Changeset 60681 for trunk/src/wp-admin/includes/options.php

Timestamp:

08/27/2025 10:32:57 AM (8 months ago)

Author:

jonsurrell

Message:

Scripts: Use appropriate JSON encoding flags for script tags.

wp_json_encode() with default arguments is insufficient to safely escape JSON for script tags. Use JSON_HEX_TAG | JSON_UNESCAPED_SLASHES flags.

Developed in ​https://github.com/WordPress/wordpress-develop/pull/9557.

Props devasheeshkaul, jonsurrell, siliconforks.
Fixes #63851.

File:

• trunk/src/wp-admin/includes/options.php (modified) (1 diff)

trunk/src/wp-admin/includes/options.php

@@ -38 +38 @@
         var $siteName = $( '#wp-admin-bar-site-name' ).children( 'a' ).first(),
             $siteIconPreview = $('#site-icon-preview-site-title'),
-            homeURL = ( <?php echo wp_json_encode( get_home_url() ); ?> || '' ).replace( /^(https?:\/\/)?(www\.)?/, '' );
+            homeURL = ( <?php echo wp_json_encode( get_home_url(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?> || '' ).replace( /^(https?:\/\/)?(www\.)?/, '' );
 
         $( '#blogname' ).on( 'input', function() {