Changeset 60681 for trunk/src/wp-content/themes/twentytwenty/functions.php

Timestamp:

08/27/2025 10:32:57 AM (8 months ago)

Author:

jonsurrell

Message:

Scripts: Use appropriate JSON encoding flags for script tags.

wp_json_encode() with default arguments is insufficient to safely escape JSON for script tags. Use JSON_HEX_TAG | JSON_UNESCAPED_SLASHES flags.

Developed in ​https://github.com/WordPress/wordpress-develop/pull/9557.

Props devasheeshkaul, jonsurrell, siliconforks.
Fixes #63851.

File:

• trunk/src/wp-content/themes/twentytwenty/functions.php (modified) (1 diff)

trunk/src/wp-content/themes/twentytwenty/functions.php

@@ -685 +685 @@
         sprintf(
             'wp.customize.selectiveRefresh.partialConstructor[ %1$s ].prototype.attrs = %2$s;',
-            wp_json_encode( 'cover_opacity' ),
-            wp_json_encode( twentytwenty_customize_opacity_range() )
+            wp_json_encode( 'cover_opacity', JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+            wp_json_encode( twentytwenty_customize_opacity_range(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
         )
     );