Changeset 60681 for trunk/src/wp-includes/class-wp-customize-manager.php

Timestamp:

08/27/2025 10:32:57 AM (4 months ago)

Author:

jonsurrell

Message:

Scripts: Use appropriate JSON encoding flags for script tags.

wp_json_encode() with default arguments is insufficient to safely escape JSON for script tags. Use JSON_HEX_TAG | JSON_UNESCAPED_SLASHES flags.

Developed in ​https://github.com/WordPress/wordpress-develop/pull/9557.

Props devasheeshkaul, jonsurrell, siliconforks.
Fixes #63851.

File:

• trunk/src/wp-includes/class-wp-customize-manager.php (modified) (6 diffs)

trunk/src/wp-includes/class-wp-customize-manager.php

@@ -477 +477 @@
                 var preview = new api.Messenger( settings.messengerArgs );
                 preview.send( 'iframe-loading-error', settings.error );
-            } )( wp.customize, <?php echo wp_json_encode( $settings ); ?> );
+            } )( wp.customize, <?php echo wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?> );
             </script>
             <?php
@@ -2206 +2206 @@
         ?>
         <script>
-            var _wpCustomizeSettings = <?php echo wp_json_encode( $settings ); ?>;
+            var _wpCustomizeSettings = <?php echo wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?>;
             _wpCustomizeSettings.values = {};
             (function( v ) {
@@ -2219 +2219 @@
                         printf(
                             "v[%s] = %s;\n",
-                            wp_json_encode( $id ),
-                            wp_json_encode( $setting->js_value() )
+                            wp_json_encode( $id, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                            wp_json_encode( $setting->js_value(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
                         );
                     }
@@ -4989 +4989 @@
         ?>
         <script>
-            var _wpCustomizeSettings = <?php echo wp_json_encode( $settings ); ?>;
+            var _wpCustomizeSettings = <?php echo wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ); ?>;
             _wpCustomizeSettings.initialClientTimestamp = _.now();
             _wpCustomizeSettings.controls = {};
@@ -5001 +5001 @@
                     printf(
                         "s[%s] = %s;\n",
-                        wp_json_encode( $setting->id ),
-                        wp_json_encode( $setting->json() )
+                        wp_json_encode( $setting->id, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                        wp_json_encode( $setting->json(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
                     );
                 }
@@ -5014 +5014 @@
                     printf(
                         "c[%s] = %s;\n",
-                        wp_json_encode( $control->id ),
-                        wp_json_encode( $control->json() )
+                        wp_json_encode( $control->id, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                        wp_json_encode( $control->json(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
                     );
                 }