Changeset 60681 for trunk/src/wp-includes/class-wp-customize-nav-menus.php

Timestamp:

08/27/2025 10:32:57 AM (8 months ago)

Author:

jonsurrell

Message:

Scripts: Use appropriate JSON encoding flags for script tags.

wp_json_encode() with default arguments is insufficient to safely escape JSON for script tags. Use JSON_HEX_TAG | JSON_UNESCAPED_SLASHES flags.

Developed in ​https://github.com/WordPress/wordpress-develop/pull/9557.

Props devasheeshkaul, jonsurrell, siliconforks.
Fixes #63851.

File:

• trunk/src/wp-includes/class-wp-customize-nav-menus.php (modified) (2 diffs)

trunk/src/wp-includes/class-wp-customize-nav-menus.php

@@ -546 +546 @@
         );
 
-        $data = sprintf( 'var _wpCustomizeNavMenusSettings = %s;', wp_json_encode( $settings ) );
+        $data = sprintf( 'var _wpCustomizeNavMenusSettings = %s;', wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) );
         wp_scripts()->add_data( 'customize-nav-menus', 'data', $data );
 
@@ -1549 +1549 @@
             'navMenuInstanceArgs' => $this->preview_nav_menu_instance_args,
         );
-        wp_print_inline_script_tag( sprintf( 'var _wpCustomizePreviewNavMenusExports = %s;', wp_json_encode( $exports ) ) );
+        wp_print_inline_script_tag( sprintf( 'var _wpCustomizePreviewNavMenusExports = %s;', wp_json_encode( $exports, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ) );
     }