

Timestamp:
08/27/2025 10:32:57 AM (8 months ago)
Author:
jonsurrell
Message:

Scripts: Use appropriate JSON encoding flags for script tags.

wp_json_encode() with default arguments leaves `<` and `>` unescaped, so encoded data containing `</script>` can terminate the inline script it is embedded in. Use the JSON_HEX_TAG | JSON_UNESCAPED_SLASHES flags at every script-tag call site.

Developed in https://github.com/WordPress/wordpress-develop/pull/9557.

Props devasheeshkaul, jonsurrell, siliconforks.
Fixes #63851.

File:
1 edited

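--- a/trunk/src/wp-includes/class-wp-customize-widgets.php
+++ b/trunk/src/wp-includes/class-wp-customize-widgets.php
@@ -833,5 +833,5 @@
             'customize-widgets',
             'data',
-            sprintf( 'var _wpCustomizeWidgetsSettings = %s;', wp_json_encode( $settings ) )
+            sprintf( 'var _wpCustomizeWidgetsSettings = %s;', wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) )
         );
 
@@ -860,5 +860,5 @@
                        wp.customizeWidgets.initialize( "widgets-customizer", %s );
                     } );',
-                    wp_json_encode( $editor_settings )
+                    wp_json_encode( $editor_settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
                 )
             );
@@ -867,5 +867,5 @@
             wp_add_inline_script(
                 'wp-blocks',
-                'wp.blocks.unstable__bootstrapServerSideBlockDefinitions(' . wp_json_encode( get_block_editor_server_block_settings() ) . ');'
+                'wp.blocks.unstable__bootstrapServerSideBlockDefinitions(' . wp_json_encode( get_block_editor_server_block_settings(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ');'
             );
 
@@ -881,5 +881,5 @@
                     );
                 }
-                $script = sprintf( 'for ( const source of %s ) { wp.blocks.registerBlockBindingsSource( source ); }', wp_json_encode( $filtered_sources ) );
+                $script = sprintf( 'for ( const source of %s ) { wp.blocks.registerBlockBindingsSource( source ); }', wp_json_encode( $filtered_sources, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) );
                 wp_add_inline_script(
                     'wp-blocks',
@@ -890,5 +890,5 @@
             wp_add_inline_script(
                 'wp-blocks',
-                sprintf( 'wp.blocks.setCategories( %s );', wp_json_encode( get_block_categories( $block_editor_context ) ) ),
+                sprintf( 'wp.blocks.setCategories( %s );', wp_json_encode( get_block_categories( $block_editor_context ), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ),
                 'after'
             );
@@ -1335,5 +1335,5 @@
         }
         wp_print_inline_script_tag(
-            sprintf( 'var _wpWidgetCustomizerPreviewSettings = %s;', wp_json_encode( $settings ) )
+            sprintf( 'var _wpWidgetCustomizerPreviewSettings = %s;', wp_json_encode( $settings, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) )
         );
     }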
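Review bot: The same `JSON_HEX_TAG | JSON_UNESCAPED_SLASHES` flag set is now repeated verbatim at six call sites in this file (835, 862, 869, 883, 892, 1337) with no comment saying why, so the next inline-script site added here, or a later "cleanup" of one of these, can silently fall back to the unsafe default. Assuming these all sit in the class's methods, I would hoist the flags into one named constant, e.g. `const SCRIPT_JSON_FLAGS = JSON_HEX_TAG | JSON_UNESCAPED_SLASHES;` used as `wp_json_encode( $settings, self::SCRIPT_JSON_FLAGS )`, and document it once: `// JSON_HEX_TAG encodes < and > as \u003C/\u003E, so neither "</script" nor "<!--" inside encoded data can terminate or corrupt the inline script; with < already escaped, JSON_UNESCAPED_SLASHES is safe and avoids the noisier "\/" form.` Whether `wp_print_inline_script_tag()` at 1336 applies any escaping of its own is not visible in this hunk, so the flags belong at the encode call regardless. Separately and pre-existing: if `wp_json_encode()` returns `false` for an un-encodable value, these `sprintf()` calls emit `var … = ;`, which breaks the script rather than enabling injection, but is worth a guard in a follow-up.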