Timestamp:
08/27/2025 10:32:57 AM (7 months ago)
Author:
jonsurrell
Message:

Scripts: Use appropriate JSON encoding flags for script tags.

wp_json_encode() with default arguments is insufficient to safely escape JSON for script tags. Use JSON_HEX_TAG | JSON_UNESCAPED_SLASHES flags.

Developed in https://github.com/WordPress/wordpress-develop/pull/9557.

Props devasheeshkaul, jonsurrell, siliconforks.
Fixes #63851.

File:
1 edited

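--- a/trunk/src/wp-includes/widgets/class-wp-widget-media-video.php
+++ b/trunk/src/wp-includes/widgets/class-wp-widget-media-video.php
@@ -200,6 +200,6 @@
             sprintf(
                 'wp.mediaWidgets.modelConstructors[ %s ].prototype.schema = %s;',
-                wp_json_encode( $this->id_base ),
-                wp_json_encode( $exported_schema )
+                wp_json_encode( $this->id_base, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                wp_json_encode( $exported_schema, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
             )
         );
@@ -212,7 +212,7 @@
                     wp.mediaWidgets.controlConstructors[ %1$s ].prototype.l10n = _.extend( {}, wp.mediaWidgets.controlConstructors[ %1$s ].prototype.l10n, %3$s );
                 ',
-                wp_json_encode( $this->id_base ),
-                wp_json_encode( $this->widget_options['mime_type'] ),
-                wp_json_encode( $this->l10n )
+                wp_json_encode( $this->id_base, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                wp_json_encode( $this->widget_options['mime_type'], JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
+                wp_json_encode( $this->l10n, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
             )
         );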
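Review bot: The new flag arguments on lines 202–203 and 214–216 carry the whole security rationale of this change, but nothing in the code records it, so a later tidy-up could drop them back to the default with no signal that inline-script escaping depends on them. I would put a short comment above the first `sprintf(` such as `// JSON_HEX_TAG encodes '<' and '>' so an encoded value cannot terminate the inline script element; keep these flags in sync with wp_print_inline_script_tag().` and hoist the repeated value into one local (`$json_flags = JSON_HEX_TAG | JSON_UNESCAPED_SLASHES;`) used by all five call sites, so they cannot drift apart. Both sprintf() calls sit inside a method whose opening and closing lines are outside the hunks, so where the assembled string is actually printed is not visible here; these flags are sufficient for a script body, but if the output ever lands in an HTML attribute context, JSON_HEX_QUOT and JSON_HEX_APOS would also be required, which is worth confirming at the emitting call. Sibling media widget classes that build inline scripts the same way presumably need the identical treatment; this changeset touches only this file, so that is worth a follow-up check rather than an assumption.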