Changeset 61485

Timestamp:

01/15/2026 11:11:45 AM (5 weeks ago)

Author:

jonsurrell

Message:

Script Loader: Use HTML API to generate SCRIPT tags.

Script tags have complicated and unintuitive parsing rules that make them difficult to author correctly. The HTML API automatically escapes script tag contents as necessary and will set attributes correctly. Using the HTML API to generate SCRIPT tags improves safety when working with SCRIPT tags, resolving a class of issues that have manifested repeatedly.

Changeset [61418] applied the HTML API to generate style tags in a similar way.

Developed in ​https://github.com/WordPress/wordpress-develop/pull/10639.

Props jonsurrell, dmsnell, westonruter.
Fixes #64500. See #64419, #40737, #62797, #63851, #51159.

Location:

trunk

Files:

• src/wp-includes/script-loader.php (modified) (3 diffs)
• tests/phpunit/tests/dependencies/wpInlineScriptTag.php (modified) (1 diff)

trunk/src/wp-includes/script-loader.php

@@ -2881 +2881 @@
     $attributes = apply_filters( 'wp_script_attributes', $attributes );
 
-    return sprintf( "<script%s></script>\n", wp_sanitize_script_attributes( $attributes ) );
+    $processor = new WP_HTML_Tag_Processor( '<script></script>' );
+    $processor->next_tag();
+    foreach ( $attributes as $name => $value ) {
+        /*
+         * Lexical variations of an attribute name may represent the
+         * same attribute in HTML, therefore it’s possible that the
+         * input array might contain duplicate attributes even though
+         * it’s keyed on their name. Calling code should rewrite an
+         * attribute’s value rather than sending a duplicate attribute.
+         *
+         * Example:
+         *
+         *     array( 'id' => 'main', 'ID' => 'nav' )
+         *
+         * In this example, there are two keys both describing the `id`
+         * attribute. PHP array iteration is in key-insertion order so
+         * the 'id' value will be set in the SCRIPT tag.
+         */
+        if ( null !== $processor->get_attribute( $name ) ) {
+            continue;
+        }
+
+        $processor->set_attribute( $name, $value ?? true );
+    }
+    return "{$processor->get_updated_html()}\n";
 }
 
@@ -2902 +2926 @@
  *
  * It is possible to inject attributes in the `<script>` tag via the {@see 'wp_inline_script_attributes'} filter.
- * Automatically injects type attribute if needed.
+ *
+ * If the `$data` is unsafe to embed in a `<script>` tag, an empty script tag with the provided
+ * attributes will be returned. JavaScript and JSON contents can be escaped, so this is only likely
+ * to be a problem with unusual content types.
+ *
+ * Example:
+ *
+ *     // The dangerous JavaScript in this example will be safely escaped.
+ *     // A string with the script tag and the desired contents will be returned.
+ *     wp_get_inline_script_tag( 'console.log( "</script>" );' );
+ *
+ *     // This data is unsafe and `text/plain` cannot be escaped.
+ *     // The following will return `""` to indicate failure:
+ *     wp_get_inline_script_tag( '</script>', array( 'type' => 'text/plain' ) );
  *
  * @since 5.7.0
+ * @since 7.0.0 Returns an empty string if the data cannot be safely embedded in a script tag.
  *
  * @param string                     $data       Data for script tag: JavaScript, importmap, speculationrules, etc.
  * @param array<string, string|bool> $attributes Optional. Key-value pairs representing `<script>` tag attributes.
- * @return string String containing inline JavaScript code wrapped around `<script>` tag.
+ * @return string HTML script tag containing the provided $data or the empty string `""` if the data cannot be safely embedded in a script tag.
  */
 function wp_get_inline_script_tag( $data, $attributes = array() ) {
@@ -2925 +2963 @@
     $attributes = apply_filters( 'wp_inline_script_attributes', $attributes, $data );
 
-    return sprintf( "<script%s>%s</script>\n", wp_sanitize_script_attributes( $attributes ), $data );
+    $processor = new WP_HTML_Tag_Processor( '<script></script>' );
+    $processor->next_tag();
+    foreach ( $attributes as $name => $value ) {
+        /*
+         * Lexical variations of an attribute name may represent the
+         * same attribute in HTML, therefore it’s possible that the
+         * input array might contain duplicate attributes even though
+         * it’s keyed on their name. Calling code should rewrite an
+         * attribute’s value rather than sending a duplicate attribute.
+         *
+         * Example:
+         *
+         *     array( 'id' => 'main', 'ID' => 'nav' )
+         *
+         * In this example, there are two keys both describing the `id`
+         * attribute. PHP array iteration is in key-insertion order so
+         * the 'id' value will be set in the SCRIPT tag.
+         */
+        if ( null !== $processor->get_attribute( $name ) ) {
+            continue;
+        }
+
+        $processor->set_attribute( $name, $value ?? true );
+    }
+
+    if ( ! $processor->set_modifiable_text( $data ) ) {
+        _doing_it_wrong(
+            __FUNCTION__,
+            __( 'Unable to set inline script data.' ),
+            '7.0.0'
+        );
+        return '';
+    }
+
+    return "{$processor->get_updated_html()}\n";
 }
 

trunk/tests/phpunit/tests/dependencies/wpInlineScriptTag.php

@@ -165 +165 @@
         );
     }
+
+    /**
+     * Test failure conditions setting inline script tag contents.
+     *
+     * @ticket 64500
+     */
+    public function test_script_tag_dangerous_unescapeable_contents() {
+        $this->setExpectedIncorrectUsage( 'wp_get_inline_script_tag' );
+        /*
+         * </script> cannot be printed inside a script tag
+         * the `example/example` type is an unknown type with no known escaping rules.
+         * The only choice is to abort.
+         */
+        $result = wp_get_inline_script_tag(
+            '</script>',
+            array( 'type' => 'example/example' )
+        );
+        $this->assertSame( '', $result );
+    }
 }