Make WordPress Core


Timestamp:
01/15/2026 11:11:45 AM (8 weeks ago)
Author:
jonsurrell
Message:

Script Loader: Use HTML API to generate SCRIPT tags.

Script tags have complicated and unintuitive parsing rules that make them difficult to author correctly. The HTML API automatically escapes script tag contents as necessary and will set attributes correctly. Using the HTML API to generate SCRIPT tags improves safety when working with SCRIPT tags, resolving a class of issues that have manifested repeatedly.

Changeset [61418] applied the HTML API to generate style tags in a similar way.

Developed in https://github.com/WordPress/wordpress-develop/pull/10639.

Props jonsurrell, dmsnell, westonruter.
Fixes #64500. See #64419, #40737, #62797, #63851, #51159.

File:
1 edited

  • trunk/tests/phpunit/tests/dependencies/wpInlineScriptTag.php

    r61482 r61485  
    165165        );
    166166    }
     167
     168    /**
     169     * Test failure conditions setting inline script tag contents.
     170     *
     171     * @ticket 64500
     172     */
     173    public function test_script_tag_dangerous_unescapeable_contents() {
     174        $this->setExpectedIncorrectUsage( 'wp_get_inline_script_tag' );
     175        /*
     176         * </script> cannot be printed inside a script tag
     177         * the `example/example` type is an unknown type with no known escaping rules.
     178         * The only choice is to abort.
     179         */
     180        $result = wp_get_inline_script_tag(
     181            '</script>',
     182            array( 'type' => 'example/example' )
     183        );
     184        $this->assertSame( '', $result );
     185    }
    167186}
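Review bot: The new test at lines 173-185 pins down only one input, the exact lowercase string `'</script>'` with `'type' => 'example/example'`, so a regression that handles this literal but mishandles other spellings of the closing tag would still pass. Consider converting it to a data-provider test that also covers a case variant such as `</SCRIPT>` and content where the closing tag sits inside longer text, each asserting `''` together with the expected incorrect-usage notice for `wp_get_inline_script_tag`. The inline comment at lines 176-177 would read more clearly with sentence punctuation after "inside a script tag", and the method name spells "unescapeable" where "unescapable" is the usual form.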