Changes between Initial Version and Version 1 of Ticket #39941, comment 121
- Timestamp:
- 08/07/2025 08:59:28 AM (4 months ago)
Ticket #39941, comment 121
Initial version (changed text: "thewrong"):

@amanandhishoe I think this is thewrong approach. It is simpler to trust any inline script that has been output by functions in the WordPress API, like `wp_add_inline_script` and discard other inline scripts. If an external actor can output a new script tag through those functions, the site is already compromised by other means.

Version 1 (changed text: "a wrong"):

@amanandhishoe I think this is a wrong approach. It is simpler to trust any inline script that has been output by functions in the WordPress API, like `wp_add_inline_script` and discard other inline scripts. If an external actor can output a new script tag through those functions, the site is already compromised by other means.

Unchanged in both versions:

Yes, there can be a case where malicious user input is passed to the inputs to the inline script output functions themselves, but you're still unlikely to filter or sanitize them robustly by static analysis, and the injected payload can be obfuscated anyways.