Make WordPress Core

Opened 5 months ago

Last modified 5 months ago

#47350 new enhancement

Add method to get JSON from a file without using file_get_contents()

Reported by: aristath
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: trunk
Component: Script Loader
Keywords: needs-patch
Focuses:
Cc:
PR Number:

Description

This came up in a discussion about the use of file_get_contents() in WP Themes. Right now that function is banned, and for good reason, on w.org themes since it can be grossly abused and lead to malicious code.
However, recently it became a recommendation in https://github.com/WordPress/gutenberg/blob/9ce596cd568d30c76fd4a0257e2872da91d4966a/packages/dependency-extraction-webpack-plugin/README.md#wordpress

There was further discussion in the #core-editor Slack channel - see https://wordpress.slack.com/archives/C02QB2JS7/p1558546491251400 for reference.

The suggestion was to add a new method/function to get what is required, without forcing plugin and theme authors to use file_get_contents(), and we could add any security checks required in that function.
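
One shape the helper proposed above could take, as an added example that is not part of the ticket or of WordPress core. The function name, the base-directory parameter, the size and depth limits, and the sample file names are assumptions.

```php
<?php
// Hypothetical helper, not a WordPress API: the name, parameters and limits are assumptions.
// Returns the decoded array, or null when any check fails.
function example_read_json_file( string $file, string $base_dir, int $max_bytes = 1048576 ) {
	// realpath() resolves symlinks and ".." and returns false for URLs and
	// stream wrappers, so only an existing local file gets past this point.
	$base = realpath( $base_dir );
	$real = realpath( $file );
	if ( false === $base || false === $real || ! is_file( $real ) ) {
		return null;
	}
	// Containment: the resolved path must sit under the resolved base directory.
	if ( 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
		return null;
	}
	// Data files only.
	if ( 'json' !== strtolower( pathinfo( $real, PATHINFO_EXTENSION ) ) ) {
		return null;
	}
	$size = filesize( $real );
	if ( false === $size || $size > $max_bytes ) {
		return null;
	}
	// The one raw read lives here, on a path that has already been validated.
	$raw = file_get_contents( $real );
	if ( false === $raw ) {
		return null;
	}
	// Bounded nesting depth; the result is data and is never executed.
	$data = json_decode( $raw, true, 32 );
	return ( JSON_ERROR_NONE === json_last_error() && is_array( $data ) ) ? $data : null;
}

// Constructed sample input: a temporary "theme" directory next to a file outside it.
$root  = sys_get_temp_dir() . '/example-' . uniqid();
$theme = $root . '/theme';
mkdir( $theme . '/build', 0700, true );
file_put_contents( $theme . '/build/index.deps.json', '["wp-element","wp-i18n"]' );
file_put_contents( $root . '/outside.json', '["not-in-theme"]' );

$candidates = array(
	$theme . '/build/index.deps.json',        // Inside the theme.
	$theme . '/build/../../outside.json',     // Traverses out of the theme.
	'https://example.invalid/deps.json',      // Remote URL.
);
foreach ( $candidates as $path ) {
	echo $path, ' => ', json_encode( example_read_json_file( $path, $theme ) ), PHP_EOL;
}
```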

Change History (3)

This ticket was mentioned in Slack in #core-editor by aristath.

5 months ago

#2 @youknowriad
5 months ago

  • Component changed from Editor to Script Loader

I wonder if this should just be the default behavior of wp_register_script if you omit the "deps" argument. It could go check if there's a dependency file with the same name as the script and load it.

#3 @aristath
5 months ago

Interesting suggestion... And makes perfect sense. If we have a way to register script dependencies outside of wp_register_script, then omitting the deps argument should load the defaults.
