Opened 2 years ago
Last modified 2 years ago
#56425 new enhancement
wp_localize_script assign to const and freeze instead of var to avoid reassignments
Reported by: | malthert | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Script Loader | Keywords: | has-patch 2nd-opinion |
Focuses: | javascript | Cc: |
Description
wp_localize_script adds elements as "var".
To avoid accidental, silent overwrites by other plugins or malicious code, it would be better if we used a const and freeze the object, to disable reassignments.
Change History (6)
This ticket was mentioned in PR #3125 on WordPress/wordpress-develop by kkmuffme.
2 years ago
#1
- Keywords has-patch added
#2
@
2 years ago
- Focuses performance coding-standards removed
- Keywords 2nd-opinion added
- Version trunk deleted
I think this is a difficult change to make.
There are some valid scenarios where a plugin or theme would be adding to or adjusting values found in localized variables. If this were to change, it would potentially break backward compatibility for sites.
I could see adding a way for a developer to tell wp_localize_script()
to use const
instead, but I think applying this change everywhere by default would cause more problems than it would solve.
#3
@
2 years ago
- Keywords close added
Agreed. We also have a more customizable API for this nowadays with wp_add_inline_script
which I think we should be encouraging people to move to.
#4
@
2 years ago
- Keywords close removed
@desrosj
There are some valid scenarios
Could you perhaps give 2-3 examples of those? Because I didn't encounter any yet (that aren't an inherent XSS risk)
@TimothyBlynJacobs
wp_add_inline_script
has a much higher XSS risk when not used correctly compared to wp_localize_script
, so I'm not sure if it's really advisable to promote this for very basic text translations which are often used with unsafe methods (jQuery.html,...)
Especially given that the WP esc_js
function isn't really safe for JS output either.
By changing the localized variable to a const (and freezing it), it would encourage devs to actually move to wp_add_inline_script
if that is what is preferred.
#5
@
2 years ago
Could you perhaps give 2-3 examples of those?
I've seen developers write back to their global if values are empty.
myPluginVar.KEY = myPluginVar.KEY || 'My Default Value'
so I'm not sure if it's really advisable to promote this for very basic text translations
For localization developers should be moving to wp.i18n
.
#6
@
2 years ago
myPluginVar.KEY = myPluginVar.KEY 'My Default Value'
Which defeats the purpose of localizing in the first place, so this is a bad practice.
wp.i18n
Definitely!
Still we shouldn't neglect what is there in tons of sites and strive on keeping this as secure as possible, as legacy code often is the first point of attack.
Trac ticket: https://core.trac.wordpress.org/ticket/56425