Make WordPress Core

Opened 2 years ago

Last modified 2 years ago

#56425 new enhancement

wp_localize_script assign to const and freeze instead of var to avoid reassignments

Reported by: malthert's profile malthert Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Script Loader Keywords: has-patch 2nd-opinion
Focuses: javascript Cc:

Description

wp_localize_script adds elements as "var".

To avoid accidental, silent overwrites by other plugins or malicious code, it would be better if we used a const and freeze the object, to disable reassignments.

Change History (6)

This ticket was mentioned in PR #3125 on WordPress/wordpress-develop by kkmuffme.


2 years ago
#1

  • Keywords has-patch added

#2 @desrosj
2 years ago

  • Focuses performance coding-standards removed
  • Keywords 2nd-opinion added
  • Version trunk deleted

I think this is a difficult change to make.

There are some valid scenarios where a plugin or theme would be adding to or adjusting values found in localized variables. If this were to change, it would potentially break backward compatibility for sites.

I could see adding a way for a developer to tell wp_localize_script() to use const instead, but I think applying this change everywhere by default would cause more problems than it would solve.

#3 @TimothyBlynJacobs
2 years ago

  • Keywords close added

Agreed. We also have a more customizable API for this nowadays with wp_add_inline_script which I think we should be encouraging people to move to.

#4 @kkmuffme
2 years ago

  • Keywords close removed

@desrosj

There are some valid scenarios

Could you perhaps give 2-3 examples of those? Because I didn't encounter any yet (that aren't an inherent XSS risk)

@TimothyBlynJacobs

wp_add_inline_script has a much higher XSS risk when not used correctly compared to wp_localize_script, so I'm not sure if it's really advisable to promote this for very basic text translations which are often used with unsafe methods (jQuery.html,...)
Especially given that the WP esc_js function isn't really safe for JS output either.

By changing the localized variable to a const (and freezing it), it would encourage devs to actually move to wp_add_inline_script if that is what is preferred.

#5 @TimothyBlynJacobs
2 years ago

Could you perhaps give 2-3 examples of those?

I've seen developers write back to their global if values are empty.

myPluginVar.KEY = myPluginVar.KEY || 'My Default Value'

so I'm not sure if it's really advisable to promote this for very basic text translations

For localization developers should be moving to wp.i18n.

#6 @kkmuffme
2 years ago

myPluginVar.KEY = myPluginVar.KEY
'My Default Value'

Which defeats the purpose of localizing in the first place, so this is a bad practice.

wp.i18n

Definitely!
Still we shouldn't neglect what is there in tons of sites and strive on keeping this as secure as possible, as legacy code often is the first point of attack.

Note: See TracTickets for help on using tickets.