Unable to use wp_kses* with JavaScript templating

[jernstjernst]

We're trying to use wp_kses* with our templates that use JavaScript templating (e.g. ​https://underscorejs.org/#template, ​https://ejs.co/) syntax, however to no avail.

Example 1 (<%=):

<?php
$html = '<script type="text/javascript"><%= data.answer %></script>';
echo wp_kses($html, ['script' => ['type' => true], '%' => []]);
?>

Expected result:

<script type="text/javascript"><%= data.answer %></script>

Actual result:

<script type="text/javascript"></script>

Example 2 (<%):

<?php
$html = '<script type="text/javascript"><% print('Hello'); %></script>';
echo wp_kses($html, ['script' => ['type' => true], '%' => []]);
?>

Expected result:

<script type="text/javascript"><% print('Hello'); %></script>

Actual result:

<script type="text/javascript"></script>

[swissspidy]

This is technically working as intended, as KSES is supposed to strip invalid/unsupported HTML markup. It is not meant to be used on things like Underscore templates.

See #30920 where this was previously discussed.

[jernstjernst]

Thanks @swissspidy and sorry I was not able to find this #30920.

In that case what is the preferred way to handle outputting underscore templates from plugins as we are not supposed to use echo?

[swissspidy]

IMO echo is a legitimate use case for such scenarios. You could also use wp_print_inline_script_tag