Audit wp_json_encode() with appropriate JSON flags
#9557
Conversation
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
sirreal
left a comment
sirreal
left a comment
There was a problem hiding this comment.
Thank you! This seems to address the issue in many places. I've reviewed all the changes and they appear correct.
I have one request to add a test case for wp_localize_script functionality. Are you comfortable handling that?
How comprehensive is this audit? I believe there were other usages that included some JSON flags. Did you consider those cases and whether they use appropriate flags, or is this only the cases with no flags?
| } | ||
|
|
||
| $script = "var $object_name = " . wp_json_encode( $l10n ) . ';'; | ||
| $script = "var $object_name = " . wp_json_encode( $l10n, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) . ';'; |
There was a problem hiding this comment.
This should fix the wp_localize_script problem mentioned in the ticket.
Will you add a test for wp_localize_script? The assertEqualHTML test helper should work nicely.
There was a problem hiding this comment.
Sure, I'll go ahead and add a test. Thank you!
Thank you for the review, @sirreal! Yes, I went through every instance of I'll do another pass to double check all usages and update the patch if I spot anything missed. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
sirreal
left a comment
sirreal
left a comment
There was a problem hiding this comment.
Great, this is very close, thanks for the updates! I just have a few minor adjustments I'd like to make before this is ready.
| if ( ! empty( $import_map['imports'] ) ) { | ||
| wp_print_inline_script_tag( | ||
| wp_json_encode( $import_map, JSON_HEX_TAG | JSON_HEX_AMP ), | ||
| wp_json_encode( $import_map, JSON_HEX_TAG | JSON_HEX_AMP | JSON_UNESCAPED_SLASHES ), |
There was a problem hiding this comment.
I don't think there's any reason to escape JSON_HEX_AMP generally. Let's remove that and be consistent in the usage:
| wp_json_encode( $import_map, JSON_HEX_TAG | JSON_HEX_AMP | JSON_UNESCAPED_SLASHES ), | |
| wp_json_encode( $import_map, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ), |
This was added in [57269], developed in #5818.
The only reason I'm aware of to escape & is for XHTML support, and that should be handled by CDATA wrappers as mentioned in #5818 (comment).
Pinging @luisherranz @swissspidy from the linked conversation in case there are specific concerns about the & character.
`wp_json_encode()` with default arguments is insufficient to safely escape JSON for script tags. Use `JSON_HEX_TAG | JSON_UNESCAPED_SLASHES` flags. Developed in #9557. Props devasheeshkaul, jonsurrell, siliconforks. Fixes #63851. git-svn-id: https://develop.svn.wordpress.org/trunk@60681 602fd350-edb4-49c9-b593-d223f7449a82
`wp_json_encode()` with default arguments is insufficient to safely escape JSON for script tags. Use `JSON_HEX_TAG | JSON_UNESCAPED_SLASHES` flags. Developed in WordPress/wordpress-develop#9557. Props devasheeshkaul, jonsurrell, siliconforks. Fixes #63851. Built from https://develop.svn.wordpress.org/trunk@60681 git-svn-id: http://core.svn.wordpress.org/trunk@60017 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`wp_json_encode()` with default arguments is insufficient to safely escape JSON for script tags. Use `JSON_HEX_TAG | JSON_UNESCAPED_SLASHES` flags. Developed in WordPress/wordpress-develop#9557. Props devasheeshkaul, jonsurrell, siliconforks. Fixes #63851. Built from https://develop.svn.wordpress.org/trunk@60681 git-svn-id: https://core.svn.wordpress.org/trunk@60017 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`wp_json_encode()` with default arguments is insufficient to safely escape JSON for script tags. Use `JSON_HEX_TAG | JSON_UNESCAPED_SLASHES` flags. Developed in WordPress#9557. Props devasheeshkaul, jonsurrell, siliconforks. Fixes #63851. git-svn-id: https://develop.svn.wordpress.org/trunk@60681 602fd350-edb4-49c9-b593-d223f7449a82
Specifically the addition of JSON_UNESCAPED_SLASHES as a flag. See: WordPress/wordpress-develop#9557
2 participants
This patch audits the use of
wp_json_encode()where encoded data is used inside script tags/elements and updates those calls to use safer encoding flags (JSON_HEX_TAGandJSON_UNESCAPED_SLASHES)Trac ticket: https://core.trac.wordpress.org/ticket/63851
This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.