[wp-trac] [WordPress Trac] #58664: Eliminate manual construction of script tags in WP_Scripts
WordPress Trac
noreply at wordpress.org
Sun Jul 2 01:03:17 UTC 2023
#58664: Eliminate manual construction of script tags in WP_Scripts
--------------------------------------+-------------------------
Reporter: westonruter | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.4
Component: Script Loader | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests | Focuses: javascript
--------------------------------------+-------------------------
Description changed by westonruter:
Old description:
> Helper functions for constructing script tags
> (`wp_print_inline_script_tag()`, `wp_get_inline_script_tag()`, and
> `wp_get_script_tag()`) were [https://make.wordpress.org/core/2021/02/23/introducing-script-attributes-related-functions-in-wordpress-5-7/ added]
> in WP 5.7. However, they were not implemented in `WP_Scripts` for where
> core prints the majority of its scripts. Some of the instances were
> replaced in [56033] for #12009, specifically for inline before/after
> scripts.
>
> 1. [https://github.com/WordPress/wordpress-develop/blob/260e97646db619c3c1bba0d400f1288b450ea701/src/wp-includes/class-wp-scripts.php#L413-L420 Main registered scripts]
> 2. [https://github.com/WordPress/wordpress-develop/blob/260e97646db619c3c1bba0d400f1288b450ea701/src/wp-includes/class-wp-scripts.php#L248 Extra scripts] (i.e. from `wp_localize_script()`)
> 3. [https://github.com/WordPress/wordpress-develop/blob/260e97646db619c3c1bba0d400f1288b450ea701/src/wp-includes/class-wp-scripts.php#L338 Translation scripts]
>
> Using the helper functions also makes the code much more readable as well
> as more robust by automatically escaping attribute values and allowing
> the `wp_script_attributes` and `wp_inline_script_attributes` filters to
> apply to the attributes being printed. It also ensures the non-HTML5
> CDATA wrapper comments are added consistently. This would seem to be a
> logical follow-up to #39941 which introduced these functions but didn't
> make use of them in `WP_Scripts`. This will facilitate adding CSP
> attributes to scripts that core prints.
>
> Caveat: Some plugins are (ab)using the `clean_url` filter to inject
> `async`/`defer` attributes into `script` tags. Such plugins will break
> with the adoption of these helper functions. Any such plugins should be
> updated to use the new script loading strategies instead, or inject
> attributes with the `script_loader_tag` filter which is a much better fit
> for this purpose.
>
> A [https://github.com/10up/wordpress-develop/pull/58 stale pull request]
> exists which drafted this change.
New description:
Helper functions for constructing script tags
(`wp_print_inline_script_tag()`, `wp_get_inline_script_tag()`, and
`wp_get_script_tag()`) were [https://make.wordpress.org/core/2021/02/23/introducing-script-attributes-related-functions-in-wordpress-5-7/ added]
in WP 5.7. However, they were not implemented in `WP_Scripts` for where
core prints the majority of its scripts. Some of the instances were
replaced in [56033] for #12009, specifically for inline before/after
scripts.

1. [https://github.com/WordPress/wordpress-develop/blob/260e97646db619c3c1bba0d400f1288b450ea701/src/wp-includes/class-wp-scripts.php#L413-L420 Main registered scripts]
2. [https://github.com/WordPress/wordpress-develop/blob/260e97646db619c3c1bba0d400f1288b450ea701/src/wp-includes/class-wp-scripts.php#L248 Extra scripts] (i.e. from `wp_localize_script()`)
3. [https://github.com/WordPress/wordpress-develop/blob/260e97646db619c3c1bba0d400f1288b450ea701/src/wp-includes/class-wp-scripts.php#L338 Translation] [https://github.com/WordPress/wordpress-develop/blob/260e97646db619c3c1bba0d400f1288b450ea701/src/wp-includes/class-wp-scripts.php#L723 scripts]

Using the helper functions also makes the code much more readable as well
as more robust by automatically escaping attribute values and allowing the
`wp_script_attributes` and `wp_inline_script_attributes` filters to apply
to the attributes being printed. It also ensures the non-HTML5 CDATA
wrapper comments are added consistently. This would seem to be a logical
follow-up to #39941 which introduced these functions but didn't make use
of them in `WP_Scripts`. This will facilitate adding CSP attributes to
scripts that core prints.

Caveat: Some plugins are (ab)using the `clean_url` filter to inject
`async`/`defer` attributes into `script` tags. Such plugins will break
with the adoption of these helper functions. Any such plugins should be
updated to use the new script loading strategies instead, or inject
attributes with the `script_loader_tag` filter which is a much better fit
for this purpose.

A [https://github.com/10up/wordpress-develop/pull/58 stale pull request]
exists which drafted this change.
--
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58664#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
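
An added illustration, not part of the ticket or of WordPress core, of the ticket's point that building tags from an attribute array gives one place to escape values and to attach CSP attributes. `manual_script_tag()`, `helper_script_tag()` and `$attribute_filters` are hypothetical stand-ins (the last one models the `wp_script_attributes` filter), and the sample handle and URL are constructed.

```php
<?php
// Simplified stand-ins for illustration; not WordPress core code.

/** Manual construction: every call site must remember to escape and to add attributes. */
function manual_script_tag( string $src, string $handle ): string {
	return "<script src='" . $src . "' id='" . $handle . "-js'></script>\n";
}

/** Hypothetical filter registry modelling the `wp_script_attributes` hook. */
$attribute_filters = array();

/** Helper-style construction: one place escapes values and runs attribute filters. */
function helper_script_tag( array $attributes ): string {
	global $attribute_filters;
	foreach ( $attribute_filters as $filter ) {
		$attributes = $filter( $attributes );
	}
	$html = '';
	foreach ( $attributes as $name => $value ) {
		if ( true === $value ) {
			$html .= ' ' . $name; // Boolean attribute such as defer.
		} elseif ( false !== $value && null !== $value ) {
			$html .= sprintf( ' %s="%s"', $name, htmlspecialchars( (string) $value, ENT_QUOTES, 'UTF-8' ) );
		}
	}
	return "<script{$html}></script>\n";
}

// A CSP nonce registered once reaches every tag built through the helper.
$nonce               = base64_encode( random_bytes( 16 ) );
$attribute_filters[] = static function ( array $attributes ) use ( $nonce ): array {
	$attributes['nonce'] = $nonce;
	return $attributes;
};

// Constructed sample values: a handle containing a quote and a URL containing "&".
$handle = "editor's-pick";
$src    = 'https://example.test/app.js?ver=6.4&lang=en';

echo manual_script_tag( $src, $handle );   // Quote in the handle ends the id attribute early; no nonce.
echo helper_script_tag( array( 'src' => $src, 'id' => $handle . '-js', 'defer' => true ) );
echo "Content-Security-Policy: script-src 'nonce-{$nonce}'\n";
```

The manually built tag carries no nonce, so the policy printed on the last line would block it, while the helper-built tag is escaped and carries the nonce.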