[wp-trac] [WordPress Trac] #58664: Eliminate manual construction of script tags in WP_Scripts

WordPress Trac noreply at wordpress.org
Mon Sep 25 21:15:00 UTC 2023


#58664: Eliminate manual construction of script tags in WP_Scripts
-------------------------------------------------+-------------------------
 Reporter:  westonruter                          |       Owner:
                                                 |  westonruter
     Type:  defect (bug)                         |      Status:  closed
 Priority:  normal                               |   Milestone:  6.4
Component:  Script Loader                        |     Version:  6.3
 Severity:  normal                               |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests needs-dev-  |     Focuses:  javascript
  note                                           |
-------------------------------------------------+-------------------------
Changes (by westonruter):

 * keywords:  has-patch has-unit-tests => has-patch has-unit-tests needs-
     dev-note


Comment:

 Needs dev note because of existing ecosystem code that may filter
 `clean_url` instead of `script_loader_tag` to inject `async` & `defer`
 attributes. For example, [https://wpengine.com/resources/defer-parsing-javascript-wordpress/#:~:text=Theme%20Functions.-,Step%202%3A%20Insert%20the%20Following%20Code%20Snippet%20at%20the%20Bottom%20of%20Your%20File,-Once%20the%20file WP Engine article] and
 [https://wpdirectory.net/search/01HB72MJDACQ7MXTS213436YKV WPdirectory
 search]. This legacy method of injecting `async` and `defer` should be
 replaced with what was introduced in #12009, the script loading
 strategies. Using `clean_url` will no longer work since the script URL is
 being passed into `esc_url_raw()` (within which the `clean_url` filter is
 applied) and then the resulting URL is passed into
 `wp_sanitize_script_attributes`, which ensures the attribute values are all
 properly escaped. Previously, no escaping was done on the return value of
 `esc_url()`, meaning the `clean_url` filter could be abused for HTML
 attribute injection: this was incredibly brittle since it relied on
 single-quoted attribute values being used, and it was also inefficient since
 it applied to all escaped URLs, not just script URLs.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/58664#comment:27>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
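
The legacy `clean_url` hack and its supported replacement, side by side, as an added example (not code from the ticket, from the linked WP Engine article, or from WordPress core). The plugin header, the `example-*` handles, the `assets/app.js` path and the third-party handle list are assumptions for illustration; the API calls (`wp_enqueue_script()` with a `strategy` argument, `wp_script_add_data()`, `wp_sanitize_script_attributes()`, the `script_loader_tag` filter) are the real WordPress functions.

```php
<?php
/**
 * Plugin Name: Defer scripts without the clean_url hack (added example)
 *
 * Added example, not code from the Trac ticket or from WordPress core. It
 * contrasts the legacy clean_url attribute injection with the script loading
 * strategies API introduced in WordPress 6.3 (#12009). Handle names, script
 * paths and the third-party handle list are assumptions for illustration.
 */

// ---------------------------------------------------------------------------
// Legacy pattern (do NOT use). It smuggles a second attribute through the
// clean_url filter, which fires inside esc_url()/esc_url_raw() for EVERY URL
// that WordPress escapes, not only script URLs. It only ever worked because
// WP_Scripts used to print <script type='text/javascript' src='...'> with
// single-quoted attribute values and echoed the filtered URL unescaped.
// ---------------------------------------------------------------------------
function legacy_defer_via_clean_url( $url ) {
	if ( false === strpos( $url, '.js' ) ) {
		return $url; // not a script URL; the filter still ran on it, which is the inefficiency
	}
	if ( false !== strpos( $url, 'jquery' ) ) {
		return $url; // jQuery is skipped because inline scripts commonly depend on it
	}
	return "$url' defer='defer"; // closes the single-quoted src value and appends defer
}
// add_filter( 'clean_url', 'legacy_defer_via_clean_url', 11 ); // deliberately left unregistered

/**
 * Why the legacy pattern is dead on 6.4+: the (filtered) URL is now one
 * attribute value handed to wp_sanitize_script_attributes(), which runs it
 * through esc_attr(). The stray single quote is entity-encoded, so the
 * "defer" text stays inside the src value instead of becoming an attribute.
 * Returns true when no raw quote followed by the attribute name survived.
 */
function defer_injection_is_neutralized() {
	$injected = legacy_defer_via_clean_url( 'https://example.com/wp-content/themes/demo/app.js' );
	$attrs    = wp_sanitize_script_attributes( array( 'src' => $injected ) );
	return false === strpos( $attrs, "' defer=" );
}

// ---------------------------------------------------------------------------
// Replacement 1: declare the loading strategy when enqueueing your own script.
// WordPress 6.3+ accepts an $args array with 'strategy' => 'defer' | 'async'.
// ---------------------------------------------------------------------------
function example_enqueue_deferred_script() {
	wp_enqueue_script(
		'example-app',                           // assumed handle
		get_theme_file_uri( 'assets/app.js' ),  // assumed path
		array( 'jquery' ),
		'1.0.0',
		array(
			'strategy'  => 'defer',
			'in_footer' => true,
		)
	);
}
add_action( 'wp_enqueue_scripts', 'example_enqueue_deferred_script' );

// ---------------------------------------------------------------------------
// Replacement 2: for scripts registered by a theme or another plugin, attach
// the strategy after the fact. Core validates the value and rejects anything
// other than the supported delayed strategies, and it falls back to blocking
// output when a dependent script or inline script cannot tolerate the delay.
// ---------------------------------------------------------------------------
function example_defer_third_party_scripts() {
	$handles = array( 'some-plugin-frontend', 'another-widget' ); // assumed handles
	foreach ( $handles as $handle ) {
		if ( wp_script_is( $handle, 'registered' ) ) {
			wp_script_add_data( $handle, 'strategy', 'defer' );
		}
	}
}
add_action( 'wp_enqueue_scripts', 'example_defer_third_party_scripts', 20 );

// ---------------------------------------------------------------------------
// Pre-6.3 fallback: the supported hook for editing the tag itself is
// script_loader_tag, which receives the full tag plus the handle and src.
// Match on the handle, never on ".js" substrings, and do nothing once the
// strategies API is available so the attribute is not added twice.
// ---------------------------------------------------------------------------
function example_script_loader_tag( $tag, $handle, $src ) {
	if ( version_compare( get_bloginfo( 'version' ), '6.3', '>=' ) ) {
		return $tag; // the strategy declared above already produced the attribute
	}
	if ( 'example-app' !== $handle || false !== strpos( $tag, ' defer' ) ) {
		return $tag;
	}
	return str_replace( ' src=', ' defer src=', $tag );
}
add_filter( 'script_loader_tag', 'example_script_loader_tag', 10, 3 );
```

Drop the file into `wp-content/mu-plugins/` on a test site and inspect the rendered `<script>` tags: the `example-app` tag carries `defer`, while `defer_injection_is_neutralized()` returns true because the quote that the legacy filter relied on is now escaped inside the `src` value.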