[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Tue Oct 6 12:31:26 UTC 2020
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
Reporter: tomdxw | Owner: (none)
Type: enhancement | Status: assigned
Priority: normal | Milestone: Future
| Release
Component: Security | Version: 4.8
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests dev- | Focuses: javascript
feedback |
-------------------------------------------------+-------------------------
Comment (by enricocarraro):
Currently [https://github.com/WordPress/wordpress-
develop/blob/b846378649ac2d3a1c8dc81a8901ca4a4d926006/src/wp-
includes/functions.php#L7637-L7674 the function] responsible sanitizing
script attributes does not escape attribute names, but only attribute
values.
Do you think it would be necessary to escape also attribute names?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:48>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list