[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline

WordPress Trac noreply at wordpress.org
Tue Oct 6 12:31:26 UTC 2020


#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
 Reporter:  tomdxw                               |       Owner:  (none)
     Type:  enhancement                          |      Status:  assigned
 Priority:  normal                               |   Milestone:  Future
                                                 |  Release
Component:  Security                             |     Version:  4.8
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch has-unit-tests dev-        |     Focuses:  javascript
  feedback                                       |
-------------------------------------------------+-------------------------

Comment (by enricocarraro):

 Currently [https://github.com/WordPress/wordpress-
 develop/blob/b846378649ac2d3a1c8dc81a8901ca4a4d926006/src/wp-
 includes/functions.php#L7637-L7674 the function] responsible sanitizing
 script attributes does not escape attribute names, but only attribute
 values.
 Do you think it would be necessary to escape also attribute names?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:48>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list