[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Wed Oct 7 12:01:42 UTC 2020
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
Reporter: tomdxw | Owner: (none)
Type: enhancement | Status: assigned
Priority: normal | Milestone: Future
| Release
Component: Security | Version: 4.8
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests dev- | Focuses: javascript
feedback |
-------------------------------------------------+-------------------------
Comment (by enricocarraro):
I would also like to know your opinion on whether or not the `src`
escaping should be delegated to `wp_santitize_script_attributes`.
Reasons to escape inside `wp_santitize_script_attributes`:
* The function already escapes the other attributes;
* Developers wouldn't have to worry about escaping the value of any
attribute before passing it.
Reasons not to:
* Gives developers less control over the attribute value;
* esc_url() doesn't support relative URLs.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:49>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list