[wp-trac] [WordPress Trac] #51482: wp_kses_post should filter javascript content as well as the <script> tags
WordPress Trac
noreply at wordpress.org
Thu Oct 8 12:49:54 UTC 2020
#51482: wp_kses_post should filter javascript content as well as the <script> tags
---------------------------+-----------------------------
Reporter: janmiddelkoop | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Formatting | Version: 5.5.1
Severity: minor | Keywords:
Focuses: |
---------------------------+-----------------------------
Like the title says, wp_kses_post filters the javascript <script> and
</script> tags, but not the actual javascript itself. If you sanitize
some content using wp_kses_post that contains <script> tags, the
javascript becomes readable in the browser, so you actually end up with
very unexpected output.
A real-world example where this is rather annoying is the default
Storefront theme for WooCommerce, which uses wp_kses_post for sanitizing
content for a sticky product header. If that content contains javascript,
the sticky is filled with the script content instead of readable content.
While not required from a security standpoint, I would expect it to be
more sane for these functions to actually strip the javascript rather than
make it visible.
Example:
$str = "hello <script>myvar = 'foobar';</script> world!";
echo wp_kses_post($str);
Outputs:
hello myvar = 'foobar'; world!
Expected output:
hello world!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/51482>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
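The two behaviours the ticket contrasts, as an added illustration that is not WordPress or kses code: a tag-only stripper that keeps script bodies (the reported behaviour) beside an element-level stripper that discards the <script> body together with its tags (the expected behaviour). It uses Python's html.parser; class and function names are my own.

```python
"""Added illustration (not WordPress code): tag-only stripping versus
element-level removal of <script>, using the ticket's own sample input."""
from html.parser import HTMLParser


class TagStripper(HTMLParser):
    """Drop every tag, keep every text node, script bodies included.

    Mimics the reported wp_kses_post behaviour on <script>; it simplifies
    kses, which is an allow-list filter that keeps permitted tags like <p>.
    """

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


class ScriptDropper(TagStripper):
    """Like TagStripper, but discard text while inside a <script> element.

    html.parser treats <script> as raw-text content, so everything between
    the start and end tag arrives through handle_data and is skipped here.
    """

    def __init__(self):
        super().__init__()
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if not self.in_script:
            self.parts.append(data)


def strip_tags(html):
    """Tags removed, script bodies kept: the output the ticket reports."""
    parser = TagStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts)


def strip_scripts(html):
    """<script> elements removed with their bodies: the expected output."""
    parser = ScriptDropper()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts)
```

On the ticket's sample, strip_tags() returns "hello myvar = 'foobar'; world!" while strip_scripts() returns "hello  world!"; the double space is the whitespace that surrounded the removed element, which a sanitizer may additionally want to collapse.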