[wp-trac] [WordPress Trac] #52894: The wp_sanitize_script_attributes function added in version 5.7 does not escape attributes in some cases.
WordPress Trac
noreply at wordpress.org
Tue Mar 23 23:24:27 UTC 2021
#52894: The wp_sanitize_script_attributes function added in version 5.7 does not escape attributes in some cases.
---------------------------+-----------------------------
Reporter: tmatsuur | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Script Loader | Version: 5.7
Severity: critical | Keywords:
Focuses: |
---------------------------+-----------------------------
The wp_sanitize_script_attributes function added in version 5.7 does not escape the attribute name when the array value is true.
Steps To Reproduce:
1. Add the following code to your theme's functions.php.
{{{
echo wp_get_script_tag( [ '>console.log("hello")</script><script' => true ] );
}}}
2. Display the admin page.
3. The following script tag is output and executed.
{{{
<script >console.log("hello")</script><script></script>
}}}
Problematic source code:
line 2356 in the wp-includes/script-loader.php file.
{{{
$attributes_string .= $html5_script_support ? sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_name ) ) : ' ' . $attribute_name;
}}}
I think it needs to be escaped as follows:
{{{
$attributes_string .= $html5_script_support ? sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_name ) ) : ' ' . esc_attr( $attribute_name );
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52894>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
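To make the reported branch and the proposed fix concrete, here is an added stand-alone PHP illustration; it is not WordPress core code. `esc_attr_stub` is a hypothetical minimal stand-in for core's `esc_attr()`, and `build_script_attributes` is a hypothetical reconstruction of the attribute loop in `wp_sanitize_script_attributes()` based only on the line quoted in the ticket.

```php
<?php
// Added illustration, not WordPress core code. esc_attr_stub() is a
// hypothetical minimal replacement for esc_attr() so the script runs
// outside WordPress; the real function does more (charset handling,
// avoiding double-encoding of existing entities).
function esc_attr_stub( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
}

// Hypothetical reconstruction of the attribute loop around the line the
// ticket quotes. $fixed = false reproduces the 5.7 behaviour the ticket
// reports (bare attribute name emitted unescaped when the value is true);
// $fixed = true applies the escaping the ticket proposes.
function build_script_attributes( array $attributes, $html5_script_support, $fixed ) {
    $attributes_string = '';
    foreach ( $attributes as $attribute_name => $attribute_value ) {
        if ( is_bool( $attribute_value ) ) {
            if ( ! $attribute_value ) {
                continue; // false means "omit this attribute entirely"
            }
            if ( $html5_script_support ) {
                // This branch was already escaped in 5.7.
                $attributes_string .= sprintf( ' %1$s="%2$s"', esc_attr_stub( $attribute_name ), esc_attr_stub( $attribute_name ) );
            } else {
                // The unescaped branch from the ticket, and its corrected form.
                $attributes_string .= ' ' . ( $fixed ? esc_attr_stub( $attribute_name ) : $attribute_name );
            }
        } else {
            $attributes_string .= sprintf( ' %1$s="%2$s"', esc_attr_stub( $attribute_name ), esc_attr_stub( $attribute_value ) );
        }
    }
    return $attributes_string;
}

// Constructed input mirroring the ticket's reproduction case: the attribute
// *name* carries markup and the value is boolean true.
$attributes = [ '>console.log("hello")</script><script' => true ];

// Unfixed: the name is inserted verbatim, so the markup closes the tag early.
echo '<script' . build_script_attributes( $attributes, false, false ) . "></script>\n";
// Fixed: < > and " are entity-encoded and the tag stays intact.
echo '<script' . build_script_attributes( $attributes, false, true ) . "></script>\n";
```

Running the script prints the ticket's broken tag first, followed by the escaped form in which the attribute name is rendered as `&gt;console.log(&quot;hello&quot;)&lt;/script&gt;&lt;script`.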