[wp-trac] [WordPress Trac] #51159: Let's expand our context specific escaping methods for wp_json_encode().
WordPress Trac
noreply at wordpress.org
Thu Dec 18 15:08:29 UTC 2025
#51159: Let's expand our context specific escaping methods for wp_json_encode().
-------------------------+-------------------------------------------------
 Reporter:  whyisjake    |       Owner:  (none)
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Security     |     Version:
 Severity:  normal       |  Resolution:
 Keywords:               |     Focuses:  javascript, template, coding-
                         |  standards
-------------------------+-------------------------------------------------

Comment (by jonsurrell):

 #64419 explores the possibility of escaping JavaScript and JSON script
 tags automatically, which could help reduce the penalty for escaping things
 incorrectly.

 Also related is #60229, which proposes HTML templating. This would apply
 the appropriate escaping based on the context.

 A combination of these two tickets likely resolves the underlying problems
 this ticket seeks to address:

 - Escaping is context dependent and difficult to do correctly
 - Strings of HTML are split up and stitched together without awareness of
   whether they're plaintext, escaped, raw…
 - Existing escaping functions will not "double escape," making them
   unsuitable mechanisms for preserving the semantic value of content.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/51159#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
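
The first and third points in the comment above, as an added example that is not part of the original message and is not WordPress core code. It uses only plain PHP standard-library calls; the helper names are hypothetical and the sample value is constructed.

```php
<?php
// Added illustration in plain PHP; not WordPress core code.
// Helper names are hypothetical; $value is a constructed sample.
$value = 'Write &lt; to show "<", never a raw </script> in inline JSON';

// Context 1: JSON inside a <script> element. The HTML parser scans for
// "</script" before any JavaScript runs, so "<", ">" and "&" are hex-escaped.
function json_for_script_element($data): string {
    return json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP);
}

// Context 2: JSON inside an HTML attribute. The browser decodes character
// references first, so every "&" and quote is encoded, existing ones included.
function json_for_attribute($data): string {
    return htmlspecialchars(json_encode($data), ENT_QUOTES, 'UTF-8', true);
}

// Models an escaper that will not double escape (double_encode = false).
function escape_without_double_encode(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

$in_script = json_for_script_element($value);
$in_attr   = json_for_attribute($value);

check(strpos($in_script, '<') === false, 'script form has no raw "<"');
check(strpos($in_attr, '"') === false, 'attribute form has no raw quote');
check(json_decode($in_script) === $value, 'script form round-trips');
check(
    json_decode(html_entity_decode($in_attr, ENT_QUOTES, 'UTF-8')) === $value,
    'attribute form round-trips'
);

// Semantic loss: the author wants the literal text "&lt;" displayed. The
// existing reference is left alone, so a browser renders it as "<" instead.
$rendered = html_entity_decode(
    escape_without_double_encode($value), ENT_QUOTES, 'UTF-8'
);
check($rendered !== $value, 'no-double-escape output does not round-trip');
check(strpos($rendered, '&lt;') === false, 'the literal "&lt;" was lost');
```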