[wp-trac] [WordPress Trac] #51159: Let's expand our context specific escaping methods for wp_json_encode().

WordPress Trac noreply at wordpress.org
Tue Jan 13 13:11:40 UTC 2026


#51159: Let's expand our context specific escaping methods for wp_json_encode().
-------------------------+-------------------------------------------------
 Reporter:  whyisjake    |       Owner:  (none)
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Security     |     Version:
 Severity:  normal       |  Resolution:
 Keywords:               |     Focuses:  javascript, template, coding-
                         |  standards
-------------------------+-------------------------------------------------

Comment (by jonsurrell):

 In [changeset:"61477" 61477]:
 {{{
 #!CommitTicketReference repository="" revision="61477"
 HTML API: Escape script tag contents automatically.

 When setting JavaScript or JSON script tag content, automatically escape
 sequences like `<script>` and `</script>`. This renders the content safe
 for HTML. The semantics of any JSON and virtually any JavaScript are
 preserved.

 Script type detection follows the HTML standard for identifying JavaScript
 and JSON script tags. Other script types continue to reject potentially
 dangerous content.

 Developed in https://github.com/WordPress/wordpress-develop/pull/10635.

 Props jonsurrell, dmsnell, westonruter.
 Fixes #64419. See #63851, #51159.
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/51159#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
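
The following is an added example, not code from the changeset or from WordPress. It shows why sequences such as `</script>` and `<!--` followed by `<script` matter inside a JSON script tag, and one escaping that keeps the parsed JSON identical. The helper names and sample data are hypothetical, and writing every `<` as `\u003C` is an assumption chosen for illustration, not necessarily the escaping the HTML API applies.

```javascript
// Added example: constructed input, hypothetical helper names.

// Sequences that change how the HTML tokenizer treats script content.
// "</script" closes the element; "<!--" followed by "<script" enters the
// double-escaped state, where a later "</script>" no longer closes it.
const RISKY = /<!--|<\/?script/i;

function hasRiskySequence(text) {
  return RISKY.test(text);
}

// Serialize a value for a <script type="application/json"> element.
// Assumption: every "<" is written as the JSON escape \u003C. In valid JSON
// a "<" can only occur inside a string, so the parsed value is unchanged.
function jsonForScriptTag(value) {
  return JSON.stringify(value).replace(/</g, '\\u003C');
}

// Constructed sample data containing both problem patterns.
const sample = {
  title: 'A post about the </script> tag',
  note: '<!-- <script> opens the double-escaped state',
  nested: ['</SCRIPT >', 1, true, null],
};

function demo() {
  const raw = JSON.stringify(sample);
  const safe = jsonForScriptTag(sample);
  return {
    rawIsRisky: hasRiskySequence(raw),    // plain JSON.stringify output
    safeIsRisky: hasRiskySequence(safe),  // escaped output
    roundTrips: JSON.stringify(JSON.parse(safe)) === raw,
    safe,
  };
}

const result = demo();
console.log(result.safe);
console.log(result.rawIsRisky, result.safeIsRisky, result.roundTrips);
```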

