[wp-trac] [WordPress Trac] #62797: wp_add_inline_script does not properly escape '<!-- <script>' in contents
WordPress Trac
noreply at wordpress.org
Thu Jan 15 11:12:05 UTC 2026
#62797: wp_add_inline_script does not properly escape '<!-- <script>' in contents
-------------------------------------------------+-------------------------
Reporter: artpi                                  | Owner: jonsurrell
Type: defect (bug)                               | Status: closed
Priority: normal                                 | Milestone: 6.9
Component: Editor                                | Version: 5.0
Severity: normal                                 | Resolution: fixed
Keywords: has-patch has-unit-tests dev-feedback  | Focuses: administration
-------------------------------------------------+-------------------------
Comment (by jonsurrell):
In [changeset:"61485" 61485]:
{{{
#!CommitTicketReference repository="" revision="61485"
Script Loader: Use HTML API to generate SCRIPT tags.

Script tags have complicated and unintuitive parsing rules that make them
difficult to author correctly. The HTML API automatically escapes script
tag contents as necessary and will set attributes correctly. Using the
HTML API to generate SCRIPT tags improves safety when working with SCRIPT
tags, resolving a class of issues that have manifested repeatedly.

Changeset [61418] applied the HTML API to generate style tags in a similar
way.

Developed in https://github.com/WordPress/wordpress-develop/pull/10639.
Props jonsurrell, dmsnell, westonruter.
Fixes #64500. See #64419, #40737, #62797, #63851, #51159.
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62797#comment:28>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
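
The parsing behaviour named in this ticket's title, as an added example that is not part of the ticket, the changeset or WordPress code: a simplified JavaScript model of the HTML tokenizer's script-data states that checks whether inline contents let the generated `</script>` close the element where intended. The function names and sample strings are hypothetical and constructed here, and the `\x3C` form is one illustrative escaping for a JavaScript string literal, not a statement of what the HTML API emits.

```javascript
// Added example: simplified model of the HTML tokenizer's script-data states.
// A terminator (whitespace, "/" or ">") must follow the tag name for it to count.
const OPEN = /<script[\t\n\f\r \/>]/iy;
const CLOSE = /<\/script[\t\n\f\r \/>]/iy;

// Index of the "<" of the end tag that closes the SCRIPT element, or -1 if
// nothing in `text` closes it.
function scriptCloseIndex(text) {
  let state = "data"; // "data" | "escaped" | "double-escaped"
  for (let i = 0; i < text.length; i++) {
    const at = (re) => { re.lastIndex = i; return re.test(text); };
    // "-->" leaves either escaped state; this also covers "<!-->" and "<!--->".
    const endsComment = text[i] === ">" && text[i - 1] === "-" && text[i - 2] === "-";
    if (state === "data") {
      if (at(CLOSE)) return i;
      if (text.startsWith("<!--", i)) { state = "escaped"; i += 3; }
    } else if (endsComment) {
      state = "data";
    } else if (state === "escaped") {
      if (at(CLOSE)) return i;
      if (at(OPEN)) state = "double-escaped";
    } else if (at(CLOSE)) {
      // In the double-escaped state "</script>" does not close the element;
      // it only drops back to the escaped state.
      state = "escaped";
    }
  }
  return -1;
}

// True when the contents are closed by the tag the generator appends and by
// nothing earlier, i.e. the element ends exactly where the author intended.
function isSafeInlineScript(contents) {
  return scriptCloseIndex(contents + "</script>") === contents.length;
}

// Constructed sample inputs.
const samples = [
  'var s = "<!-- <script>";',          // the sequence from the ticket title
  'var s = "\\x3C!-- \\x3Cscript>";',  // same string value, "<" written as \x3C
  'var s = "</script>";',              // closes the element too early
];
for (const s of samples) console.log(isSafeInlineScript(s), s);
```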