[wp-trac] [WordPress Trac] #51159: Let's expand our context specific escaping methods for wp_json_encode().
WordPress Trac
noreply at wordpress.org
Thu Jan 15 11:12:05 UTC 2026
#51159: Let's expand our context specific escaping methods for wp_json_encode().
-------------------------+-------------------------------------------------
Reporter: whyisjake | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: | Focuses: javascript, template, coding-
| standards
-------------------------+-------------------------------------------------
Comment (by jonsurrell):
In [changeset:"61485" 61485]:
{{{
#!CommitTicketReference repository="" revision="61485"
Script Loader: Use HTML API to generate SCRIPT tags.
Script tags have complicated and unintuitive parsing rules that make them
difficult to author correctly. The HTML API automatically escapes script
tag contents as necessary and will set attributes correctly. Using the
HTML API to generate SCRIPT tags improves safety when working with SCRIPT
tags, resolving a class of issues that have manifested repeatedly.
Changeset [61418] applied the HTML API to generate style tags in a similar
way.
Developed in https://github.com/WordPress/wordpress-develop/pull/10639.
Props jonsurrell, dmsnell, westonruter.
Fixes #64500. See #64419, #40737, #62797, #63851, #51159.
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/51159#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list