[wp-trac] [WordPress Trac] #26111: wp_localize_script array from callback for performance

WordPress Trac noreply at wordpress.org
Sun Apr 12 21:33:11 UTC 2015


#26111: wp_localize_script array from callback for performance
------------------------------------+-----------------------------
 Reporter:  ciantic                 |       Owner:  wonderboymusic
     Type:  enhancement             |      Status:  reopened
 Priority:  high                    |   Milestone:  4.2
Component:  Script Loader           |     Version:  2.6
 Severity:  normal                  |  Resolution:
 Keywords:  has-patch dev-feedback  |     Focuses:  performance
------------------------------------+-----------------------------

Comment (by jdgrimes):

 Replying to [comment:20 jdgrimes]:
 >arrays might not be 100% immune to this
 I say this because someone might happen to pass an array like `array(
 'Some_Class', 'some_static_method' )`. Though of course that is far less
 likely.

 But we might also want to consider the case where someone might be doing
 something like this: `wp_localize_script( 'my_script', 'my_js_ob',
 $_GET['something'] )`. This might have been safe before. Now it would mean
 arbitrary function execution (unless we limit this to only closures).

--
Ticket URL: <https://core.trac.wordpress.org/ticket/26111#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
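
Added example, not part of jdgrimes's comment or of the ticket's patch: a PHP sketch of the concern raised above, assuming the proposed callback support would detect callbacks with `is_callable()`. The helper names `l10n_resolve_loose` and `l10n_resolve_closure_only` and all sample inputs are hypothetical; `phpversion` stands in for a request-supplied string such as `$_GET['something']`.

```php
<?php
// Added illustration; hypothetical helpers, not code from the ticket's patch.

class Some_Class {
    public static function some_static_method() {
        return array( 'source' => 'static method' );
    }
}

// Assumed loose variant: anything PHP considers callable is invoked.
function l10n_resolve_loose( $l10n ) {
    return is_callable( $l10n ) ? call_user_func( $l10n ) : $l10n;
}

// Closure-only variant: strings and arrays are always treated as data.
function l10n_resolve_closure_only( $l10n ) {
    return ( $l10n instanceof Closure ) ? $l10n() : $l10n;
}

// Constructed inputs. 'phpversion' is a harmless built-in function name,
// used here in place of a string that arrived from the request.
$inputs = array(
    'plain string'         => 'hello',
    'function-name string' => 'phpversion',
    'class/method array'   => array( 'Some_Class', 'some_static_method' ),
    'closure'              => function () {
        return array( 'source' => 'closure' );
    },
);

foreach ( $inputs as $label => $value ) {
    // The loose variant calls the string and the array; the closure-only
    // variant passes both through unchanged and only invokes the closure.
    printf(
        "%-22s loose: %-30s closure-only: %s\n",
        $label,
        json_encode( l10n_resolve_loose( $value ) ),
        json_encode( l10n_resolve_closure_only( $value ) )
    );
}
```

In the output, the function-name string and the class/method array come back as return values under the loose check and as the original data under the closure-only check.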

