[wp-trac] [WordPress Trac] #54893: wp_set_script_translations() accepts and evaluates <script> tag included in JSON
WordPress Trac
noreply at wordpress.org
Mon Jan 24 16:23:30 UTC 2022
#54893: wp_set_script_translations() accepts and evaluates <script> tag included in
JSON
------------------------------+------------------------------
Reporter: Takahashi_Fumiki | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: needs-patch | Focuses: javascript
------------------------------+------------------------------
Comment (by swissspidy):
Some technical background about why this is happening:
As explained above in detail, the issue is the appearance of </script>
within a string that's output in an inline script.
Browsers will immediately close the script tag at that point, as the
screenshots indicate. That's why WordPress often does things like
`[...]some inline javascript[...]</scr' + 'ipt>'` (see for example
`wp_get_script_polyfill()`).
https://mathiasbynens.be/notes/etago explains this quite well in detail.
Note also this info in the HTML spec:
https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
> The easiest and safest way to avoid the rather strange restrictions
> described in this section is to always escape an ASCII case-insensitive
> match for `"<!--"` as `"<\!--"`, `"<script"` as `"<\script"`, and
> `"</script"` as `"<\/script"` when these sequences appear in literals in
> scripts (e.g. in strings, regular expressions, or comments), and to avoid
> writing code that uses such constructs in expressions.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54893#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
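
The behaviour described in the comment above, as an added example (not part of the ticket or of WordPress core; the function names and the sample catalogue are constructed for illustration): a simplified model of where the browser ends an inline script, and a serializer that escapes every `<` as `\u003C`, a stricter variant of the spec's advice that stays valid JSON.

```javascript
// Added example; function names and sample data are hypothetical.

// Simplified model of the HTML tokenizer's script-data state: the element
// ends at the first ASCII case-insensitive "</script" followed by
// whitespace, "/" or ">". (The "<!--" double-escaped state is not modelled.)
function scriptEndIndex(body) {
  const m = /<\/script[\t\n\f\r \/>]/i.exec(body);
  return m ? m.index : -1;
}

// The three sequences the quoted spec text says to escape.
function restrictedSequences(body) {
  return body.match(/<!--|<\/?script/gi) || [];
}

// Serialize data for an inline <script>. Every "<" becomes \u003C, which
// covers all three sequences and, unlike "<\!--" or "<\script", is a legal
// escape in JSON as well as in a JavaScript string literal.
function jsonForInlineScript(value) {
  return JSON.stringify(value).replace(/</g, '\\u003C');
}

// Constructed sample: a translation entry whose text contains a closing tag.
const sampleTranslations = {
  messages: { Hello: ['Hi </script><b>markup after the early close</b>'] },
};

function inlineBody(json) {
  return 'var translations = ' + json + ';';
}

function demo() {
  const naive = inlineBody(JSON.stringify(sampleTranslations));
  const safe = inlineBody(jsonForInlineScript(sampleTranslations));
  return {
    // What the browser would treat as script before closing the element.
    naiveScriptPart: naive.slice(0, scriptEndIndex(naive)),
    naiveRestricted: restrictedSequences(naive),
    safeEndsAt: scriptEndIndex(safe),
    safeRestricted: restrictedSequences(safe),
    // The escaped output still parses back to the original data.
    roundTrips: JSON.stringify(JSON.parse(jsonForInlineScript(sampleTranslations)))
      === JSON.stringify(sampleTranslations),
  };
}

console.log(demo());
```

With the naive serialization the script body is cut off in the middle of a string literal, so the remainder of the JSON is parsed as HTML; the escaped form contains none of the restricted sequences.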