[wp-trac] [WordPress Trac] #56425: wp_localize_script assign to const and freeze instead of var to avoid reassignments
WordPress Trac
noreply at wordpress.org
Mon Nov 7 21:30:17 UTC 2022
#56425: wp_localize_script assign to const and freeze instead of var to avoid reassignments
-----------------------------------+------------------------------
Reporter: malthert | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Script Loader | Version:
Severity: normal | Resolution:
Keywords: has-patch 2nd-opinion | Focuses: javascript
-----------------------------------+------------------------------
Changes (by kkmuffme):
* keywords: has-patch 2nd-opinion close => has-patch 2nd-opinion
Comment:
@desrosj

> There are some valid scenarios

Could you perhaps give 2-3 examples of those? Because I haven't encountered any yet (that aren't an inherent XSS risk).

@TimothyBlynJacobs

`wp_add_inline_script` has a much higher XSS risk when not used correctly compared to `wp_localize_script`, so I'm not sure if it's really advisable to promote this for very basic text translations, which are often used with unsafe methods (jQuery.html, ...).

Especially given that the WP `esc_js` function isn't really safe for JS output either.

By changing the localized variable to a const (and freezing it), it would encourage devs to actually move to `wp_add_inline_script` if that is what is preferred.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56425#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
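The behavioural difference the ticket is about, as an added example that is not part of the ticket thread or of WordPress core: it contrasts the `var` declaration `wp_localize_script` emits today with a `const` plus `Object.freeze` form, and also shows the caveat that `Object.freeze` is shallow (nested objects stay writable unless frozen recursively). The handle name `myPluginData`, the payload, and the `deepFreeze` helper are assumptions made for the example; each snippet is evaluated in its own strict-mode function scope so the runs do not interfere.

```javascript
'use strict';

// Constructed sample of what wp_localize_script emits today: a `var` declaration.
// Handle name and payload are assumptions for this example.
const LOCALIZED_VAR =
  'var myPluginData = {"ajaxUrl":"/wp-admin/admin-ajax.php","settings":{"retries":3}};';

// The form proposed in the ticket: `const` plus a (shallow) Object.freeze.
const LOCALIZED_CONST_SHALLOW =
  'const myPluginData = Object.freeze({"ajaxUrl":"/wp-admin/admin-ajax.php","settings":{"retries":3}});';

// Same, but frozen recursively with the hypothetical deepFreeze helper below.
const LOCALIZED_CONST_DEEP =
  'const myPluginData = deepFreeze({"ajaxUrl":"/wp-admin/admin-ajax.php","settings":{"retries":3}});';

// Object.freeze only freezes the top level, so walk the object and freeze every
// nested object before freezing the parent.
function deepFreeze(obj) {
  for (const key of Object.keys(obj)) {
    const value = obj[key];
    if (value !== null && typeof value === 'object' && !Object.isFrozen(value)) {
      deepFreeze(value);
    }
  }
  return Object.freeze(obj);
}

// A "later script" that tries to modify the localized data in three ways:
// change a nested property, change a top-level property, and reassign the
// binding. In strict mode a write to a frozen object or to a const throws, so
// each attempt is wrapped in try/catch and the outcome is read back afterwards.
const TAMPERING_SCRIPT = `
  try { myPluginData.settings.retries = 0; } catch (e) {}
  result.nestedChanged = myPluginData.settings.retries === 0;
  try { myPluginData.ajaxUrl = '/changed'; } catch (e) {}
  result.propertyChanged = myPluginData.ajaxUrl === '/changed';
  try { myPluginData = { ajaxUrl: '/replaced' }; } catch (e) {}
  result.reassigned = myPluginData.ajaxUrl === '/replaced';
`;

// Evaluate a localized snippet followed by the tampering script in a fresh
// strict-mode function scope and report which modifications took effect.
function tamperingOutcome(localizedSnippet) {
  const body = `
    'use strict';
    ${localizedSnippet}
    const result = { nestedChanged: false, propertyChanged: false, reassigned: false };
    ${TAMPERING_SCRIPT}
    return result;
  `;
  // deepFreeze is passed in explicitly because new Function cannot see module scope.
  return new Function('deepFreeze', body)(deepFreeze);
}

// Stand-alone run: `var` allows every change, shallow freeze still allows the
// nested change, deep freeze blocks all three.
console.log('var:           ', tamperingOutcome(LOCALIZED_VAR));
console.log('const+freeze:  ', tamperingOutcome(LOCALIZED_CONST_SHALLOW));
console.log('const+deep:    ', tamperingOutcome(LOCALIZED_CONST_DEEP));
```

Two points follow from the output. A `const` binding only blocks reassignment of the name; without `Object.freeze` the object's properties remain writable, and with a shallow freeze any nested settings object remains writable, so a core change along the lines of the ticket would need to decide how deep the freeze goes. Freezing also does nothing for the XSS concern raised in the comment: it stops later scripts from rewriting the data, but the values are still only as safe as the code that consumes them.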