[wp-trac] [WordPress Trac] #63806: Bundled themes: Scripts are printed directly without using wp_print_inline_script_tag()

WordPress Trac noreply at wordpress.org
Sun Aug 10 20:37:34 UTC 2025


#63806: Bundled themes: Scripts are printed directly without using
wp_print_inline_script_tag()
---------------------------+----------------------------------------
 Reporter:  westonruter    |      Owner:  (none)
     Type:  enhancement    |     Status:  new
 Priority:  normal         |  Milestone:  6.9
Component:  Bundled Theme  |    Version:  5.7
 Severity:  normal         |   Keywords:  needs-patch good-first-bug
  Focuses:  javascript     |
---------------------------+----------------------------------------
 Core was updated in #59446 to use the script helper functions
 (`wp_get_script_tag()`, `wp_print_inline_script_tag()`,
 `wp_get_inline_script_tag()`) to eliminate manual construction of script
 tags on the frontend and the login screen. These were introduced in
 #39941.

 However, the core themes have not all been updated to use these functions,
 meaning they cannot opt in to a
 [https://web.dev/articles/strict-csp Strict Content Security Policy]. See
 [https://github.com/search?q=repo%3AWordPress%2Fwordpress-develop+path%3A%2F%5Esrc%5C%2Fwp-content%5C%2Fthemes%5C%2F%2F+%2F%3Cscript%5B%5E%3E%5D*%3E%2F&type=code examples].

 Instead of a theme doing something like this:

 {{{#!php
 <?php
 function my_theme_supports_js() {
         echo '<script>document.body.classList.remove("no-js");</script>'; // ❌ DO NOT DO THIS 👎
 }
 add_action( 'wp_footer', 'my_theme_supports_js' );
 }}}

 It should be updated to do:

 {{{#!php
 <?php
 function my_theme_supports_js() {
         wp_print_inline_script_tag( 'document.body.classList.remove("no-js");' ); // ✅ Do this instead 👍
 }
 add_action( 'wp_footer', 'my_theme_supports_js' );
 }}}

 Note that if a bundled theme was introduced for a WordPress version prior
 to 5.7 then it won't have the necessary helper functions available. In
 their case, either they should be skipped or the necessary functions can
 be included as polyfills.

 See also #59446 which tracks this for the WP Admin.

 See the [https://wordpress.org/plugins/strict-csp/ Strict CSP plugin] as a
 way to enforce Strict CSP to help discover if there are scripts being
 manually printed.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/63806>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
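
How the helper functions make a Strict CSP opt-in possible, as an added example that is not code from the ticket, WordPress core or the Strict CSP plugin. The `example_*` functions are hypothetical; the `wp_script_attributes`, `wp_inline_script_attributes` and `wp_headers` filters are core hooks, and the policy string follows the linked web.dev article.

```php
<?php
/**
 * Added illustration (hypothetical plugin and theme code; every example_* name
 * is made up for this sketch). Requires WordPress 5.7 or later.
 */

// One nonce per request, shared by the response header and every script tag.
function example_csp_nonce() {
	static $nonce = null;
	if ( null === $nonce ) {
		$nonce = base64_encode( random_bytes( 16 ) );
	}
	return $nonce;
}

// Tags built by the script helper functions pass their attributes through
// these filters, so each such tag picks up the nonce attribute.
function example_add_nonce( $attributes ) {
	$attributes['nonce'] = example_csp_nonce();
	return $attributes;
}
add_filter( 'wp_script_attributes', 'example_add_nonce' );
add_filter( 'wp_inline_script_attributes', 'example_add_nonce' );

// Send the nonce-based policy with frontend responses.
function example_send_csp( $headers ) {
	$headers['Content-Security-Policy'] = sprintf(
		"script-src 'nonce-%s' 'strict-dynamic'; object-src 'none'; base-uri 'none';",
		example_csp_nonce()
	);
	return $headers;
}
add_filter( 'wp_headers', 'example_send_csp' );

// Theme code using the helper: rendered with the nonce, so the browser runs it.
function example_theme_helper_script() {
	wp_print_inline_script_tag( 'document.body.classList.remove("no-js");' );
}
add_action( 'wp_footer', 'example_theme_helper_script' );

// Theme code printing the tag by hand: no filter runs, the tag has no nonce,
// and the browser refuses to execute it under the policy above.
function example_theme_manual_script() {
	echo '<script>document.body.classList.add("manual");</script>';
}
add_action( 'wp_footer', 'example_theme_manual_script' );
```

Behind a full-page cache the same nonce would be served to every visitor, so the header and markup need to be generated per request for the policy to hold.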

