Open eric-michel opened 2 years ago
@jonoalderson @herregroen fyi
Yeah, I think this is a good plan. Whilst we know that the contents of that script tag aren't conventional JavaScript (it'll always be JSON-LD), we should definitely enqueue this 'properly' so that it can be filtered/modified/moved etc.
Is your feature request related to a problem? Please describe.
As of WP 5.7, new functions are available to add attributes to script tags. This makes it possible to, for instance, add a nonce to tags for CSP compliance. Yoast SEO does not currently take advantage of the script tag output functions that allow for this functionality.
Describe the solution you'd like
See https://make.wordpress.org/core/2021/02/23/introducing-script-attributes-related-functions-in-wordpress-5-7/.
In places like schema-presenter.php:
should be refactored to use wp_get_inline_script_tag() to generate the <script> wrapper so that attributes can be added to the tag via the wp_inline_script_attributes filter.
Why do you think this feature is something we should consider for the Yoast SEO plugins?
This is WP's first solid effort at supporting CSP, which will allow for greater security against XSS attacks. Yoast is an incredibly popular plugin, and needs to support this feature ASAP so that more sites can reliably adopt CSP without use of the unsafe-inline keyword, which eliminates much of the benefit of CSP.
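
The change requested above, as an added example that is not Yoast SEO's code and not part of the issue: the plugin side builds the JSON-LD tag with wp_get_inline_script_tag(), and the site side attaches a per-request nonce through the wp_inline_script_attributes filter. All example_* names, the class attribute and the sample graph are assumptions made for illustration.

```php
<?php
// Added example, not Yoast SEO code. Every example_* name is hypothetical.

/** One nonce per request, shared by the CSP header and every inline tag. */
function example_csp_nonce() {
	static $nonce = null;
	if ( null === $nonce ) {
		$nonce = base64_encode( random_bytes( 18 ) ); // unpredictable, never reused across requests
	}
	return $nonce;
}

// Site side: advertise the nonce in the policy instead of 'unsafe-inline'.
add_action( 'send_headers', function () {
	header( "Content-Security-Policy: script-src 'self' 'nonce-" . example_csp_nonce() . "'" );
} );

// Site side: stamp the nonce on every inline tag built through the WP 5.7 helpers.
// Tags that a plugin echoes as a hand-written "<script ...>" string never pass
// through this filter, which is the gap the issue describes.
add_filter( 'wp_inline_script_attributes', function ( $attributes ) {
	$attributes['nonce'] = example_csp_nonce();
	return $attributes;
} );

// Plugin side: let core generate the <script> wrapper for the JSON-LD payload.
function example_print_schema( array $graph ) {
	// JSON_HEX_TAG encodes "<" and ">" so a "</script>" inside the data cannot close the tag.
	$json = wp_json_encode( $graph, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES );
	echo wp_get_inline_script_tag(
		$json,
		array(
			'type'  => 'application/ld+json',
			'class' => 'example-schema-graph', // hypothetical class name
		)
	);
}

add_action( 'wp_head', function () {
	example_print_schema( array(
		'@context' => 'https://schema.org',
		'@type'    => 'WebSite',
		'name'     => 'Example site', // constructed sample data
	) );
} );
```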