rtCamp / wordpress-preview-revisions

WordPress Preview Revisions Plugin help editors to preview the revisions with exact same content that would look like on the frontend.

Use `wp_json_encode()` to safely render text inside `script` tag #1

Closed westonruter closed 1 year ago

westonruter commented 1 year ago

Given this existing code:

button.innerText = '<?php esc_html_e( 'Preview', 'preview-revisions' ); ?>';

It could be that a translation string incorporates an apostrophe, either because the language uses apostrophes:

[image]

Which would result in a syntax error here:

button.innerText = 'mua'i va'aiga';
// --------------------^

Or it could be that someone is maliciously adding apostrophes to attempt a translation string injection attack.

This is addressed by using wp_json_encode() when rendering text inside of a script tag.

Issue - #2
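The fix described in this PR, as an added example that is not part of the pull request or the plugin's own code: `render_button_label()` is a hypothetical helper, and `wp_json_encode()` is stubbed with `json_encode()` so the snippet runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Outside WordPress, wp_json_encode()
// is stubbed with json_encode(); the real function additionally sanitises
// invalid UTF-8 but emits the same literals for these inputs (assumption).
if ( ! function_exists( 'wp_json_encode' ) ) {
	function wp_json_encode( $data, $flags = 0, $depth = 512 ) {
		return json_encode( $data, $flags, $depth );
	}
}

// Hardened form of the line changed in the PR: the whole PHP string becomes
// one JavaScript string literal, quotes included, instead of being dropped
// between hand-written single quotes where an apostrophe ends the literal.
function render_button_label( $label ) {
	return 'button.innerText = ' . wp_json_encode( $label ) . ';';
}

// Constructed inputs: a translation containing apostrophes, one containing
// double quotes, and one that tries to close the script element early.
$labels = array(
	"mua'i va'aiga",
	'Vista "previa"',
	'</script><b>not a label</b>',
);

foreach ( $labels as $label ) {
	echo render_button_label( $label ), "\n";
}
```

Because `json_encode()` escapes `/` as `\/` by default, a `</script>` sequence inside a translation cannot terminate the element; passing `JSON_UNESCAPED_SLASHES` would remove that safeguard, so keep the default flags for text rendered inside a script tag.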

hbhalodia commented 1 year ago

Thanks, @westonruter, for the patch. Seems good to me. I would create an issue for this, and then we can safely merge this.

hbhalodia commented 1 year ago

This is tested successfully, hence merging and closing the issue mentioned.