@sirreal sirreal commented Dec 16, 2025

The HTML API can produce SCRIPT tags that are safe, or reject the script tags if no safe tag can be produced.

SCRIPT tags have complicated and unintuitive parsing rules that make them difficult to author correctly. Currently, authors need to provide safe JavaScript and/or correctly escaped JSON in order to produce safe HTML SCRIPT tags.

[61447] added the ability to automatically escape JSON and JavaScript content when problematic strings are discovered, making the HTML API especially well-suited to producing script tags.

This is similar to change [61418] where the HTML API is used to generate style tags.

This is well documented by issues like #40737, #62797, #63851, and #51159.

This is a follow-up to #64419.

Includes #10635 (merged in r61477).

Trac ticket: https://core.trac.wordpress.org/ticket/64500


This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.
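An added example, not WordPress core's code and not the HTML API's implementation, showing the rule the description relies on: SCRIPT content is unsafe when it contains sequences the HTML tokenizer treats specially, JSON data can always be escaped around them, and arbitrary JavaScript that contains them is refused with an empty string, as the refactored wp_get_inline_script_tag() does. All example_* function names are hypothetical.

```php
<?php
// Added example, not WordPress core code. Function names prefixed example_ are hypothetical.
declare(strict_types=1);

/**
 * True when $text cannot be placed verbatim inside a SCRIPT element.
 * The tokenizer matches "</script" case-insensitively, and "<!--" / "<script" switch it
 * into the "script data escaped" states, so all three are treated as problematic.
 */
function example_script_text_is_unsafe( string $text ): bool {
    return 1 === preg_match( '~</script|<!--|<script~i', $text );
}

/**
 * JSON data can always be made safe: JSON_HEX_TAG and JSON_HEX_AMP turn "<", ">" and "&"
 * into \u escapes, which are valid JSON and can never form "</script" in the output.
 */
function example_safe_json_for_script( $data ): string {
    $json = json_encode( $data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_UNESCAPED_SLASHES );
    if ( false === $json ) {
        throw new RuntimeException( 'Data is not JSON-encodable: ' . json_last_error_msg() );
    }
    return $json;
}

/**
 * Arbitrary JavaScript cannot be rewritten safely (the sequence may sit inside a string,
 * a regex literal or a comment), so unsafe input yields '' rather than a broken tag.
 * Attribute names are restricted to a conservative character set; values are entity-escaped.
 */
function example_inline_script_tag( string $javascript, array $attributes = array() ): string {
    if ( example_script_text_is_unsafe( $javascript ) ) {
        return '';
    }
    $attr_html = '';
    foreach ( $attributes as $name => $value ) {
        if ( 1 !== preg_match( '~^[a-zA-Z][a-zA-Z0-9_:-]*$~', (string) $name ) ) {
            continue; // skip names that cannot be emitted without changing their meaning
        }
        $attr_html .= ' ' . $name . '="' . htmlspecialchars( (string) $value, ENT_QUOTES ) . '"';
    }
    return "<script{$attr_html}>{$javascript}</script>";
}

// Constructed inputs: a JSON payload containing the closing sequence, and raw JS that contains it.
$payload = array( 'note' => 'a </script> b' );
echo example_inline_script_tag( 'var d = ' . example_safe_json_for_script( $payload ) . ';', array( 'id' => 'wp-data' ) ), "\n";
var_dump( '' === example_inline_script_tag( 'var s = "</script>";' ) );
```

The first call succeeds because the encoder has already turned `<` and `>` into `\u003C` and `\u003E`; the second is refused because nothing short of parsing the JavaScript could tell whether rewriting the literal would change its behaviour.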

@github-actions

Test using WordPress Playground

The changes in this pull request can be previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • The Plugin and Theme Directories cannot be accessed within Playground.
  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance, it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.


sirreal commented Jan 13, 2026

I'd like to land #10728 first so it's clear that the attribute handling is unchanged from trunk in this change.

@dmsnell dmsnell left a comment

This is a great end to a long journey. I’m glad to see it come in and I think it will have a major uplift in the reliability of scripts, especially when viewed in the progression of module support, SCRIPT escaping, attribute recognition, etc…

Thanks for another intentional step forward with WordPress’s SCRIPT story.

@westonruter westonruter left a comment

See comments.

Copilot AI left a comment

Pull request overview

This PR refactors wp_get_script_tag() and wp_get_inline_script_tag() to use the HTML API (WP_HTML_Tag_Processor) instead of string concatenation, providing automatic escaping of dangerous JavaScript/JSON content and safer SCRIPT tag generation.

Changes:

  • Replaced string-based tag generation with WP_HTML_Tag_Processor for safer HTML construction
  • Added error handling in wp_get_inline_script_tag() to return empty string when content cannot be safely embedded
  • Added test case for dangerous unescapeable script content

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File | Description
src/wp-includes/script-loader.php | Refactored wp_get_script_tag() and wp_get_inline_script_tag() to use HTML API with duplicate attribute handling and safe content embedding
tests/phpunit/tests/dependencies/wpInlineScriptTag.php | Added test for failure case when script content cannot be safely escaped
Comments suppressed due to low confidence (1)

src/wp-includes/script-loader.php:1

  • The documentation states 'an empty script tag with the provided attributes will be returned' but the implementation actually returns an empty string '' (line 2996). The documentation should be corrected to say 'an empty string will be returned' to match the actual behavior.
@westonruter westonruter left a comment

A couple of nits, but re-approving.

sirreal and others added 2 commits January 14, 2026 21:50
pento pushed a commit that referenced this pull request Jan 15, 2026
Script tags have complicated and unintuitive parsing rules that make them difficult to author correctly. The HTML API automatically escapes script tag contents as necessary and will set attributes correctly. Using the HTML API to generate SCRIPT tags improves safety when working with SCRIPT tags, resolving a class of issues that have manifested repeatedly.

Changeset [61418] applied the HTML API to generate style tags in a similar way.

Developed in #10639.

Props jonsurrell, dmsnell, westonruter.
Fixes #64500. See #64419, #40737, #62797, #63851, #51159.


git-svn-id: https://develop.svn.wordpress.org/trunk@61485 602fd350-edb4-49c9-b593-d223f7449a82
@github-actions

A commit was made that fixes the Trac ticket referenced in the description of this pull request.

SVN changeset: 61485
GitHub commit: 37bee55

This PR will be closed, but please confirm the accuracy of this and reopen if there is more work to be done.

@github-actions github-actions bot closed this Jan 15, 2026
markjaquith pushed a commit to markjaquith/WordPress that referenced this pull request Jan 15, 2026
github-actions bot pushed a commit to platformsh/wordpress-performance that referenced this pull request Jan 15, 2026
@sirreal sirreal deleted the scripts/use-html-api-for-script-tags branch January 15, 2026 11:22