Changeset 61418 for trunk/src/wp-includes/script-loader.php

Timestamp:

12/30/2025 01:01:11 PM (3 months ago)

Author:

jonsurrell

Message:

Use the HTML API to generate style tags.

The HTML API escapes <style> tag contents to ensure the correct HTML structure. Common HTML escaping is unsuitable for <style> tags because they contain "raw text." The additional safety allows other restrictions, such as rejecting content with <>, to be relaxed or removed because the resulting tag will be well-formed.

Developed in ​https://github.com/WordPress/wordpress-develop/pull/10656.

Props jonsurrell, westonruter, dmsnell, ramonopoly, soyebsalar01, drw158, sabernhardt.
See #64418.

File:

• trunk/src/wp-includes/script-loader.php (modified) (2 diffs)

trunk/src/wp-includes/script-loader.php

@@ -2414 +2414 @@
 
         if ( ! empty( $wp_styles->print_code ) ) {
-            echo "<style>\n";
-            echo $wp_styles->print_code;
-            echo sprintf( "\n/*# sourceURL=%s */", rawurlencode( $concat_source_url ) );
-            echo "\n</style>\n";
+            $processor = new WP_HTML_Tag_Processor( '<style></style>' );
+            $processor->next_tag();
+            $style_tag_contents = "\n{$wp_styles->print_code}\n"
+                . sprintf( "/*# sourceURL=%s */\n", rawurlencode( $concat_source_url ) );
+            $processor->set_modifiable_text( $style_tag_contents );
+            echo "{$processor->get_updated_html()}\n";
         }
     }
@@ -3172 +3174 @@
         $action_hook_name,
         static function () use ( $style ) {
-            echo "<style>$style</style>\n";
+            $processor = new WP_HTML_Tag_Processor( '<style></style>' );
+            $processor->next_tag();
+            $processor->set_modifiable_text( $style );
+            echo "{$processor->get_updated_html()}\n";
         },
         $priority