@lysyjan lysyjan (Contributor) commented Oct 16, 2025

Changes proposed in this Pull Request:

This PR adds the required JSON_HEX_TAG | JSON_UNESCAPED_SLASHES flags to all wp_json_encode() calls that output data into inline scripts, following WordPress security best practices.

Background

When outputting JSON data into <script> tags using wp_json_encode(), the default flags are insufficient to prevent potential XSS vulnerabilities. Sequences like </script> or <!--<script> can break out of the script context or cause unexpected HTML parsing behavior due to the "script data double escaped state."

Changes Made

Updated includes/class-wc-google-gtag-js.php to use proper flags in all wp_json_encode() calls:

  1. Line 105: Added flags to consent modes encoding
  2. Line 106: Added flags to site tag config encoding
  3. Line 165: Added flags to settings array encoding
  4. Line 250: Added flags to script data encoding in get_script_data() method

These flags ensure:

  • JSON_HEX_TAG: Converts < and > to \u003C and \u003E, preventing script tag injection
  • JSON_UNESCAPED_SLASHES: Keeps forward slashes unescaped for better readability while maintaining security

Checks:

  • Does your code follow the WordPress coding standards?
  • Have you written new tests for your changes, as applicable?
  • Have you successfully run tests with your changes locally?
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?

Detailed test instructions:

  1. Install and activate the plugin on a test site
  2. Navigate to a product page and view the page source
  3. Locate the inline <script> tags containing GA4 configuration data
  4. Verify that the JSON data is properly encoded (e.g., < appears as \u003C)
  5. Test all GA4 tracking events (view_item, add_to_cart, purchase, etc.) to ensure they still work correctly
  6. Check browser console for any JavaScript errors
  7. Verify tracking data appears correctly in Google Analytics

Additional details:

This change is purely defensive and should not alter any functionality. The encoded JSON will decode to the same values in JavaScript, but will be safer against edge cases involving malicious product names or other user-generated content that might contain script tags.

Changelog entry

Fix - Add safe script tag encoding flags to all wp_json_encode() calls in inline scripts
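The effect of the two flags described above, as an added PHP example that is not code from the PR or from the plugin. It uses plain json_encode(), which wp_json_encode() wraps and which accepts the same flags; the function names, the INLINE_SCRIPT_FLAGS constant and the sample product data are constructed for the demonstration.

```php
<?php
// Added example (not the plugin's or the PR author's code): shows why
// JSON_HEX_TAG | JSON_UNESCAPED_SLASHES matters when JSON is printed into an
// inline <script>. Uses plain json_encode(); wp_json_encode() takes the same
// flags. Function names and the sample product data below are constructed.

const INLINE_SCRIPT_FLAGS = JSON_HEX_TAG | JSON_UNESCAPED_SLASHES;

/** Encode data that will be printed inside a <script> element body. */
function encode_for_inline_script( array $data ): string {
    return json_encode( $data, INLINE_SCRIPT_FLAGS );
}

/**
 * Defender-side check: a JSON string is safe for a script body only if it
 * contains no "<" at all, so the HTML tokenizer can never see "</script"
 * or the "<!--<script" sequence that enters the double-escaped state.
 */
function is_safe_for_script_body( string $json ): bool {
    return strpos( $json, '<' ) === false;
}

// Constructed user-generated content, as a product name might arrive.
$samples = [
    'close_tag'   => [ 'item_name' => 'Mug </script><script>alert(1)</script>' ],
    'comment_seq' => [ 'item_name' => 'Mug <!--<script>' ],
    'plain'       => [ 'item_name' => 'Mug', 'url' => 'https://shop.example/mug' ],
];

foreach ( $samples as $label => $data ) {
    $default = json_encode( $data );               // escapes "/" but leaves "<" and ">" as-is
    $safe    = encode_for_inline_script( $data );  // "<" -> \u003C, ">" -> \u003E, "/" kept readable

    printf( "%-12s default: %s\n", $label, $default );
    printf( "%-12s safe:    %s\n", '', $safe );
    printf( "%-12s default safe for <script>? %s\n", '', is_safe_for_script_body( $default ) ? 'yes' : 'no' );
    printf( "%-12s flagged safe for <script>? %s\n", '', is_safe_for_script_body( $safe ) ? 'yes' : 'no' );
    // The escaped form still decodes to the identical array, so tracking data is unchanged.
    printf( "%-12s round-trips: %s\n\n", '', json_decode( $safe, true ) === $data ? 'yes' : 'no' );
}

// How the plugin would emit it: the <script> body can no longer be terminated
// early, whatever the product name contains.
echo '<script>var gtagData = ' . encode_for_inline_script( $samples['close_tag'] ) . ";</script>\n";
```

Run it with `php example.php`. The `plain` sample shows that the default flags already escape `/`, which is why `<\/script>` alone does not close the element; the gain from JSON_HEX_TAG is that no `<` or `>` survives at all, so neither `</script>` nor the `<!--<script>` sequence can reach the HTML tokenizer. These flags cover JSON placed in a script body only; data placed in an HTML attribute needs the quote and ampersand flags (JSON_HEX_QUOT, JSON_HEX_APOS, JSON_HEX_AMP) or attribute escaping as well.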

@eason9487 eason9487 (Member) left a comment

Thanks for the work! LGTM.

@eason9487 eason9487 assigned lysyjan and unassigned eason9487 Oct 20, 2025
@NeosinneR NeosinneR merged commit f64ca03 into trunk Oct 23, 2025
7 checks passed
@NeosinneR NeosinneR deleted the stomail-7577-add-save-script-tags-to-wp_json_encode-usage branch October 23, 2025 14:26
@eason9487 eason9487 added the changelog: fix Took care of something that wasn't working. label Oct 27, 2025