Script Loader: Escape HTML5 boolean attribute names.

peterwilsoncc · peterwilsoncc · commit 96cfff96bee9 · 2021-04-06T03:40:38.000Z
Add escaping of boolean attribute names in `wp_sanitize_script_attributes()` for themes supporting HTML5 script elements. Props tmatsuur, johnbillion, joyously. Merges [50575] to the 5.7 branch. Fixes #52894. git-svn-id: https://develop.svn.wordpress.org/branches/5.7@50661 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/script-loader.php b/src/wp-includes/script-loader.php
@@ -2353,7 +2353,7 @@ function wp_sanitize_script_attributes( $attributes ) {
 	foreach ( $attributes as $attribute_name => $attribute_value ) {
 		if ( is_bool( $attribute_value ) ) {
 			if ( $attribute_value ) {
-				$attributes_string .= $html5_script_support ? sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_name ) ) : ' ' . $attribute_name;
+				$attributes_string .= $html5_script_support ? sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_name ) ) : ' ' . esc_attr( $attribute_name );
 			}
 		} else {
 			$attributes_string .= sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_value ) );

Original file line number	Diff line number	Diff line change
`@@ -2353,7 +2353,7 @@ function wp_sanitize_script_attributes( $attributes ) {`
`2353`	`2353`	`foreach ( $attributes as $attribute_name => $attribute_value ) {`
`2354`	`2354`	`if ( is_bool( $attribute_value ) ) {`
`2355`	`2355`	`if ( $attribute_value ) {`
`2356`		`- $attributes_string .= $html5_script_support ? sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_name ) ) : ' ' . $attribute_name;`
	`2356`	`+ $attributes_string .= $html5_script_support ? sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_name ) ) : ' ' . esc_attr( $attribute_name );`
`2357`	`2357`	`}`
`2358`	`2358`	`} else {`
`2359`	`2359`	`$attributes_string .= sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_value ) );`