diff --git a/src/wp-includes/block-editor.php b/src/wp-includes/block-editor.php index 2bd9f2dfbf050..3c0ccdaa4b587 100644 --- a/src/wp-includes/block-editor.php +++ b/src/wp-includes/block-editor.php @@ -766,7 +766,7 @@ function block_editor_rest_api_preload( array $preload_paths, $block_editor_cont 'wp-api-fetch', sprintf( 'wp.apiFetch.use( wp.apiFetch.createPreloadingMiddleware( %s ) );', - wp_json_encode( $preload_data ) + wp_json_encode( $preload_data, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ), 'after' ); diff --git a/tests/phpunit/tests/blocks/editor.php b/tests/phpunit/tests/blocks/editor.php index 838137fa76f0d..97d18d89529e3 100644 --- a/tests/phpunit/tests/blocks/editor.php +++ b/tests/phpunit/tests/blocks/editor.php @@ -9,7 +9,6 @@ * @group blocks */ class Tests_Blocks_Editor extends WP_UnitTestCase { - /** * Sets up each test method. */ @@ -631,8 +630,8 @@ function filter_add_preload_paths( $preload_paths, WP_Block_Editor_Context $cont $after = implode( '', wp_scripts()->registered['wp-api-fetch']->extra['after'] ); $this->assertStringContainsString( 'wp.apiFetch.createPreloadingMiddleware', $after ); - $this->assertStringContainsString( '"\/wp\/v2\/blocks"', $after ); - $this->assertStringContainsString( '"\/wp\/v2\/types"', $after ); + $this->assertStringContainsString( '"/wp/v2/blocks"', $after ); + $this->assertStringContainsString( '"/wp/v2/types"', $after ); } /** @@ -697,11 +696,11 @@ public function data_block_editor_rest_api_preload_adds_missing_leading_slash() return array( 'a string without a slash' => array( 'preload_paths' => array( 'wp/v2/blocks' ), - 'expected' => '\/wp\/v2\/blocks', + 'expected' => '/wp/v2/blocks', ), 'a string with a slash' => array( 'preload_paths' => array( '/wp/v2/blocks' ), - 'expected' => '\/wp\/v2\/blocks', + 'expected' => '/wp/v2/blocks', ), 'a string starting with a question mark' => array( 'preload_paths' => array( '?context=edit' ), 
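Review bot: The new flags on the `wp_json_encode()` call in `block_editor_rest_api_preload()` (src/wp-includes/block-editor.php) have no comment, and they are not independent: `JSON_UNESCAPED_SLASHES` drops the default `\/` escaping, so the inline script is safe to embed only because `JSON_HEX_TAG` encodes `<` and `>`. A later edit that removes `JSON_HEX_TAG` but keeps the slash flag would let a literal `</script>` from preloaded REST data reach the page. I would add above the call: `// JSON_HEX_TAG keeps '<' and '>' out of the inline script; JSON_UNESCAPED_SLASHES is safe only together with it.` The function starts and ends outside this hunk, so whether `$preload_data` is filtered earlier is not visible here.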
@@ -709,16 +708,63 @@ public function data_block_editor_rest_api_preload_adds_missing_leading_slash() ), 'an array with a string without a slash' => array( 'preload_paths' => array( array( 'wp/v2/blocks', 'OPTIONS' ) ), - 'expected' => '\/wp\/v2\/blocks', + 'expected' => '/wp/v2/blocks', ), 'an array with a string with a slash' => array( 'preload_paths' => array( array( '/wp/v2/blocks', 'OPTIONS' ) ), - 'expected' => '\/wp\/v2\/blocks', + 'expected' => '/wp/v2/blocks', ), 'an array with a string starting with a question mark' => array( 'preload_paths' => array( array( '?context=edit', 'OPTIONS' ) ), - 'expected' => '\/?context=edit', + 'expected' => '/?context=edit', ), ); } + + /** + * @ticket 62797 + * + * @covers ::block_editor_rest_api_preload + * + * Some valid JSON-encoded data is dangerous to embed in HTML without appropriate + * escaping. This test includes an example of data that would prevent the enclosing + * `` tag from closing on its apparent closer and remain open. + */ + public function test_ensure_preload_data_script_tag_closes() { + add_theme_support( 'html5', array( 'script' ) ); + register_rest_route( + 'test/v0', + 'test-62797', + array( + 'methods' => 'GET', + 'callback' => function () { + return 'Unclosed comment and a script open tag