From db9c95a056175676c9315b0d6b893661e10d6eb0 Mon Sep 17 00:00:00 2001
From: Peter Wilson <peterwilsoncc@git.wordpress.org>
Date: Tue, 23 Feb 2021 01:58:21 +0000
Subject: [PATCH] Security: move Content-Security-Policy script loaders.

Move `wp_get_script_tag()`, `wp_print_script_tag()`, `wp_print_inline_script_tag()` and `wp_get_inline_script_tag()` functions from `functions.php` to `script-loader.php`.

Relocate related tests to `dependencies` sub-directory.

Follow up to [50167].
Props adamsilverstein, hellofromTonya, SergeyBiryukov.
Fixes #39941.


git-svn-id: https://develop.svn.wordpress.org/trunk@50409 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/functions.php                 | 120 ------------------
 src/wp-includes/script-loader.php             | 120 ++++++++++++++++++
 .../wpInlineScriptTag.php                     |   5 +-
 .../wpSanitizeScriptAttributes.php            |   4 +-
 .../wpScriptTag.php                           |   9 +-
 5 files changed, 135 insertions(+), 123 deletions(-)
 rename tests/phpunit/tests/{functions => dependencies}/wpInlineScriptTag.php (95%)
 rename tests/phpunit/tests/{functions => dependencies}/wpSanitizeScriptAttributes.php (97%)
 rename tests/phpunit/tests/{functions => dependencies}/wpScriptTag.php (94%)

diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
index 56f50ce2de..5935f781fb 100644
--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@@ -7866,123 +7866,3 @@ function is_php_version_compatible( $required ) {
 function wp_fuzzy_number_match( $expected, $actual, $precision = 1 ) {
 	return abs( (float) $expected - (float) $actual ) <= $precision;
 }
-
-/**
- * Sanitizes an attributes array into an attributes string to be placed inside a `<script>` tag.
- *
- * Automatically injects type attribute if needed.
- * Used by {@see wp_get_script_tag()} and {@see wp_get_inline_script_tag()}.
- *
- * @since 5.7.0
- *
- * @param array $attributes Key-value pairs representing `<script>` tag attributes.
- * @return string String made of sanitized `<script>` tag attributes.
- */
-function wp_sanitize_script_attributes( $attributes ) {
-	$html5_script_support = ! is_admin() && ! current_theme_supports( 'html5', 'script' );
-	$attributes_string    = '';
-
-	// If HTML5 script tag is supported, only the attribute name is added
-	// to $attributes_string for entries with a boolean value, and that are true.
-	foreach ( $attributes as $attribute_name => $attribute_value ) {
-		if ( is_bool( $attribute_value ) ) {
-			if ( $attribute_value ) {
-				$attributes_string .= $html5_script_support ? sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_name ) ) : ' ' . $attribute_name;
-			}
-		} else {
-			$attributes_string .= sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_value ) );
-		}
-	}
-
-	return $attributes_string;
-}
-
-/**
- * Formats `<script>` loader tags.
- *
- * It is possible to inject attributes in the `<script>` tag via the {@see 'wp_script_attributes'} filter.
- * Automatically injects type attribute if needed.
- *
- * @since 5.7.0
- *
- * @param array $attributes Key-value pairs representing `<script>` tag attributes.
- * @return string String containing `<script>` opening and closing tags.
- */
-function wp_get_script_tag( $attributes ) {
-	if ( ! isset( $attributes['type'] ) && ! is_admin() && ! current_theme_supports( 'html5', 'script' ) ) {
-		$attributes['type'] = 'text/javascript';
-	}
-	/**
-	 * Filters attributes to be added to a script tag.
-	 *
-	 * @since 5.7.0
-	 *
-	 * @param array $attributes Key-value pairs representing `<script>` tag attributes.
-	 *                          Only the attribute name is added to the `<script>` tag for
-	 *                          entries with a boolean value, and that are true.
-	 */
-	$attributes = apply_filters( 'wp_script_attributes', $attributes );
-
-	return sprintf( "<script%s></script>\n", wp_sanitize_script_attributes( $attributes ) );
-}
-
-/**
- * Prints formatted `<script>` loader tag.
- *
- * It is possible to inject attributes in the `<script>` tag via the  {@see 'wp_script_attributes'}  filter.
- * Automatically injects type attribute if needed.
- *
- * @since 5.7.0
- *
- * @param array $attributes Key-value pairs representing `<script>` tag attributes.
- */
-function wp_print_script_tag( $attributes ) {
-	echo wp_get_script_tag( $attributes );
-}
-
-/**
- * Wraps inline JavaScript in `<script>` tag.
- *
- * It is possible to inject attributes in the `<script>` tag via the  {@see 'wp_script_attributes'}  filter.
- * Automatically injects type attribute if needed.
- *
- * @since 5.7.0
- *
- * @param string $javascript Inline JavaScript code.
- * @param array  $attributes  Optional. Key-value pairs representing `<script>` tag attributes.
- * @return string String containing inline JavaScript code wrapped around `<script>` tag.
- */
-function wp_get_inline_script_tag( $javascript, $attributes = array() ) {
-	if ( ! isset( $attributes['type'] ) && ! is_admin() && ! current_theme_supports( 'html5', 'script' ) ) {
-		$attributes['type'] = 'text/javascript';
-	}
-	/**
-	 * Filters attributes to be added to a script tag.
-	 *
-	 * @since 5.7.0
-	 *
-	 * @param array $attributes Key-value pairs representing `<script>` tag attributes.
-	 *                          Only the attribute name is added to the `<script>` tag for
-	 *                          entries with a boolean value, and that are true.
-	 */
-	$attributes = apply_filters( 'wp_inline_script_attributes', $attributes, $javascript );
-
-	$javascript = "\n" . trim( $javascript, "\n\r " ) . "\n";
-
-	return sprintf( "<script%s>%s</script>\n", wp_sanitize_script_attributes( $attributes ), $javascript );
-}
-
-/**
- * Prints inline JavaScript wrapped in `<script>` tag.
- *
- * It is possible to inject attributes in the `<script>` tag via the  {@see 'wp_script_attributes'}  filter.
- * Automatically injects type attribute if needed.
- *
- * @since 5.7.0
- *
- * @param string $javascript Inline JavaScript code.
- * @param array  $attributes Optional. Key-value pairs representing `<script>` tag attributes.
- */
-function wp_print_inline_script_tag( $javascript, $attributes = array() ) {
-	echo wp_get_inline_script_tag( $javascript, $attributes );
-}
diff --git a/src/wp-includes/script-loader.php b/src/wp-includes/script-loader.php
index 5df55e831d..c47a54429c 100644
--- a/src/wp-includes/script-loader.php
+++ b/src/wp-includes/script-loader.php
@@ -2332,3 +2332,123 @@ function wp_enqueue_editor_block_directory_assets() {
 	wp_enqueue_script( 'wp-block-directory' );
 	wp_enqueue_style( 'wp-block-directory' );
 }
+
+/**
+ * Sanitizes an attributes array into an attributes string to be placed inside a `<script>` tag.
+ *
+ * Automatically injects type attribute if needed.
+ * Used by {@see wp_get_script_tag()} and {@see wp_get_inline_script_tag()}.
+ *
+ * @since 5.7.0
+ *
+ * @param array $attributes Key-value pairs representing `<script>` tag attributes.
+ * @return string String made of sanitized `<script>` tag attributes.
+ */
+function wp_sanitize_script_attributes( $attributes ) {
+	$html5_script_support = ! is_admin() && ! current_theme_supports( 'html5', 'script' );
+	$attributes_string    = '';
+
+	// If HTML5 script tag is supported, only the attribute name is added
+	// to $attributes_string for entries with a boolean value, and that are true.
+	foreach ( $attributes as $attribute_name => $attribute_value ) {
+		if ( is_bool( $attribute_value ) ) {
+			if ( $attribute_value ) {
+				$attributes_string .= $html5_script_support ? sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_name ) ) : ' ' . $attribute_name;
+			}
+		} else {
+			$attributes_string .= sprintf( ' %1$s="%2$s"', esc_attr( $attribute_name ), esc_attr( $attribute_value ) );
+		}
+	}
+
+	return $attributes_string;
+}
+
+/**
+ * Formats `<script>` loader tags.
+ *
+ * It is possible to inject attributes in the `<script>` tag via the {@see 'wp_script_attributes'} filter.
+ * Automatically injects type attribute if needed.
+ *
+ * @since 5.7.0
+ *
+ * @param array $attributes Key-value pairs representing `<script>` tag attributes.
+ * @return string String containing `<script>` opening and closing tags.
+ */
+function wp_get_script_tag( $attributes ) {
+	if ( ! isset( $attributes['type'] ) && ! is_admin() && ! current_theme_supports( 'html5', 'script' ) ) {
+		$attributes['type'] = 'text/javascript';
+	}
+	/**
+	 * Filters attributes to be added to a script tag.
+	 *
+	 * @since 5.7.0
+	 *
+	 * @param array $attributes Key-value pairs representing `<script>` tag attributes.
+	 *                          Only the attribute name is added to the `<script>` tag for
+	 *                          entries with a boolean value, and that are true.
+	 */
+	$attributes = apply_filters( 'wp_script_attributes', $attributes );
+
+	return sprintf( "<script%s></script>\n", wp_sanitize_script_attributes( $attributes ) );
+}
+
+/**
+ * Prints formatted `<script>` loader tag.
+ *
+ * It is possible to inject attributes in the `<script>` tag via the  {@see 'wp_script_attributes'}  filter.
+ * Automatically injects type attribute if needed.
+ *
+ * @since 5.7.0
+ *
+ * @param array $attributes Key-value pairs representing `<script>` tag attributes.
+ */
+function wp_print_script_tag( $attributes ) {
+	echo wp_get_script_tag( $attributes );
+}
+
+/**
+ * Wraps inline JavaScript in `<script>` tag.
+ *
+ * It is possible to inject attributes in the `<script>` tag via the  {@see 'wp_script_attributes'}  filter.
+ * Automatically injects type attribute if needed.
+ *
+ * @since 5.7.0
+ *
+ * @param string $javascript Inline JavaScript code.
+ * @param array  $attributes  Optional. Key-value pairs representing `<script>` tag attributes.
+ * @return string String containing inline JavaScript code wrapped around `<script>` tag.
+ */
+function wp_get_inline_script_tag( $javascript, $attributes = array() ) {
+	if ( ! isset( $attributes['type'] ) && ! is_admin() && ! current_theme_supports( 'html5', 'script' ) ) {
+		$attributes['type'] = 'text/javascript';
+	}
+	/**
+	 * Filters attributes to be added to a script tag.
+	 *
+	 * @since 5.7.0
+	 *
+	 * @param array $attributes Key-value pairs representing `<script>` tag attributes.
+	 *                          Only the attribute name is added to the `<script>` tag for
+	 *                          entries with a boolean value, and that are true.
+	 */
+	$attributes = apply_filters( 'wp_inline_script_attributes', $attributes, $javascript );
+
+	$javascript = "\n" . trim( $javascript, "\n\r " ) . "\n";
+
+	return sprintf( "<script%s>%s</script>\n", wp_sanitize_script_attributes( $attributes ), $javascript );
+}
+
+/**
+ * Prints inline JavaScript wrapped in `<script>` tag.
+ *
+ * It is possible to inject attributes in the `<script>` tag via the  {@see 'wp_script_attributes'}  filter.
+ * Automatically injects type attribute if needed.
+ *
+ * @since 5.7.0
+ *
+ * @param string $javascript Inline JavaScript code.
+ * @param array  $attributes Optional. Key-value pairs representing `<script>` tag attributes.
+ */
+function wp_print_inline_script_tag( $javascript, $attributes = array() ) {
+	echo wp_get_inline_script_tag( $javascript, $attributes );
+}
diff --git a/tests/phpunit/tests/functions/wpInlineScriptTag.php b/tests/phpunit/tests/dependencies/wpInlineScriptTag.php
similarity index 95%
rename from tests/phpunit/tests/functions/wpInlineScriptTag.php
rename to tests/phpunit/tests/dependencies/wpInlineScriptTag.php
index a6dcc83e2c..d2c2185d48 100644
--- a/tests/phpunit/tests/functions/wpInlineScriptTag.php
+++ b/tests/phpunit/tests/dependencies/wpInlineScriptTag.php
@@ -3,7 +3,10 @@
 /**
  * Test wp_get_inline_script_tag() and wp_print_inline_script_tag().
  *
- * @group functions.php
+ * @group dependencies
+ * @group scripts
+ * @covers ::wp_get_inline_script_tag
+ * @covers ::wp_print_inline_script_tag
  */
 class Tests_Functions_wpInlineScriptTag extends WP_UnitTestCase {
 
diff --git a/tests/phpunit/tests/functions/wpSanitizeScriptAttributes.php b/tests/phpunit/tests/dependencies/wpSanitizeScriptAttributes.php
similarity index 97%
rename from tests/phpunit/tests/functions/wpSanitizeScriptAttributes.php
rename to tests/phpunit/tests/dependencies/wpSanitizeScriptAttributes.php
index dd060ebd5d..47432d35e3 100644
--- a/tests/phpunit/tests/functions/wpSanitizeScriptAttributes.php
+++ b/tests/phpunit/tests/dependencies/wpSanitizeScriptAttributes.php
@@ -3,7 +3,9 @@
 /**
  * Test wp_sanitize_script_attributes().
  *
- * @group functions.php
+ * @group dependencies
+ * @group scripts
+ * @covers ::wp_sanitize_script_attributes
  */
 class Tests_Functions_wpSanitizeScriptAttributes extends WP_UnitTestCase {
 
diff --git a/tests/phpunit/tests/functions/wpScriptTag.php b/tests/phpunit/tests/dependencies/wpScriptTag.php
similarity index 94%
rename from tests/phpunit/tests/functions/wpScriptTag.php
rename to tests/phpunit/tests/dependencies/wpScriptTag.php
index 3c451f5359..ba80c8cabf 100644
--- a/tests/phpunit/tests/functions/wpScriptTag.php
+++ b/tests/phpunit/tests/dependencies/wpScriptTag.php
@@ -3,7 +3,8 @@
 /**
  * Test wp_get_script_tag() and wp_print_script_tag().
  *
- * @group functions.php
+ * @group dependencies
+ * @group scripts
  */
 class Tests_Functions_wpScriptTag extends WP_UnitTestCase {
 
@@ -37,6 +38,9 @@ class Tests_Functions_wpScriptTag extends WP_UnitTestCase {
 		);
 	}
 
+	/**
+	 * @covers ::wp_get_script_tag
+	 */
 	function test_get_script_tag_type_not_set() {
 		add_theme_support( 'html5', array( 'script' ) );
 
@@ -54,6 +58,9 @@ class Tests_Functions_wpScriptTag extends WP_UnitTestCase {
 		remove_theme_support( 'html5' );
 	}
 
+	/**
+	 * @covers ::wp_print_script_tag
+	 */
 	function test_print_script_tag_prints_get_script_tag() {
 		add_filter(
 			'wp_script_attributes',