Remove sanitizing JSON scripts in script sanitizer
westonruter committed Aug 17, 2021
1 parent c990f41 commit 1210af1
Showing 2 changed files with 6 additions and 17 deletions.
19 changes: 3 additions & 16 deletions includes/sanitizers/class-amp-script-sanitizer.php
Expand Up @@ -26,13 +26,6 @@ class AMP_Script_Sanitizer extends AMP_Base_Sanitizer {
*/
const CUSTOM_INLINE_SCRIPT = 'CUSTOM_INLINE_SCRIPT';

/**
* Error code for custom inline JSON script tag.
*
* @var string
*/
const CUSTOM_JSON_SCRIPT = 'CUSTOM_JSON_SCRIPT';

/**
* Error code for custom external JS script tag.
*
Expand Down Expand Up @@ -68,7 +61,7 @@ class AMP_Script_Sanitizer extends AMP_Base_Sanitizer {
* Array of flags used to control sanitization.
*
* @var array {
* @type bool $sanitize_scripts Whether to sanitize scripts (and not defer for final sanitizer).
* @type bool $sanitize_scripts Whether to sanitize JS scripts (and not defer for final sanitizer).
* @type bool $unwrap_noscripts Whether to unwrap noscript elements.
* }
*/
Expand Down Expand Up @@ -163,7 +156,7 @@ protected function unwrap_noscript_elements() {
* @since 2.2
*/
protected function sanitize_script_elements() {
$scripts = $this->dom->xpath->query( '//script[ not( @type ) or @type != "application/ld+json" ]' );
$scripts = $this->dom->xpath->query( '//script[ not( @type ) or not( contains( @type, "json" ) ) ]' );

/** @var Element $script */
foreach ( $scripts as $script ) {
Expand Down Expand Up @@ -192,15 +185,9 @@ protected function sanitize_script_elements() {
continue;
}

if ( $script->hasAttribute( Attribute::TYPE ) && false !== strpos( $script->getAttribute( Attribute::TYPE ), 'json' ) ) {
$code = self::CUSTOM_JSON_SCRIPT;
} else {
$code = self::CUSTOM_INLINE_SCRIPT;
}

$removed = $this->remove_invalid_child(
$script,
[ 'code' => $code ]
[ 'code' => self::CUSTOM_INLINE_SCRIPT ]
);
if ( ! $removed ) {
$script->setAttribute( DevMode::DEV_MODE_ATTRIBUTE, '' );
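Review bot: The XPath predicate added in sanitize_script_elements() recognises JSON scripts with a case-sensitive substring test, `contains( @type, "json" )`, so a data block typed `application/JSON` would still be selected and, judging from the visible tail of the loop, reported as CUSTOM_INLINE_SCRIPT. That errs toward removal rather than toward letting script through, so it is a correctness gap rather than an exposure; lower-casing the attribute in the query would close it: `not( contains( translate( @type, "JSON", "json" ), "json" ) )`. Every JSON-typed script now bypasses this sanitizer, and the updated test expectation suggests a later sanitizer decides their fate, so a comment above the query should record that, e.g. `// JSON data scripts are skipped here; a later sanitizer (presumably AMP_Tag_And_Attribute_Sanitizer) validates them in context.` The fixture in tests/php/test-amp-script-sanitizer.php uses only lower-case types, so adding a mixed-case one would pin whichever behaviour is intended. The function body starts before and continues past the hunks shown.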
4 changes: 3 additions & 1 deletion tests/php/test-amp-script-sanitizer.php
Expand Up @@ -86,19 +86,21 @@ public function get_sanitizer_data() {
<script>document.write("Hey.")</script>
<script type="application/json">{"data":1}</script>
<script type="application/ld+json">{"data":2}</script>
<amp-state id="test"><script type="application/json">{"data":3}</script></amp-state>
</body></html>
',
'
<html><head><meta charset="utf-8"></head><body>
<script type="application/ld+json">{"data":2}</script>
<amp-state id="test"><script type="application/json">{"data":3}</script></amp-state>
</body></html>
',
[
'sanitize_scripts' => true,
],
[
AMP_Script_Sanitizer::CUSTOM_INLINE_SCRIPT,
AMP_Script_Sanitizer::CUSTOM_JSON_SCRIPT,
AMP_Tag_And_Attribute_Sanitizer::DISALLOWED_TAG,
],
],
'external_scripts_removed' => [
