From 1210af18c7151cccd415cc538c66c6ce9ecce6f4 Mon Sep 17 00:00:00 2001
From: Weston Ruter
Date: Mon, 16 Aug 2021 18:23:13 -0700
Subject: [PATCH] Remove sanitizing JSON scripts in script sanitizer

---
 .../sanitizers/class-amp-script-sanitizer.php | 19 +++----------------
 tests/php/test-amp-script-sanitizer.php | 4 +++-
 2 files changed, 6 insertions(+), 17 deletions(-)

diff --git a/includes/sanitizers/class-amp-script-sanitizer.php b/includes/sanitizers/class-amp-script-sanitizer.php
index 64a2a1c068f..c58a83d8dc0 100644
--- a/includes/sanitizers/class-amp-script-sanitizer.php
+++ b/includes/sanitizers/class-amp-script-sanitizer.php
@@ -26,13 +26,6 @@ class AMP_Script_Sanitizer extends AMP_Base_Sanitizer {
 */
 const CUSTOM_INLINE_SCRIPT = 'CUSTOM_INLINE_SCRIPT';
 
- /**
- * Error code for custom inline JSON script tag.
- *
- * @var string
- */
- const CUSTOM_JSON_SCRIPT = 'CUSTOM_JSON_SCRIPT';
-
 /**
 * Error code for custom external JS script tag.
 *
@@ -68,7 +61,7 @@ class AMP_Script_Sanitizer extends AMP_Base_Sanitizer {
 * Array of flags used to control sanitization.
 *
 * @var array {
- * @type bool $sanitize_scripts Whether to sanitize scripts (and not defer for final sanitizer).
+ * @type bool $sanitize_scripts Whether to sanitize JS scripts (and not defer for final sanitizer).
 * @type bool $unwrap_noscripts Whether to unwrap noscript elements.
 * }
 */
@@ -163,7 +156,7 @@ protected function unwrap_noscript_elements() {
 * @since 2.2
 */
 protected function sanitize_script_elements() {
- $scripts = $this->dom->xpath->query( '//script[ not( @type ) or @type != "application/ld+json" ]' );
+ $scripts = $this->dom->xpath->query( '//script[ not( @type ) or not( contains( @type, "json" ) ) ]' );
 
 /** @var Element $script */
 foreach ( $scripts as $script ) {
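Review bot: The new XPath predicate `not( contains( @type, "json" ) )` in sanitize_script_elements() exempts a script on a case-sensitive substring of `type` rather than on its MIME type, so any value that merely contains `json` is skipped here, while `application/JSON` is still handled as a JS script. Skipped elements are then validated only by the later tag-and-attribute pass (the updated test expects `AMP_Tag_And_Attribute_Sanitizer::DISALLOWED_TAG`), and the method should state that dependency, e.g. `// Scripts whose type contains "json" are left for AMP_Tag_And_Attribute_Sanitizer to validate.` above the query. If case-insensitive matching is intended, `contains( translate( @type, "JSON", "json" ), "json" )` works in XPath 1.0, and test cases for an upper-case type and for a type carrying parameters would pin the behaviour. The body of sanitize_script_elements() continues outside the hunk.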
@@ -192,15 +185,9 @@ protected function sanitize_script_elements() { continue; } - if ( $script->hasAttribute( Attribute::TYPE ) && false !== strpos( $script->getAttribute( Attribute::TYPE ), 'json' ) ) { - $code = self::CUSTOM_JSON_SCRIPT; - } else { - $code = self::CUSTOM_INLINE_SCRIPT; - } - $removed = $this->remove_invalid_child( $script, - [ 'code' => $code ] + [ 'code' => self::CUSTOM_INLINE_SCRIPT ] ); if ( ! $removed ) { $script->setAttribute( DevMode::DEV_MODE_ATTRIBUTE, '' ); diff --git a/tests/php/test-amp-script-sanitizer.php b/tests/php/test-amp-script-sanitizer.php index 7136530f5c3..97fc238b55b 100644 --- a/tests/php/test-amp-script-sanitizer.php +++ b/tests/php/test-amp-script-sanitizer.php @@ -86,11 +86,13 @@ public function get_sanitizer_data() { + ', ' + ', [ @@ -98,7 +100,7 @@ public function get_sanitizer_data() { ], [ AMP_Script_Sanitizer::CUSTOM_INLINE_SCRIPT, - AMP_Script_Sanitizer::CUSTOM_JSON_SCRIPT, + AMP_Tag_And_Attribute_Sanitizer::DISALLOWED_TAG, ], ], 'external_scripts_removed' => [