From 03af8a6e9198ecf919764227eb673047f2790e06 Mon Sep 17 00:00:00 2001 From: desrosj Date: Fri, 11 Nov 2022 02:28:13 +0000 Subject: [PATCH] Media: Prevent decoding attribute corrupting JSON data. Workaround `wp_img_tag_add_decoding_attr()` potentially breaking JavaScript and JSON data by limiting the addition of the decoding attribute to image tags using unescaped double quoted attributes `src` attributes. Props rodricus, TimothyBlynJacobs, joelmadigan, mw108, adamsilverstein, flixos90, desrosj, mukesh27, peterwilsoncc. Merges [54802] to the 6.1 branch. Fixes #56969. Built from https://develop.svn.wordpress.org/branches/6.1@54807 git-svn-id: http://core.svn.wordpress.org/branches/6.1@54359 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/media.php | 6 ++++++ wp-includes/version.php | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/wp-includes/media.php b/wp-includes/media.php index bfd71cdcb3..804a34f6ac 100644 --- a/wp-includes/media.php +++ b/wp-includes/media.php @@ -1962,6 +1962,12 @@ function wp_img_tag_add_loading_attr( $image, $context ) { * @return string Converted `img` tag with `decoding` attribute added. */ function wp_img_tag_add_decoding_attr( $image, $context ) { + // Only apply the decoding attribute to images that have a src attribute that + // starts with a double quote, ensuring escaped JSON is also excluded. + if ( false === strpos( $image, ' src="' ) ) { + return $image; + } + /** * Filters the `decoding` attribute value to add to an image. Default `async`. * diff --git a/wp-includes/version.php b/wp-includes/version.php index f6aa7808a3..d9579c03ba 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -16,7 +16,7 @@ * * @global string $wp_version */ -$wp_version = '6.1.1-alpha-54806'; +$wp_version = '6.1.1-alpha-54807'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.