Use more robust JSON flags

Author: westonruter

plugins/optimization-detective/detection.php

@@ -153,8 +153,14 @@ static function ( OD_URL_Metric_Group $group ): array {
 		sprintf(
 			"( %s )( %s, %s );\n//# sourceURL=%s",
 			file_get_contents( __DIR__ . '/' . od_get_asset_path( 'detect-loader.js' ) ), // phpcs:ignore WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents -- It's a local filesystem path not a remote request.
-			wp_json_encode( plugins_url( add_query_arg( 'ver', OPTIMIZATION_DETECTIVE_VERSION, od_get_asset_path( 'detect.js' ) ), __FILE__ ) ),
-			wp_json_encode( $detect_args ),
+			wp_json_encode(
+				add_query_arg(
+					array( 'ver' => OPTIMIZATION_DETECTIVE_VERSION ),
+					plugins_url( od_get_asset_path( 'detect.js' ), __FILE__ )
+				),
+				JSON_HEX_TAG | JSON_UNESCAPED_SLASHES
+			),
+			wp_json_encode( $detect_args, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
 			add_query_arg(
 				array( 'ver' => OPTIMIZATION_DETECTIVE_VERSION ),
 				plugins_url( od_get_asset_path( 'detect-loader.js' ), __FILE__ )

plugins/optimization-detective/optimization.php

@@ -122,7 +122,7 @@ function od_print_disabled_reasons( array $reasons ): void {
 		wp_print_inline_script_tag(
 			sprintf(
 				"console.info( %s );\n//# sourceURL=od-print-disabled-reasons-%d",
-				wp_json_encode( '[Optimization Detective] ' . $reason ),
+				wp_json_encode( '[Optimization Detective] ' . $reason, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
 				$i + 1
 			),
 			array( 'type' => 'module' )

plugins/optimization-detective/storage/class-od-rest-url-metrics-store-endpoint.php

@@ -232,7 +232,7 @@ public function handle_rest_request( WP_REST_Request $request ) {
 
 		// Limit JSON payload size to safeguard against clients sending possibly malicious payloads much larger than allowed.
 		$max_size       = od_get_maximum_url_metric_size();
-		$content_length = strlen( (string) wp_json_encode( $url_metric ) );
+		$content_length = strlen( (string) wp_json_encode( $url_metric, JSON_UNESCAPED_SLASHES ) ); // Flags match with \OD_URL_Metrics_Post_Type::update_post().
 		if ( $content_length > $max_size ) {
 			return new WP_Error(
 				'rest_content_too_large',

plugins/optimization-detective/storage/class-od-url-metrics-post-type.php

@@ -241,7 +241,7 @@ static function ( OD_URL_Metric $a, OD_URL_Metric $b ): int {
 
 		$post_data['post_content'] = wp_json_encode(
 			$url_metric_group_collection->get_flattened_url_metrics(),
-			JSON_UNESCAPED_SLASHES // No need for escaping slashes since this JSON is not embedded in HTML.
+			JSON_UNESCAPED_SLASHES // No need for escaping slashes or hex tags since this JSON is not embedded in HTML.
 		);
 		if ( ! is_string( $post_data['post_content'] ) ) {
 			return new WP_Error( 'json_encode_error', json_last_error_msg() );

plugins/optimization-detective/storage/data.php

@@ -117,6 +117,7 @@ function od_get_current_url(): string {
  * @return non-empty-string Slug.
  */
 function od_get_url_metrics_slug( array $query_vars ): string {
+	// TODO: The JSON_UNESCAPED_SLASHES flag could be used here, but beware this could invalidate URL Metrics. See <https://github.com/WordPress/performance/pull/1949>.
 	return md5( (string) wp_json_encode( $query_vars ) );
 }
 
@@ -238,6 +239,7 @@ static function ( $post ): ?array {
 	 */
 	$data = (array) apply_filters( 'od_current_url_metrics_etag_data', $data );
 
+	// TODO: The JSON_UNESCAPED_SLASHES flag could be used here.
 	return md5( (string) wp_json_encode( $data ) );
 }
 

plugins/optimization-detective/tests/test-detection.php

@@ -224,7 +224,7 @@ public function test_od_get_detection_script_returns_script( Closure $set_up, ar
 		$this->assertStringContainsString( '<script type="module">', $script );
 		$this->assertStringContainsString( 'async function load', $script );
 		foreach ( $expected_exports as $key => $value ) {
-			$this->assertStringContainsString( sprintf( '%s:%s', wp_json_encode( $key ), wp_json_encode( $value ) ), $script );
+			$this->assertStringContainsString( sprintf( '%s:%s', wp_json_encode( $key, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ), wp_json_encode( $value, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ) ), $script );
 		}
 		$this->assertStringContainsString( '"urlMetricHMAC":', $script );
 		$this->assertSame( 1, preg_match( '/"webVitalsLibrarySrc":("[^"]+?")/', $script, $matches ) );

plugins/speculation-rules/plugin-api.php

@@ -135,7 +135,7 @@ function plsr_print_speculation_rules(): void {
 	}
 
 	wp_print_inline_script_tag(
-		(string) wp_json_encode( plsr_get_speculation_rules() ),
+		(string) wp_json_encode( plsr_get_speculation_rules(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
 		array( 'type' => 'speculationrules' )
 	);
 }

plugins/view-transitions/includes/theme.php

@@ -352,7 +352,7 @@ function plvt_load_view_transitions(): void {
 
 	$init_script = sprintf(
 		'plvtInitViewTransitions( %s )',
-		wp_json_encode( $config, JSON_FORCE_OBJECT )
+		wp_json_encode( $config, JSON_FORCE_OBJECT | JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
 	);
 
 	/*

plugins/web-worker-offloading/helper.php

@@ -107,7 +107,7 @@ function plwwo_register_default_scripts( WP_Scripts $scripts ): void {
 		'web-worker-offloading',
 		sprintf(
 			'window.partytown = {...(window.partytown || {}), ...%s};',
-			wp_json_encode( plwwo_get_configuration() )
+			wp_json_encode( plwwo_get_configuration(), JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
 		),
 		'before'
 	);

plugins/web-worker-offloading/tests/test-web-worker-offloading.php

@@ -83,7 +83,7 @@ public function test_plwwo_register_default_scripts(): void {
 			$before_data
 		);
 		$this->assertStringContainsString(
-			wp_json_encode( $partytown_config ),
+			wp_json_encode( $partytown_config, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES ),
 			$before_data
 		);
 		$this->assertEquals( file_get_contents( $partytown_lib . 'partytown.js' ), $after_data );