Validate module_dependencies in WP_Scripts::add_data()

westonruter · sirreal · gemini-code-assist[bot] · westonruter · commit b45082629c3a · 2026-01-30T14:10:57.000-08:00
Ensures that the 'module_dependencies' value is an array of strings. Non-array values trigger a _doing_it_wrong() notice and return false, while non-string items within an array are stripped with a notice.

Co-authored-by: Jon Surrell &lt;jonsurrell@git.wordpress.org&gt;
Co-authored-by: gemini-code-assist[bot] &lt;176961590+gemini-code-assist[bot]@users.noreply.github.com&gt;
diff --git a/src/wp-includes/class-wp-scripts.php b/src/wp-includes/class-wp-scripts.php
@@ -920,6 +920,45 @@ public function add_data( $handle, $key, $value ) {
 				);
 				return false;
 			}
+		} elseif ( 'module_dependencies' === $key ) {
+			if ( ! is_array( $value ) ) {
+				_doing_it_wrong(
+					__METHOD__,
+					sprintf(
+						/* translators: 1: 'module_dependencies', 2: Script handle. */
+						__( 'The value for "%1$s" must be an array for the "%2$s" script.' ),
+						'module_dependencies',
+						$handle
+					),
+					'7.0.0'
+				);
+				return false;
+			}
+
+			$sanitized_value = array();
+			$has_invalid_ids = false;
+			foreach ( $value as $id ) {
+				if ( ! is_string( $id ) ) {
+					$has_invalid_ids = true;
+				} else {
+					$sanitized_value[] = $id;
+				}
+			}
+
+			if ( $has_invalid_ids ) {
+				_doing_it_wrong(
+					__METHOD__,
+					sprintf(
+						/* translators: 1: Script handle, 2: 'module_dependencies' */
+						__( 'The script handle "%1$s" has one or more of its script module dependencies ("%2$s") which are not strings.' ),
+						$handle,
+						'module_dependencies'
+					),
+					'7.0.0'
+				);
+			}
+
+			$value = $sanitized_value;
 		}
 		return parent::add_data( $handle, $key, $value );
 	}
diff --git a/tests/phpunit/tests/dependencies/scripts.php b/tests/phpunit/tests/dependencies/scripts.php
@@ -1277,6 +1277,58 @@ public function test_invalid_fetchpriority_on_alias() {
 		$this->assertArrayNotHasKey( 'fetchpriority', wp_scripts()->registered['alias']->extra );
 	}
 
+	/**
+	 * Tests validation of module_dependencies in WP_Scripts::add_data().
+	 *
+	 * @ticket 61500
+	 *
+	 * @covers WP_Scripts::add_data
+	 *
+	 * @dataProvider data_add_data_module_dependencies_validation
+	 *
+	 * @param mixed      $data     Data to add.
+	 * @param string     $message  Expected error message.
+	 * @param bool       $expected Expected return value.
+	 * @param array|null $stored   Expected stored value.
+	 */
+	public function test_add_data_module_dependencies_validation( $data, string $message, bool $expected, ?array $stored ) {
+		wp_register_script( 'test-script', '/test.js' );
+
+		$expected_incorrect_usage = 'WP_Scripts::add_data';
+		$this->setExpectedIncorrectUsage( $expected_incorrect_usage );
+
+		$this->assertSame( $expected, wp_scripts()->add_data( 'test-script', 'module_dependencies', $data ) );
+		$this->assertStringContainsString( $message, $this->caught_doing_it_wrong[ $expected_incorrect_usage ] );
+
+		if ( null === $stored ) {
+			$this->assertFalse( wp_scripts()->get_data( 'test-script', 'module_dependencies' ) );
+		} else {
+			$this->assertSame( $stored, wp_scripts()->get_data( 'test-script', 'module_dependencies' ) );
+		}
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array<string, array{data: mixed, message: string, expected: bool, stored: string[]|null}>
+	 */
+	public function data_add_data_module_dependencies_validation(): array {
+		return array(
+			'non-array' => array(
+				'data'     => 'not-an-array',
+				'message'  => 'The value for "module_dependencies" must be an array',
+				'expected' => false,
+				'stored'   => null,
+			),
+			'bad-items' => array(
+				'data'     => array( 'valid', 123, true, array() ),
+				'message'  => 'has script module dependencies ("module_dependencies") that are not strings and have been removed',
+				'expected' => true,
+				'stored'   => array( 'valid' ),
+			),
+		);
+	}
+
 	/**
 	 * Data provider.
 	 *
