Plugins: Ensure proper flags are used with json_encode()

projects/plugins/automattic-for-agencies-client/changelog/fix-audit_json_encode_flags_part_trois

@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Ensure proper flags are used with `json_encode()`.

projects/plugins/automattic-for-agencies-client/src/class-automattic-for-agencies-client.php

@@ -125,7 +125,7 @@ public static function enqueue_admin_scripts() {
 	 * @return string
 	 */
 	private static function render_initial_state() {
-		return 'var automatticForAgenciesClientInitialState=JSON.parse(decodeURIComponent("' . rawurlencode( wp_json_encode( static::initial_state() ) ) . '"));';
+		return 'var automatticForAgenciesClientInitialState=' . wp_json_encode( static::initial_state(), JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ) . ';';
 	}
 
 	/**

projects/plugins/boost/app/lib/class-cli.php

@@ -68,13 +68,13 @@ public function module( $args ) {
 
 		if ( $module_slug === null ) {
 			/* translators: Placeholder is list of available modules. */
-			\WP_CLI::error( sprintf( __( 'Please specify a valid module. It should be one of %s', 'jetpack-boost' ), wp_json_encode( self::MAKE_E2E_TESTS_WORK_MODULES ) ) );
+			\WP_CLI::error( sprintf( __( 'Please specify a valid module. It should be one of %s', 'jetpack-boost' ), wp_json_encode( self::MAKE_E2E_TESTS_WORK_MODULES, JSON_UNESCAPED_SLASHES ) ) );
 		}
 
 		if ( ! in_array( $module_slug, self::MAKE_E2E_TESTS_WORK_MODULES, true ) ) {
 			\WP_CLI::error(
 				/* translators: %1$s refers to the module slug like 'critical-css', %2$s is the list of available modules. */
-				sprintf( __( "The '%1\$s' module slug is invalid. It should be one of %2\$s", 'jetpack-boost' ), $module_slug, wp_json_encode( self::MAKE_E2E_TESTS_WORK_MODULES ) )
+				sprintf( __( "The '%1\$s' module slug is invalid. It should be one of %2\$s", 'jetpack-boost' ), $module_slug, wp_json_encode( self::MAKE_E2E_TESTS_WORK_MODULES, JSON_UNESCAPED_SLASHES ) )
 			);
 		}
 

projects/plugins/boost/app/lib/minify/class-utils.php

@@ -23,17 +23,19 @@ public function __construct( $use_wp = true ) {
 	/**
 	 * Encodes a value to JSON.
 	 *
-	 * @param mixed $value The value to encode.
+	 * @param mixed $value   The value to encode.
+	 * @param int   $flags   Options to be passed to json_encode(). Default 0.
+	 * @param int   $depth   Maximum depth to walk through $value. Must be greater than 0.
 	 *
-	 * @return string The JSON-encoded string.
+	 * @return string|false The JSON-encoded string, or false on failure.
 	 */
-	public function json_encode( $value ) {
+	public function json_encode( $value, $flags = 0, $depth = 512 ) {
 		if ( $this->use_wp ) {
-			return wp_json_encode( $value );
+			return wp_json_encode( $value, $flags, $depth );
 		}
 
 		// phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
-		return json_encode( $value );
+		return json_encode( $value, $flags, $depth );
 	}
 
 	/**

projects/plugins/boost/app/lib/minify/functions-service-fallback.php

@@ -98,7 +98,7 @@ function jetpack_boost_page_optimize_service_request() {
 		// phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_file_put_contents
 		file_put_contents( $cache_file, $content );
 		// phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_file_put_contents
-		file_put_contents( $cache_file_meta, wp_json_encode( array( 'headers' => $headers ) ) );
+		file_put_contents( $cache_file_meta, wp_json_encode( array( 'headers' => $headers ), JSON_UNESCAPED_SLASHES ) );
 	}
 
 	die( 0 );

projects/plugins/boost/app/modules/optimizations/cloud-css/class-cloud-css.php

@@ -172,7 +172,12 @@ public function generate_cloud_css( $reason, $providers = array() ) {
 			'providers'     => $grouped_urls,
 			'successRatios' => $grouped_ratios,
 		);
-		$payload['requestId'] = md5( wp_json_encode( $payload ) . time() );
+		$payload['requestId'] = md5(
+			wp_json_encode(
+				$payload,
+				0 // No `json_encode()` flags because this needs to match whatever is calculating the hash on the other end.
+			) . time()
+		);
 		$payload['reason']    = $reason;
 		return Boost_API::post( 'cloud-css', $payload );
 	}

projects/plugins/boost/app/modules/optimizations/lcp/class-lcp-analyzer.php

@@ -97,7 +97,12 @@ protected function get_cornerstone_pages() {
 	private function analyze_pages( $pages ) {
 		$payload = array(
 			'pages'     => $pages,
-			'requestId' => md5( wp_json_encode( $pages ) ),
+			'requestId' => md5(
+				wp_json_encode(
+					$pages,
+					0 // No `json_encode()` flags because this needs to match whatever is calculating the hash on the other end.
+				)
+			),
 		);
 		return Boost_API::post( 'lcp', $payload );
 	}

projects/plugins/boost/app/modules/optimizations/page-cache/pre-wordpress/class-boost-cache-settings.php

@@ -182,7 +182,10 @@ public function set( $settings ) {
 
 		$this->settings = array_merge( $this->settings, $settings );
 
-		$contents = "<?php die();\n/*\n * Configuration data for Jetpack Boost Cache. Do not edit.\n" . json_encode( $this->settings ) . "\n */"; // phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
+		$contents = "<?php die();\n/*\n * Configuration data for Jetpack Boost Cache. Do not edit.\n" . json_encode( // phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
+			$this->settings,
+			JSON_HEX_TAG // Need to escape slashes because this is, for some reason, going into a PHP comment and we need to guard against `*/`.
+		) . "\n */";
 		$result   = Filesystem_Utils::write_to_file( $this->config_file, $contents );
 		if ( $result instanceof Boost_Cache_Error ) {
 			Logger::debug( $result->get_error_message() );

projects/plugins/boost/app/modules/optimizations/page-cache/pre-wordpress/class-filesystem-utils.php

@@ -124,7 +124,12 @@ public static function get_request_filename( $parameters ) {
 		 */
 		$key_components = apply_filters_deprecated( 'boost_cache_key_components', array( $parameters ), '3.8.0', 'jetpack_boost_cache_parameters' );
 
-		return md5( json_encode( $key_components ) ) . '.html'; // phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
+		return md5(
+			json_encode( // phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
+				$key_components,
+				0 // No `json_encode()` flags because this needs to match whatever is calculating the hash on the other end.
+			)
+		) . '.html';
 	}
 
 	/**

projects/plugins/boost/app/modules/optimizations/page-cache/pre-wordpress/class-logger.php

@@ -120,7 +120,8 @@ public function log( $message ) {
 				'uri'  => $request_uri,
 				'msg'  => $message,
 				'uid'  => uniqid(), // Uniquely identify this log line.
-			)
+			),
+			JSON_UNESCAPED_SLASHES
 		);
 
 		// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log

projects/plugins/boost/changelog/fix-audit_json_encode_flags_part_trois

@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Ensure proper flags are used with `json_encode()`.

projects/plugins/boost/tests/e2e/plugins/e2e-mock-speed-score-api.php

@@ -76,7 +76,7 @@ function e2e_mock_speed_score_api_response( $body ) {
 		'response' => array(
 			'code' => 200,
 		),
-		'body'     => wp_json_encode( $body ),
+		'body'     => wp_json_encode( $body, JSON_UNESCAPED_SLASHES ),
 	);
 }
 

projects/plugins/boost/tests/php/modules/optimizations/page-cache/Filesystem_Utils_Test.php

@@ -63,7 +63,6 @@ public function test_get_request_filename() {
 
 		$filename = Filesystem_Utils::get_request_filename( $parameters );
 		$this->assertIsString( $filename );
-		$this->assertEquals( 32, strlen( md5( json_encode( $parameters ) ) ) );
 		$this->assertStringEndsWith( '.html', $filename );
 	}
 

projects/plugins/classic-theme-helper-plugin/changelog/fix-audit_json_encode_flags_part_trois

@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Ensure proper flags are used with `json_encode()`.

projects/plugins/classic-theme-helper-plugin/src/class-classic-theme-helper-plugin.php

@@ -52,7 +52,7 @@ public function enqueue_admin_scripts() {
 	 * @return string
 	 */
 	public function render_initial_state() {
-		return 'var jetpackClassicThemeHelperPluginInitialState=JSON.parse(decodeURIComponent("' . rawurlencode( wp_json_encode( $this->initial_state() ) ) . '"));';
+		return 'var jetpackClassicThemeHelperPluginInitialState=' . wp_json_encode( $this->initial_state(), JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ) . ';';
 	}
 
 	/**

projects/plugins/debug-helper/changelog/fix-audit_json_encode_flags_part_trois

@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Ensure proper flags are used with `json_encode()`.

projects/plugins/debug-helper/modules/class-xmlrpc-logger.php

@@ -235,14 +235,14 @@ public function pretty_print_xml( $xml ) {
 	public function convert_xml_rpc_to_json( $xml ) {
 		// Convert SimpleXML object to an array
 		// phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode, WordPress.WP.AlternativeFunctions.json_decode_json_decode
-		$array = json_decode( json_encode( (array) $xml ), true );
+		$array = json_decode( json_encode( (array) $xml, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE ), true );
 
 		// Recursively clean up the array from empty arrays and objects
 		$array = $this->recursive_array_clean( $array );
 
 		// Convert the array to a JSON string
 		// phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
-		return json_encode( $array, JSON_PRETTY_PRINT );
+		return json_encode( $array, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT );
 	}
 
 	/**

projects/plugins/inspect/app/Log.php

@@ -33,7 +33,7 @@ public static function insert( $url, $data ) {
 			'post_title'   => $url,
 			'post_name'    => uniqid( 'jetpack_inspect_log_', true ),
 			'post_status'  => 'publish',
-			'post_content' => base64_encode( wp_json_encode( $data ) ), // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
+			'post_content' => base64_encode( wp_json_encode( $data, JSON_UNESCAPED_SLASHES ) ), // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
 		);
 
 		wp_insert_post( $data_post_data );

projects/plugins/inspect/changelog/fix-audit_json_encode_flags_part_trois

@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Ensure proper flags are used with `json_encode()`.

projects/plugins/jetpack/3rd-party/debug-bar/class-jetpack-search-debug-bar.php

@@ -182,9 +182,9 @@ public function render_json_toggle( $value ) {
 				// bar.
 				// Use _wp_specialchars() "manually" to ensure entities are encoded correctly.
 				echo _wp_specialchars( // phpcs:ignore WordPress.Security.EscapeOutput
-					wp_json_encode( $value ),
+					wp_json_encode( $value, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE ),
 					ENT_NOQUOTES, // Don't need to encode quotes (output is for a text node).
-					'UTF-8',         // wp_json_encode() outputs UTF-8 (really just ASCII), not the blog's charset.
+					'UTF-8',         // wp_json_encode() outputs UTF-8, not the blog's charset.
 					true       // Do "double-encode" existing HTML entities.
 				);
 			?>

projects/plugins/jetpack/_inc/class.jetpack-provision.php

@@ -170,7 +170,7 @@ public static function partner_provision( $access_token, $named_args ) {
 			),
 			'timeout' => 60,
 			'method'  => 'POST',
-			'body'    => wp_json_encode( $request_body ),
+			'body'    => wp_json_encode( $request_body, JSON_UNESCAPED_SLASHES ),
 		);
 
 		$blog_id = Jetpack_Options::get_option( 'id' );

projects/plugins/jetpack/_inc/lib/admin-pages/class.jetpack-react-page.php

@@ -313,7 +313,7 @@ public function page_admin_scripts() {
 
 		// Add objects to be passed to the initial state of the app.
 		// Use wp_add_inline_script instead of wp_localize_script, see https://core.trac.wordpress.org/ticket/25280.
-		wp_add_inline_script( 'react-plugin', 'var Initial_State=JSON.parse(decodeURIComponent("' . rawurlencode( wp_json_encode( Jetpack_Redux_State_Helper::get_initial_state() ) ) . '"));', 'before' );
+		wp_add_inline_script( 'react-plugin', 'var Initial_State=' . wp_json_encode( Jetpack_Redux_State_Helper::get_initial_state(), JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ) . ';', 'before' );
 
 		// This will set the default URL of the jp_redirects lib.
 		wp_add_inline_script( 'react-plugin', 'var jetpack_redirects = { currentSiteRawUrl: "' . $site_suffix . '"' . $blog_id_prop . ' };', 'before' );

projects/plugins/jetpack/_inc/lib/class-jetpack-ai-helper.php

@@ -264,7 +264,8 @@ function ( $msg ) {
 			wp_json_encode(
 				array(
 					'content' => $content,
-				)
+				),
+				JSON_UNESCAPED_SLASHES
 			),
 			'wpcom'
 		);
@@ -338,7 +339,8 @@ public static function get_dalle_generation( $prompt, $post_id ) {
 			wp_json_encode(
 				array(
 					'prompt' => $prompt,
-				)
+				),
+				JSON_UNESCAPED_SLASHES
 			),
 			'wpcom'
 		);

projects/plugins/jetpack/_inc/lib/class.core-rest-api-endpoints.php

@@ -824,7 +824,7 @@ public static function get_openai_jwt() {
 				'method'  => 'POST',
 				'headers' => array( 'Content-Type' => 'application/json; charset=utf-8' ),
 			),
-			wp_json_encode( array() ),
+			wp_json_encode( array(), JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE ),
 			'wpcom'
 		);
 
@@ -922,7 +922,7 @@ public static function get_recommendations_product_suggestions() {
 
 		$user_connected = ( new Connection_Manager( 'jetpack' ) )->is_user_connected( get_current_user_id() );
 		if ( ! $user_connected ) {
-			return wp_json_encode( array() );
+			return wp_json_encode( array(), JSON_UNESCAPED_SLASHES );
 		}
 
 		$request_path  = sprintf( '/sites/%s/jetpack-recommendations/product-suggestions?locale=' . get_user_locale(), $blog_id );
@@ -1531,7 +1531,8 @@ public static function view_jetpack_connection_test_check() {
 				'rest_route' => isset( $_GET['rest_route'] ) ? filter_var( wp_unslash( $_GET['rest_route'] ) ) : null,
 				'timestamp'  => (int) $_GET['timestamp'],
 				'url'        => esc_url_raw( wp_unslash( $_GET['url'] ) ),
-			)
+			),
+			0 // No `json_encode()` flags because this needs to match whatever is calculating the hash on the other end.
 		);
 
 		if (
@@ -1596,7 +1597,7 @@ public static function jetpack_connection_test_for_external() {
 			}
 		}
 
-		$result = wp_json_encode( $result );
+		$result = wp_json_encode( $result, JSON_UNESCAPED_SLASHES );
 
 		$encrypted = $cxntests->encrypt_string_for_wpcom( $result );
 
@@ -1662,7 +1663,7 @@ public static function get_rewind_data() {
 				array(
 					'code'    => 'success',
 					'message' => esc_html__( 'Backup & Scan data correctly received.', 'jetpack' ),
-					'data'    => wp_json_encode( $rewind_data ),
+					'data'    => wp_json_encode( $rewind_data, JSON_UNESCAPED_SLASHES ),
 				)
 			);
 		}
@@ -1745,7 +1746,7 @@ public static function get_scan_state() {
 				array(
 					'code'    => 'success',
 					'message' => esc_html__( 'Scan state correctly received.', 'jetpack' ),
-					'data'    => wp_json_encode( $scan_state ),
+					'data'    => wp_json_encode( $scan_state, JSON_UNESCAPED_SLASHES ),
 				)
 			);
 		}
@@ -1918,7 +1919,7 @@ public static function update_user_tracking_settings( $request ) {
 						'X-Forwarded-For' => ( new Visitor() )->get_ip( true ),
 					),
 				),
-				wp_json_encode( $request->get_params() )
+				wp_json_encode( $request->get_params(), JSON_UNESCAPED_SLASHES )
 			);
 			if ( ! is_wp_error( $response ) ) {
 				$response = json_decode( wp_remote_retrieve_body( $response ), true );
@@ -1994,7 +1995,7 @@ public static function get_site_data() {
 				array(
 					'code'    => 'success',
 					'message' => esc_html__( 'Site data correctly received.', 'jetpack' ),
-					'data'    => wp_json_encode( $site_data ),
+					'data'    => wp_json_encode( $site_data, JSON_UNESCAPED_SLASHES ),
 				)
 			);
 		}

projects/plugins/jetpack/_inc/lib/core-api/class.jetpack-core-api-site-endpoints.php

@@ -296,7 +296,7 @@ function ( $i, $j ) {
 			array(
 				'code'    => 'success',
 				'message' => esc_html__( 'Site benefits correctly received.', 'jetpack' ),
-				'data'    => wp_json_encode( $benefits ),
+				'data'    => wp_json_encode( $benefits, JSON_UNESCAPED_SLASHES ),
 			)
 		);
 	}

projects/plugins/jetpack/_inc/lib/debugger/class-jetpack-debug-data.php

@@ -285,7 +285,7 @@ public static function debug_data() {
 
 		$debug_info['protect_header'] = array(
 			'label'   => 'Trusted IP',
-			'value'   => wp_json_encode( get_site_option( 'trusted_ip_header' ) ),
+			'value'   => wp_json_encode( get_site_option( 'trusted_ip_header' ), JSON_UNESCAPED_SLASHES ),
 			'private' => false,
 		);
 
@@ -302,7 +302,7 @@ public static function debug_data() {
 			}
 			$debug_info['full_sync'] = array(
 				'label'   => 'Full Sync Status',
-				'value'   => wp_json_encode( $human_readable_sync_status ),
+				'value'   => wp_json_encode( $human_readable_sync_status, JSON_UNESCAPED_SLASHES ),
 				'private' => false,
 			);
 		}
@@ -347,12 +347,12 @@ public static function debug_data() {
 
 		$debug_info['idc_urls']         = array(
 			'label'   => 'IDC URLs',
-			'value'   => wp_json_encode( $idc_urls ),
+			'value'   => wp_json_encode( $idc_urls, JSON_UNESCAPED_SLASHES ),
 			'private' => false,
 		);
 		$debug_info['idc_error_option'] = array(
 			'label'   => 'IDC Error Option',
-			'value'   => wp_json_encode( Jetpack_Options::get_option( 'sync_error_idc' ) ),
+			'value'   => wp_json_encode( Jetpack_Options::get_option( 'sync_error_idc' ), JSON_UNESCAPED_SLASHES ),
 			'private' => false,
 		);
 		$debug_info['idc_optin']        = array(
@@ -371,7 +371,7 @@ public static function debug_data() {
 		if ( $cxn_tests->pass() ) {
 			$debug_info['cxn_tests']['value'] = 'All Pass.';
 		} else {
-			$debug_info['cxn_tests']['value'] = wp_json_encode( $cxn_tests->list_fails() );
+			$debug_info['cxn_tests']['value'] = wp_json_encode( $cxn_tests->list_fails(), JSON_UNESCAPED_SLASHES );
 		}
 
 		return $debug_info;

projects/plugins/jetpack/_inc/lib/widgets.php

@@ -576,7 +576,7 @@ public static function activate_widget( $id_base, $sidebar, $position, $settings
 				'wpcom_widgets_activate_widget',
 				array(
 					'widget'   => $id_base,
-					'settings' => wp_json_encode( $settings ),
+					'settings' => wp_json_encode( $settings, JSON_UNESCAPED_SLASHES ),
 				)
 			);
 		}

projects/plugins/jetpack/changelog/fix-audit_json_encode_flags_part_trois

@@ -0,0 +1,4 @@
+Significance: patch
+Type: other
+
+Ensure proper flags are used with `json_encode()`.