Is your feature request related to a problem?
Manually constructing inline script tags is no longer necessary with the introduction of wp_get_inline_script_tag() and wp_print_inline_script_tag() in Core-39941. Importantly, these functions allow for the attributes to be filtered via the wp_inline_script_attributes filter. This allows for a nonce attribute to be added to make scripts compatible with Strict CSP (Content Security Policy), which a plugin can enforce (for example). These functions are now used on the frontend and on the login screen as of Core-58664, although not yet in the admin per Core-59446. Some bundled themes are also manually constructing script tags, per Core-63806. By having a sniff that flags these in WPCS, we can start fixing instances of manual script construction in the WP admin while at the same time getting the ecosystem to also adopt this better way to construct script tags.
Describe the solution you'd like
The WordPress.WP.EnqueuedResources sniff already flags construction of external script tags with a NonEnqueuedScript error. This existing sniff (or a new one, like WordPress.WP.InlineResources) should flag the construction of inline script tags.
So instead of:
<?php
function my_theme_supports_js() {
	echo '<script>document.body.classList.remove("no-js");</script>'; // ❌ DO NOT DO THIS 👎
}
add_action( 'wp_footer', 'my_theme_supports_js' );
This should be done instead:
<?php
function my_theme_supports_js() {
	wp_print_inline_script_tag( 'document.body.classList.remove("no-js");' ); // ✅ Do this instead 👍
}
add_action( 'wp_footer', 'my_theme_supports_js' );
Additional context (optional)
Relates to:
<script> tags if wp_json_encode() not used and ensure JSON is encoded with the best flags #63
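To make the requested check concrete, here is a stand-alone sketch of the detection, added as an example and not part of the original issue or of WPCS. It uses PHP's built-in tokenizer instead of the PHPCS sniff API, and the function name `find_manual_inline_scripts()` and the sample input are constructed for illustration.

```php
<?php
// Added illustration, not WPCS code; find_manual_inline_scripts() is a hypothetical name.
function find_manual_inline_scripts( string $source ): array {
	$findings = array();
	// Token types that can carry literal markup.
	$text_tokens = array( T_CONSTANT_ENCAPSED_STRING, T_ENCAPSED_AND_WHITESPACE, T_INLINE_HTML );

	foreach ( token_get_all( $source ) as $token ) {
		if ( ! is_array( $token ) || ! in_array( $token[0], $text_tokens, true ) ) {
			continue;
		}
		list( , $text, $line ) = $token;
		// Find each opening <script ...> tag and capture its attribute string.
		if ( ! preg_match_all( '/<script\b([^>]*)>/i', $text, $matches, PREG_OFFSET_CAPTURE ) ) {
			continue;
		}
		foreach ( $matches[1] as $i => $attrs ) {
			// A src attribute means an external script, which the existing
			// WordPress.WP.EnqueuedResources sniff already reports.
			if ( preg_match( '/\bsrc\s*=/i', $attrs[0] ) ) {
				continue;
			}
			// Line of the tag = token start line + newlines before the match.
			$offset     = $matches[0][ $i ][1];
			$findings[] = $line + substr_count( $text, "\n", 0, $offset );
		}
	}
	return $findings;
}

// Constructed sample input mirroring the two snippets in this issue.
$sample = <<<'SAMPLE'
<?php
function my_theme_supports_js() {
	echo '<script>document.body.classList.remove("no-js");</script>';
}
function my_theme_supports_js_fixed() {
	wp_print_inline_script_tag( 'document.body.classList.remove("no-js");' );
}
echo '<script src="https://example.com/a.js"></script>';
SAMPLE;

foreach ( find_manual_inline_scripts( $sample ) as $line ) {
	echo "Line {$line}: inline script tag built manually; use wp_print_inline_script_tag().\n";
}
```

On the sample this reports only line 3: the `wp_print_inline_script_tag()` call and the external `src` script are not flagged. A tag split across concatenated strings is not seen by this sketch, since each string token is examined on its own.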