Packages and Tools: Ensure proper flags are used with json_encode()

[tbradsha]

Closes MONOREP-262

See MONOREP-129 and further discussion in p1763997995289799-slack-C05Q5HSS013.

This is a best-effort application of proper flags for json_encode() and wp_json_encode().

It also includes some cleanup of PHP 5.2 compatibility (JSON.parse(decodeURIComponent())), which was a workaround for when the flags we now use did not exist.

I've tagged for review a few teams whose packages I know I touched.

A follow-up will be done for the plugins.

Proposed changes:

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

Does this pull request change what data or activity we track or use?

Testing instructions:

Beyond ensuring the flags make sense, hopefully CI tests pass.

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack or WordPress.com Site Helper), and enable the fix/audit_json_encode_flags branch.
• To test on Simple, run the following command on your sandbox:

bin/jetpack-downloader test jetpack fix/audit_json_encode_flags

bin/jetpack-downloader test jetpack-mu-wpcom-plugin fix/audit_json_encode_flags

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  
• ✅ Add a "[Type]" label (Bug, Enhancement, Janitorial, Task).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
3. You can use GitHub's Reviewers functionality to request a review.
4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

[jp-launch-control]

Code Coverage Summary

Coverage changed in 30 files. Only the first 5 are listed here.

File	Coverage	Δ%	Δ Uncovered
projects/packages/google-analytics/src/class-legacy.php	27/165 (16.36%)	3.44%	10 💔
projects/packages/sync/src/modules/class-module.php	41/252 (16.27%)	-0.33%	5 💔
projects/packages/forms/src/contact-form/class-contact-form-field.php	1092/1743 (62.65%)	-0.14%	4 💔
projects/packages/connection/legacy/class-jetpack-signature.php	111/149 (74.50%)	-1.53%	3 ❤️‍🩹
projects/packages/connection/src/class-client.php	154/207 (74.40%)	-1.09%	3 ❤️‍🩹

Full summary · PHP report · JS report

_{If appropriate, add one of these labels to override the failing coverage check: Covered by non-unit tests Use to ignore the Code coverage requirement check when E2Es or other non-unit tests cover the code Coverage tests to be added later Use to ignore the Code coverage requirement check when tests will be added in a follow-up PR I don't care about code coverage for this PR Use this label to ignore the check for insufficient code coveage.}

[coder-karen]

I have checked the Classic Theme Helper and Sync package changes and run some tests to confirm they're ok. For the Connection changes @bindlegirl or @sergeymitr may be able to confirm.

[anomiex]

For the benefit of other reviewers, the general situation here is:

• The default behavior of escaping slashes is pretty much never correct. So JSON_UNESCAPED_SLASHES should almost always be used.
• When outputting the JSON somewhere inside of <script> tags, JSON_HEX_TAG is needed. If there's a chance the page might be interpreted as XHTML for some reason, JSON_HEX_AMP is also needed.
• When outputting JSON into an HTML tag attribute, the json_encode() must always be wrapped in htmlspecialchars() or esc_attr(). When the latter is used, JSON_HEX_AMP is required for correct behavior.
• If we're sure the consumer of the data is going to interpret it as UTF-8, JSON_UNESCAPED_UNICODE may be included.
  • For direct output into webpages from WordPress, that would usually mean a check for get_option( 'blog_charset' ) === 'UTF-8'.
  • JSON_UNESCAPED_LINE_TERMINATORS may be used along with JSON_UNESCAPED_UNICODE, as long as you're sure it won't be interpreted as JavaScript by a pre-ES2019 browser. But since it only affects two very rare characters anyway (U+2028 and U+2029), it may be more trouble than it's worth to bother adding this flag.
• Calculation of a detached signature/hash is a possible exception to all this, but only because both producer and consumer need to calculate the signature/hash in the same way.
• If in doubt, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP is a safe default.
• Even if it's technically safe because the input data can never contain <>& or the like (which is probably the case for a lot of these), it's still better to use the correct flags in case that changes or the code gets copy-pasted and adapted. Plus it saves reviewers having to dig deeper to see whether it really is safe or not.
• P.S. JSON_HEX_APOS and JSON_HEX_QUOT are seldom needed. If you think you need them somewhere, first check that you're not doing something else wrong instead (like forgetting esc_attr()).

[anomiex]

The commit message should mention that we took the opportunity to clean up this sort of PHP 5.2 compatibility code (the various flags weren't introduced until 5.3).

[tbradsha]

Will do!

[bindlegirl]

For the Connection package, everything looks OK. Thank you for working on this!