Security: ensure second arg of wp_localize_script() is properly escaped

[JDGrimes]

The second arg of the wp_localize_script() function, $object_name, is directly interpolated into the JS without any escaping. Per the docs:

 * @param string $object_name Name for the JavaScript object. Passed directly, so it should be qualified JS variable.
 *                            Example: '/[a-zA-Z0-9_]+/'.

Believe it or not, some plugins use dynamic object names, even incorporating untrusted data. I think it makes sense add a sniff that requires the value to be properly escaped.

[johnbillion]

Is there a core ticket for this? Sounds like something that should also be fixed at the core level.

[JDGrimes]

I was going to bring it up with the core security team, until I saw that it was a documented "feature", and then I figured that it probably wouldn't be fixed. Also, a scan of the plugin repo revealed that some plugin devs are using this feature to pass scripts in via the $object_name parameter, so fixing this would break their code.

Of course, I've no problem with it being fixed at the core level, I just didn't see much point in raising the issue, given the above. If I am mistaken, I'll happily stand corrected.

[johnbillion]

Also, a scan of the plugin repo revealed that some plugin devs are using this feature to pass scripts in via the $object_name parameter

Yikes.