From a99ec2556e48489620c4e1dfb92128d401dd7e70 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Tue, 7 May 2024 17:20:47 +0200
Subject: [PATCH 01/11] Improve Interactivity API store JSON encoding

---
 .../interactivity-api/class-wp-interactivity-api.php       | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/wp-includes/interactivity-api/class-wp-interactivity-api.php b/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
index 3db539aae699..41c4fe4c1fdf 100644
--- a/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
+++ b/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
@@ -167,10 +167,15 @@ public function print_client_interactivity_data() {
 		}
 
 		if ( ! empty( $interactivity_data ) ) {
+			$json_encode_flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_UNESCAPED_SLASHES;
+			if ( str_starts_with( get_option( 'blog_charset' ), 'UTF-' ) ) {
+				$json_encode_flags |= JSON_UNESCAPED_UNICODE;
+			}
+
 			wp_print_inline_script_tag(
 				wp_json_encode(
 					$interactivity_data,
-					JSON_HEX_TAG | JSON_HEX_AMP
+					$json_encode_flags
 				),
 				array(
 					'type' => 'application/json',

From 8a6d30ff325c8cd0928943030019475fb4ee5cbc Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Wed, 8 May 2024 14:39:48 +0200
Subject: [PATCH 02/11] Only set unescaped unicode with UTF-8

---
 .../interactivity-api/class-wp-interactivity-api.php            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-includes/interactivity-api/class-wp-interactivity-api.php b/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
index 41c4fe4c1fdf..22395df26f57 100644
--- a/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
+++ b/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
@@ -168,7 +168,7 @@ public function print_client_interactivity_data() {
 
 		if ( ! empty( $interactivity_data ) ) {
 			$json_encode_flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_UNESCAPED_SLASHES;
-			if ( str_starts_with( get_option( 'blog_charset' ), 'UTF-' ) ) {
+			if ( 'UTF-8' === get_option( 'blog_charset' ) ) {
 				$json_encode_flags |= JSON_UNESCAPED_UNICODE;
 			}
 

From 312d6ea77206db63733f537362badd7bb6479e44 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Thu, 9 May 2024 10:07:00 +0200
Subject: [PATCH 03/11] Remove JSON_HEX_AMP

---
 .../interactivity-api/class-wp-interactivity-api.php            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-includes/interactivity-api/class-wp-interactivity-api.php b/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
index 22395df26f57..70afe7014957 100644
--- a/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
+++ b/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
@@ -167,7 +167,7 @@ public function print_client_interactivity_data() {
 		}
 
 		if ( ! empty( $interactivity_data ) ) {
-			$json_encode_flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_UNESCAPED_SLASHES;
+			$json_encode_flags = JSON_HEX_TAG | JSON_UNESCAPED_SLASHES;
 			if ( 'UTF-8' === get_option( 'blog_charset' ) ) {
 				$json_encode_flags |= JSON_UNESCAPED_UNICODE;
 			}

From 3e301171b2b54cb8cf137ba9e760cae9c0eddb33 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Thu, 9 May 2024 10:07:23 +0200
Subject: [PATCH 04/11] Add JSON_UNESCAPED_LINE_TERMINATORS

---
 .../interactivity-api/class-wp-interactivity-api.php            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-includes/interactivity-api/class-wp-interactivity-api.php b/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
index 70afe7014957..95141185b6ca 100644
--- a/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
+++ b/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
@@ -169,7 +169,7 @@ public function print_client_interactivity_data() {
 		if ( ! empty( $interactivity_data ) ) {
 			$json_encode_flags = JSON_HEX_TAG | JSON_UNESCAPED_SLASHES;
 			if ( 'UTF-8' === get_option( 'blog_charset' ) ) {
-				$json_encode_flags |= JSON_UNESCAPED_UNICODE;
+				$json_encode_flags |= JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_LINE_TERMINATORS;
 			}
 
 			wp_print_inline_script_tag(

From cf29aa660712bc8dc38b4b8cac76fb6718606744 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Thu, 9 May 2024 11:21:02 +0200
Subject: [PATCH 05/11] Add comments

---
 .../class-wp-interactivity-api.php            | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/src/wp-includes/interactivity-api/class-wp-interactivity-api.php b/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
index 95141185b6ca..656472c3870a 100644
--- a/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
+++ b/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
@@ -167,8 +167,30 @@ public function print_client_interactivity_data() {
 		}
 
 		if ( ! empty( $interactivity_data ) ) {
+
+			/*
+			 * This data will be printed as JSON inside a script tag:
+			 *   <script type="application/json"></script>
+			 * A script tag must be closed by a sequence beginning with `</`. We ensure that
+			 * `<` is escaped and `/` can remain unescaped. `</script>` will be
+			 * printed as `\u003C/script\u00E3`.
+			 *
+			 *   - JSON_HEX_TAG: All < and > are converted to \u003C and \u003E.
+			 *   - JSON_UNESCAPED_SLASHES: Don't escape /.
+			 *
+			 * @see https://www.php.net/manual/en/json.constants.php
+			 */
 			$json_encode_flags = JSON_HEX_TAG | JSON_UNESCAPED_SLASHES;
 			if ( 'UTF-8' === get_option( 'blog_charset' ) ) {
+				/*
+				 * If the page uses the UTF-8 charset unicode does not need to be escaped.
+				 *
+				 *   - JSON_UNESCAPED_UNICODE: Encode multibyte Unicode characters literally
+				 *     (default is to escape as \uXXXX).
+				 *   - JSON_UNESCAPED_LINE_TERMINATORS: The line terminators are kept unescaped when
+				 *     JSON_UNESCAPED_UNICODE is supplied. It uses the same behaviour as it was
+				 *     before PHP 7.1 without this constant. Available as of PHP 7.1.0.
+				 */
 				$json_encode_flags |= JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_LINE_TERMINATORS;
 			}
 

From 76c7a5e594d471593873ed828fd36ae96cde60e3 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Thu, 9 May 2024 12:03:43 +0200
Subject: [PATCH 06/11] Smaller config in test

---
 .../interactivity-api/wpInteractivityAPI.php  | 77 ++++++++++++++++++-
 1 file changed, 73 insertions(+), 4 deletions(-)

diff --git a/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php b/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php
index ffcc8087acf3..1a9932693a9b 100644
--- a/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php
+++ b/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php
@@ -27,6 +27,17 @@ public function set_up() {
 		$this->interactivity = new WP_Interactivity_API();
 	}
 
+	/**
+	 * Tear down.
+	 */
+	public function tear_down() {
+		remove_filter( 'pre_option_blog_charset', array( $this, 'charset_iso_8859_1' ) );
+	}
+
+	public function charset_iso_8859_1() {
+		return 'iso-8859-1';
+	}
+
 	/**
 	 * Tests that the state and config methods return an empty array at the
 	 * beginning.
@@ -349,20 +360,78 @@ public function test_config_printed_correctly_with_nested_empty_array() {
 	 * properly escaped.
 	 *
 	 * @ticket 60356
+	 * @ticket 61170
 	 *
 	 * @covers ::state
 	 * @covers ::config
 	 * @covers ::print_client_interactivity_data
 	 */
 	public function test_state_and_config_escape_special_characters() {
-		$this->interactivity->state( 'myPlugin', array( 'amps' => 'http://site.test/?foo=1&baz=2' ) );
-		$this->interactivity->config( 'myPlugin', array( 'tags' => 'Tags: <!-- <script>' ) );
+		$this->interactivity->state(
+			'myPlugin',
+			array(
+				'ampersand'                              => '&',
+				'less-than sign'                         => '<',
+				'greater-than sign'                      => '>',
+				'solidus'                                => '/',
+				'line separator'                         => "\u{2028}",
+				'paragraph separator'                    => "\u{2029}",
+				'flag of england'                        => "\u{1F3F4}\u{E0067}\u{E0062}\u{E0065}\u{E006E}\u{E0067}\u{E007F}",
+				'malicious script closer'                => '</script>',
+				'entity-encoded malicious script closer' => '&lt;/script&gt;',
+			),
+		);
+		$this->interactivity->config( 'myPlugin', array( 'chars' => '&<>/' ) );
 
 		$interactivity_data_markup = get_echo( array( $this->interactivity, 'print_client_interactivity_data' ) );
-		preg_match( '/<script type="application\/json" id="wp-interactivity-data">.*?(\{.*\}).*?<\/script>/s', $interactivity_data_markup, $interactivity_data_string );
+		preg_match( '~<script type="application/json" id="wp-interactivity-data">\s*(\{.*\})\s*</script>~s', $interactivity_data_markup, $interactivity_data_string );
+
+		$this->assertEquals(
+			<<<"JSON"
+{"config":{"myPlugin":{"chars":"&\\u003C\\u003E/"}},"state":{"myPlugin":{"ampersand":"&","less-than sign":"\\u003C","greater-than sign":"\\u003E","solidus":"/","line separator":"\u{2028}","paragraph separator":"\u{2029}","flag of england":"\u{1F3F4}\u{E0067}\u{E0062}\u{E0065}\u{E006E}\u{E0067}\u{E007F}","malicious script closer":"\\u003C/script\\u003E","entity-encoded malicious script closer":"&lt;/script&gt;"}}}
+JSON,
+			$interactivity_data_string[1]
+		);
+	}
+
+	/**
+	 * Tests that special characters in the initial state and configuration are
+	 * properly escaped when the blog_charset is not UTF-8 (unicode compatible).
+	 *
+	 * This this test, unicode and line terminators should be escaped to their
+	 * JSON unicode sequences.
+	 *
+	 * @ticket 61170
+	 *
+	 * @covers ::state
+	 * @covers ::config
+	 * @covers ::print_client_interactivity_data
+	 */
+	public function test_state_and_config_escape_special_characters_non_utf8() {
+		add_filter( 'pre_option_blog_charset', array( $this, 'charset_iso_8859_1' ) );
+		$this->interactivity->state(
+			'myPlugin',
+			array(
+				'ampersand'                              => '&',
+				'less-than sign'                         => '<',
+				'greater-than sign'                      => '>',
+				'solidus'                                => '/',
+				'line separator'                         => "\u{2028}",
+				'paragraph separator'                    => "\u{2029}",
+				'flag of england'                        => "\u{1F3F4}\u{E0067}\u{E0062}\u{E0065}\u{E006E}\u{E0067}\u{E007F}",
+				'malicious script closer'                => '</script>',
+				'entity-encoded malicious script closer' => '&lt;/script&gt;',
+			),
+		);
+		$this->interactivity->config( 'myPlugin', array( 'chars' => '&<>/' ) );
+
+		$interactivity_data_markup = get_echo( array( $this->interactivity, 'print_client_interactivity_data' ) );
+		preg_match( '~<script type="application/json" id="wp-interactivity-data">\s*(\{.*\})\s*</script>~s', $interactivity_data_markup, $interactivity_data_string );
 
 		$this->assertEquals(
-			'{"config":{"myPlugin":{"tags":"Tags: \u003C!-- \u003Cscript\u003E"}},"state":{"myPlugin":{"amps":"http:\/\/site.test\/?foo=1\u0026baz=2"}}}',
+			<<<"JSON"
+{"config":{"myPlugin":{"chars":"&\\u003C\\u003E/"}},"state":{"myPlugin":{"ampersand":"&","less-than sign":"\\u003C","greater-than sign":"\\u003E","solidus":"/","line separator":"\\u2028","paragraph separator":"\\u2029","flag of england":"\\ud83c\\udff4\\udb40\\udc67\\udb40\\udc62\\udb40\\udc65\\udb40\\udc6e\\udb40\\udc67\\udb40\\udc7f","malicious script closer":"\\u003C/script\\u003E","entity-encoded malicious script closer":"&lt;/script&gt;"}}}
+JSON,
 			$interactivity_data_string[1]
 		);
 	}

From f2b07eb648952f6ca7dbf127a12296cbd1401211 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Thu, 9 May 2024 12:12:06 +0200
Subject: [PATCH 07/11] Fix heredoc end

---
 .../interactivity-api/wpInteractivityAPI.php     | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php b/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php
index 1a9932693a9b..0d9a442e1763 100644
--- a/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php
+++ b/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php
@@ -386,12 +386,10 @@ public function test_state_and_config_escape_special_characters() {
 		$interactivity_data_markup = get_echo( array( $this->interactivity, 'print_client_interactivity_data' ) );
 		preg_match( '~<script type="application/json" id="wp-interactivity-data">\s*(\{.*\})\s*</script>~s', $interactivity_data_markup, $interactivity_data_string );
 
-		$this->assertEquals(
-			<<<"JSON"
+		$expected = <<<"JSON"
 {"config":{"myPlugin":{"chars":"&\\u003C\\u003E/"}},"state":{"myPlugin":{"ampersand":"&","less-than sign":"\\u003C","greater-than sign":"\\u003E","solidus":"/","line separator":"\u{2028}","paragraph separator":"\u{2029}","flag of england":"\u{1F3F4}\u{E0067}\u{E0062}\u{E0065}\u{E006E}\u{E0067}\u{E007F}","malicious script closer":"\\u003C/script\\u003E","entity-encoded malicious script closer":"&lt;/script&gt;"}}}
-JSON,
-			$interactivity_data_string[1]
-		);
+JSON;
+		$this->assertEquals( $expected, $interactivity_data_string[1] );
 	}
 
 	/**
@@ -428,12 +426,10 @@ public function test_state_and_config_escape_special_characters_non_utf8() {
 		$interactivity_data_markup = get_echo( array( $this->interactivity, 'print_client_interactivity_data' ) );
 		preg_match( '~<script type="application/json" id="wp-interactivity-data">\s*(\{.*\})\s*</script>~s', $interactivity_data_markup, $interactivity_data_string );
 
-		$this->assertEquals(
-			<<<"JSON"
+		$expected = <<<"JSON"
 {"config":{"myPlugin":{"chars":"&\\u003C\\u003E/"}},"state":{"myPlugin":{"ampersand":"&","less-than sign":"\\u003C","greater-than sign":"\\u003E","solidus":"/","line separator":"\\u2028","paragraph separator":"\\u2029","flag of england":"\\ud83c\\udff4\\udb40\\udc67\\udb40\\udc62\\udb40\\udc65\\udb40\\udc6e\\udb40\\udc67\\udb40\\udc7f","malicious script closer":"\\u003C/script\\u003E","entity-encoded malicious script closer":"&lt;/script&gt;"}}}
-JSON,
-			$interactivity_data_string[1]
-		);
+JSON;
+		$this->assertEquals( $expected, $interactivity_data_string[1] );
 	}
 
 	/**

From 5c2d27321abd4fde88ce4a1261a41d5fa900b67e Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Thu, 9 May 2024 12:32:40 +0200
Subject: [PATCH 08/11] Remove bad function arg trailing comma

---
 tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php b/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php
index 0d9a442e1763..557cc02d81bb 100644
--- a/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php
+++ b/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php
@@ -379,7 +379,7 @@ public function test_state_and_config_escape_special_characters() {
 				'flag of england'                        => "\u{1F3F4}\u{E0067}\u{E0062}\u{E0065}\u{E006E}\u{E0067}\u{E007F}",
 				'malicious script closer'                => '</script>',
 				'entity-encoded malicious script closer' => '&lt;/script&gt;',
-			),
+			)
 		);
 		$this->interactivity->config( 'myPlugin', array( 'chars' => '&<>/' ) );
 
@@ -419,7 +419,7 @@ public function test_state_and_config_escape_special_characters_non_utf8() {
 				'flag of england'                        => "\u{1F3F4}\u{E0067}\u{E0062}\u{E0065}\u{E006E}\u{E0067}\u{E007F}",
 				'malicious script closer'                => '</script>',
 				'entity-encoded malicious script closer' => '&lt;/script&gt;',
-			),
+			)
 		);
 		$this->interactivity->config( 'myPlugin', array( 'chars' => '&<>/' ) );
 

From b9cd850a5a9940700ac549e280c320ba21515c19 Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Thu, 9 May 2024 13:07:47 +0200
Subject: [PATCH 09/11] Add more details to comments

---
 .../class-wp-interactivity-api.php            | 39 +++++++++++++------
 1 file changed, 28 insertions(+), 11 deletions(-)

diff --git a/src/wp-includes/interactivity-api/class-wp-interactivity-api.php b/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
index 656472c3870a..1c69ed25070d 100644
--- a/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
+++ b/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
@@ -169,27 +169,44 @@ public function print_client_interactivity_data() {
 		if ( ! empty( $interactivity_data ) ) {
 
 			/*
-			 * This data will be printed as JSON inside a script tag:
+			 * This data will be printed as JSON inside a script tag like this:
 			 *   <script type="application/json"></script>
-			 * A script tag must be closed by a sequence beginning with `</`. We ensure that
-			 * `<` is escaped and `/` can remain unescaped. `</script>` will be
-			 * printed as `\u003C/script\u00E3`.
+			 *
+			 * A script tag must be closed by a sequence beginning with `</`. It's impossible to
+			 * close a script tag without using `<`. We ensure that `<` is escaped and `/` can
+			 * remain unescaped, so `</script>` will be printed as `\u003C/script\u00E3`.
 			 *
 			 *   - JSON_HEX_TAG: All < and > are converted to \u003C and \u003E.
 			 *   - JSON_UNESCAPED_SLASHES: Don't escape /.
 			 *
-			 * @see https://www.php.net/manual/en/json.constants.php
+			 * @see https://www.php.net/manual/en/json.constants.php for details on these constants.
+			 * @see https://html.spec.whatwg.org/#script-data-state for details on script
+			 *      tag parsing.
 			 */
 			$json_encode_flags = JSON_HEX_TAG | JSON_UNESCAPED_SLASHES;
 			if ( 'UTF-8' === get_option( 'blog_charset' ) ) {
 				/*
-				 * If the page uses the UTF-8 charset unicode does not need to be escaped.
+				 * If the page will use UTF-8 encoding, it's safe to print unescaped unicode in
+				 * JSON. Set the following flags:
+				 *
+				 * - JSON_UNESCAPED_UNICODE: Encode multibyte Unicode characters literally
+				 *   (default is to escape as \uXXXX).
+				 * - JSON_UNESCAPED_LINE_TERMINATORS: The line terminators are kept unescaped when
+				 *   JSON_UNESCAPED_UNICODE is supplied. It uses the same behaviour as it was
+				 *   before PHP 7.1 without this constant. Available as of PHP 7.1.0.
+				 *
+				 * The JSON specification does not specify a character encoding, RFC-8259
+				 * suggests that UTF-8 be used everywhere. It's risky to print unicode if the page
+				 * uses any other encoding.
+				 *
+				 * > JSON text exchanged between systems that are not part of a closed ecosystem
+				 * > MUST be encoded using UTF-8. Previous specifications of JSON have not required
+				 * > the use of UTF-8 when transmitting JSON text.  However, the vast majority of
+				 * > JSON- based software implementations have chosen to use the UTF-8 encoding,
+				 * > to the extent that it is the only encoding that achieves interoperability.
+				 *
+				 * @see https://www.rfc-editor.org/rfc/rfc8259.html
 				 *
-				 *   - JSON_UNESCAPED_UNICODE: Encode multibyte Unicode characters literally
-				 *     (default is to escape as \uXXXX).
-				 *   - JSON_UNESCAPED_LINE_TERMINATORS: The line terminators are kept unescaped when
-				 *     JSON_UNESCAPED_UNICODE is supplied. It uses the same behaviour as it was
-				 *     before PHP 7.1 without this constant. Available as of PHP 7.1.0.
 				 */
 				$json_encode_flags |= JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_LINE_TERMINATORS;
 			}

From 8a7e4e0e92476e3cf83fa9b60e2f0cbe4757b35e Mon Sep 17 00:00:00 2001
From: Jon Surrell <sirreal@users.noreply.github.com>
Date: Fri, 10 May 2024 19:39:40 +0200
Subject: [PATCH 10/11] Remove redundant tear_down method.

Co-authored-by: Weston Ruter <westonruter@google.com>
---
 .../phpunit/tests/interactivity-api/wpInteractivityAPI.php | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php b/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php
index 557cc02d81bb..3c2050cab38e 100644
--- a/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php
+++ b/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php
@@ -27,13 +27,6 @@ public function set_up() {
 		$this->interactivity = new WP_Interactivity_API();
 	}
 
-	/**
-	 * Tear down.
-	 */
-	public function tear_down() {
-		remove_filter( 'pre_option_blog_charset', array( $this, 'charset_iso_8859_1' ) );
-	}
-
 	public function charset_iso_8859_1() {
 		return 'iso-8859-1';
 	}

From 7ecc709ec2a2b7b92cbf3dd943668bc40a68a041 Mon Sep 17 00:00:00 2001
From: Dennis Snell <dennis.snell@automattic.com>
Date: Tue, 14 May 2024 17:35:14 -0700
Subject: [PATCH 11/11] Rearrange comment and set UTF-8 as the normative
 encoding.

Previously, the flags were set as if UTF-8 were conditionally present,
but in most cases the blog character set will be UTF-8 and so flipping
the logic makes it clearer that this is a "happy path" and also remove
some logic that isn't necessary most of the time.

I've reworded and combined the comment explaining the flags to be more
specific about whey they are needed, and removed some discussions
about encodings that I thought muddied the important details.
---
 .../class-wp-interactivity-api.php            | 45 +++++++------------
 1 file changed, 16 insertions(+), 29 deletions(-)

diff --git a/src/wp-includes/interactivity-api/class-wp-interactivity-api.php b/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
index e96879624548..ac9a48982a5c 100644
--- a/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
+++ b/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
@@ -167,7 +167,6 @@ public function print_client_interactivity_data() {
 		}
 
 		if ( ! empty( $interactivity_data ) ) {
-
 			/*
 			 * This data will be printed as JSON inside a script tag like this:
 			 *   <script type="application/json"></script>
@@ -179,36 +178,24 @@ public function print_client_interactivity_data() {
 			 *   - JSON_HEX_TAG: All < and > are converted to \u003C and \u003E.
 			 *   - JSON_UNESCAPED_SLASHES: Don't escape /.
 			 *
+			 * If the page will use UTF-8 encoding, it's safe to print unescaped unicode:
+			 *
+			 *   - JSON_UNESCAPED_UNICODE: Encode multibyte Unicode characters literally (instead of as `\uXXXX`).
+			 *   - JSON_UNESCAPED_LINE_TERMINATORS: The line terminators are kept unescaped when
+			 *     JSON_UNESCAPED_UNICODE is supplied. It uses the same behaviour as it was
+			 *     before PHP 7.1 without this constant. Available as of PHP 7.1.0.
+			 *
+			 * The JSON specification requires encoding in UTF-8, so if the generated HTML page
+			 * is not encoded in UTF-8 then it's not safe to include those literals. They must
+			 * be escaped to avoid encoding issues.
+			 *
+			 * @see https://www.rfc-editor.org/rfc/rfc8259.html for details on encoding requirements.
 			 * @see https://www.php.net/manual/en/json.constants.php for details on these constants.
-			 * @see https://html.spec.whatwg.org/#script-data-state for details on script
-			 *      tag parsing.
+			 * @see https://html.spec.whatwg.org/#script-data-state for details on script tag parsing.
 			 */
-			$json_encode_flags = JSON_HEX_TAG | JSON_UNESCAPED_SLASHES;
-			if ( 'UTF-8' === get_option( 'blog_charset' ) ) {
-				/*
-				 * If the page will use UTF-8 encoding, it's safe to print unescaped unicode in
-				 * JSON. Set the following flags:
-				 *
-				 * - JSON_UNESCAPED_UNICODE: Encode multibyte Unicode characters literally
-				 *   (default is to escape as \uXXXX).
-				 * - JSON_UNESCAPED_LINE_TERMINATORS: The line terminators are kept unescaped when
-				 *   JSON_UNESCAPED_UNICODE is supplied. It uses the same behaviour as it was
-				 *   before PHP 7.1 without this constant. Available as of PHP 7.1.0.
-				 *
-				 * The JSON specification does not specify a character encoding, RFC-8259
-				 * suggests that UTF-8 be used everywhere. It's risky to print unicode if the page
-				 * uses any other encoding.
-				 *
-				 * > JSON text exchanged between systems that are not part of a closed ecosystem
-				 * > MUST be encoded using UTF-8. Previous specifications of JSON have not required
-				 * > the use of UTF-8 when transmitting JSON text.  However, the vast majority of
-				 * > JSON- based software implementations have chosen to use the UTF-8 encoding,
-				 * > to the extent that it is the only encoding that achieves interoperability.
-				 *
-				 * @see https://www.rfc-editor.org/rfc/rfc8259.html
-				 *
-				 */
-				$json_encode_flags |= JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_LINE_TERMINATORS;
+			$json_encode_flags = JSON_HEX_TAG | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_LINE_TERMINATORS;
+			if ( ! is_utf8_charset() ) {
+				$json_encode_flags = JSON_HEX_TAG | JSON_UNESCAPED_SLASHES;
 			}
 
 			wp_print_inline_script_tag(