ESI predefined nonce wp_rest breaks JSON in wp_localize_script | ww.wp.xz.cn

Resolved faradei
(@faradei)

2 months ago
Hi,

The wp_rest nonce is included in the predefined ESI nonces list (data/esi.nonces.txt). When a plugin outputs this nonce inside a wp_localize_script() call, ESI replaces it with an HTML comment block — which breaks the entire JSON object and causes a JavaScript SyntaxError:

js
```
var myData = {"restNonce":"","otherKey":"value"}
// Uncaught SyntaxError: Invalid or unexpected token
```
This affects any plugin/theme that embeds wp_rest nonce via wp_localize_script (e.g. Bricks Builder).

The problem is that ESI replacement doesn’t distinguish between nonces in HTML context (safe to replace) and nonces inside JavaScript strings (breaks JSON parsing).

Suggestion: Could LiteSpeed detect when a nonce appears inside a <script> tag / wp_localize_script output and either skip ESI replacement in that context, or use a JS-safe replacement instead of HTML comments?

Currently the only workaround is removing wp_rest via the litespeed_esi_nonces filter, which disables ESI for that nonce entirely.

Viewing 3 replies - 1 through 3 (of 3 total)

Plugin Support litetim
(@litetim)

2 months ago

@faradei clearing cache would fix the issue?

Thread Starter faradei
(@faradei)

2 months ago

Hi @litetim,

Yes, clearing the cache does fix the issue, but only temporarily.

As soon as the cache is rebuilt and ESI kicks in again, the problem returns. LiteSpeed will once again replace the wp_rest nonce with the HTML comment () inside the JS object.

Plugin Support qtwrk
(@qtwrk)

2 months ago

I got an idea, could you please provide the report number and let me to verify a bit the conf ?

you can get it in toolbox -> report -> click “send to LiteSpeed”

Viewing 3 replies - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.

3 replies
3 participants
Last reply from: qtwrk
Last activity: 2 months ago
Status: resolved