Changes between Version 6 and Version 7 of Ticket #39941, comment 28
Timestamp: 03/21/2019 05:06:52 PM (7 years ago)
Legend: Unmodified / Added / Removed / Modified
Ticket #39941, comment 28
v6 v7
12 12  > Plugin Developer A writes a plugin that templates JavaScript. To do this he uses the proposed function to generate nonces. However, the way the JavaScript in question is templated by the PHP of his plugin changes depending on user input and the developer fails to properly sanitize that input (this is a bog standard XSS scenario).
13 13  >
14     > [v6, modified] Without this patch the site operator would have to configure a CSP with unsafe-inline. The user and the user's client could therefore be warned of the risk of XSS when using said plugin. As CSP is adopted more and more eventually Google, Mozilla, Microsoft, Apple and the rest of the browser developers could add unsafe-inline to the warnings shown in the address bar specifically to let themknow when they are at risk of having their personally identifiable information exposed.
   14  > [v7, modified] Without this patch the site operator would have to configure a CSP with unsafe-inline. The user and the user's client could therefore be warned of the risk of XSS when using said plugin. As CSP is adopted more and more eventually Google, Mozilla, Microsoft, Apple and the rest of the browser developers could add unsafe-inline to the warnings shown in the address bar specifically to let users know when they are at risk of having their personally identifiable information exposed.
15 15  >
16 16  > With this patch, however, a malicious user could input specially formatted code intended to perform XSS into the poorly sanitized inputs, and your proposed patch would ensure that the user and the user's browser was told that this XSS code is trustworthy. And, as CSP is adopted more and more... when browser developers make the switch to warning users WordPress sites will be lying to the user about their level of risk.
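An added illustration of the scenario the comment describes, written for this page and not taken from the ticket's patch or from WordPress core: the plugin fragment that interpolates a request value into a nonced inline script unescaped, beside the hardened form that emits the value as a JSON literal so the nonce only vouches for the plugin's own code. `csp_nonce()` is a hypothetical placeholder for the proposed nonce function; `esc_attr()` and `wp_json_encode()` are real WordPress functions.

```php
<?php
// Added example. csp_nonce() is a hypothetical stand-in for the proposed
// per-response CSP nonce function; everything else is standard PHP/WordPress.

// Vulnerable form: $search_term (e.g. wp_unslash( $_GET['s'] )) lands inside
// the nonced <script> block as raw text. The browser sees one nonced script,
// so whatever the request parameter contained executes as "trusted" code.
function plugin_inline_script_vulnerable( string $search_term ): string {
    $nonce = csp_nonce();
    return '<script nonce="' . esc_attr( $nonce ) . '">'
        . 'window.pluginSearch = "' . $search_term . '";'
        . '</script>';
}

// Hardened form: the value is encoded as a JSON string literal with the HEX
// flags, so quotes cannot end the literal and angle brackets cannot end the
// <script> element. Only the plugin's own statements carry the nonce's trust.
function plugin_inline_script_hardened( string $search_term ): string {
    $nonce = csp_nonce();
    $json  = wp_json_encode(
        $search_term,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return '<script nonce="' . esc_attr( $nonce ) . '">'
        . 'window.pluginSearch = ' . $json . ';'
        . '</script>';
}

// The response header that makes the nonce meaningful: no unsafe-inline, so a
// script without the current nonce is blocked. Constructed policy, not the
// ticket's proposed header.
function plugin_send_csp_header(): void {
    header( "Content-Security-Policy: script-src 'nonce-" . csp_nonce() . "'" );
}
```

A review check that follows from the comment: any string concatenation or `echo` of request-derived data between `<script nonce=...>` and `</script>` deserves the same scrutiny as an unescaped HTML attribute, because the nonce extends CSP's trust to every byte inside that element.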