Make WordPress Core

Opened 12 months ago

Last modified 12 months ago

#58765 new enhancement

the_block_template_skip_link() - XSS vulnerability - Apply FIX

Reported by: micromadness
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.8
Component: Security
Keywords: has-patch
Focuses:
Cc:

Description (last modified by sabernhardt)

Dear people at WordPress,

I have already reported this problem on HackerOne, it has been reviewed by a member of the WordPress security team, and they asked me to publish the issue here.

Issue:

I would like to implement on my website the CSP (Content Security Policy): require-trusted-types-for 'script';

If I do it, I get the following error message in the browser Console:
“This document requires TrustedHTML assignment”
because “innerHTML” is used in this script: the_block_template_skip_link()

Impact
DOM XSS

FIX: in the script, replace "innerHTML" with "innerText" and the skiplink will still work.

I have done that on my own homepage:
remove_action( 'wp_footer', 'the_block_template_skip_link' );

and then I have added the skiplink again, replacing "innerHTML" with "innerText" in the script.

The code works (used theme: Twenty Twenty-Three).

Attachments (1)

58765.diff (761 bytes) - added by sabernhardt 12 months ago.
switches innerHTML to innerText, adds to translator comment


Change History (3)

#1 @micromadness
12 months ago

Alternative solution:

Use a policy which can create TrustedHTML.

This would allow all WordPress users to implement the Content Security Policy (CSP) require-trusted-types-for 'script';

even if they use scripts which need "innerHTML".

@sabernhardt
12 months ago

switches innerHTML to innerText, adds to translator comment

#2 @sabernhardt
12 months ago

  • Description modified (diff)
  • Keywords has-patch added; changes-requested removed
  • Version changed from 6.2.2 to 5.8

Hi and thanks for the report!

innerText would not work with HTML entities, but I did not find any in the 93 existing translations (see "Other locales" tab). The translator comment could let people know to avoid them for any future translations.
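The following is an added example, not code from WordPress core, the attached patch or any commenter. It shows the two routes discussed in the description and comment #1 for setting the skip-link label under `require-trusted-types-for 'script'` (assigning a text node, or creating a Trusted Types policy that escapes before producing TrustedHTML), and the entity check that comment #2's caveat calls for. The policy name `wp-skip-link`, the helper names, the `fakeTrustedTypes` stand-in and the sample input are all this example's own assumptions.

```javascript
// Added example (not code from WordPress core or the ticket): the two routes the
// ticket discusses for printing the skip-link label under the CSP
// `require-trusted-types-for 'script'`, plus the entity check from comment #2.
// The policy name 'wp-skip-link' and the helper names are this example's own.

// Escape the characters that change meaning in HTML text or attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Route A (the attached patch): assign the label as a text node. Setting
// textContent/innerText never creates markup, so Trusted Types has nothing to
// police, and a translation that contained markup would be shown literally
// instead of being parsed.
function setSkipLinkLabel(anchor, label) {
  anchor.textContent = label;
  return anchor;
}

// Route B (comment #1): a named Trusted Types policy. With the CSP enforced,
// innerHTML only accepts TrustedHTML, and a policy's createHTML is the single
// place where a string is promoted to that type. It must sanitize, because a
// pass-through such as `createHTML: (s) => s` would simply reopen the sink.
function createSkipLinkPolicy(tt) {
  if (!tt || typeof tt.createPolicy !== 'function') {
    return null; // browser without Trusted Types: caller falls back to Route A
  }
  return tt.createPolicy('wp-skip-link', {
    createHTML: (label) => escapeHtml(label),
  });
}

// Comment #2's caveat: under Route A an entity such as &amp; is rendered as the
// literal text "&amp;". Flag translations that contain one.
const HTML_ENTITY = /&(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);/;
function hasHtmlEntity(label) {
  return HTML_ENTITY.test(label);
}

// Constructed stand-in for window.trustedTypes so the example runs outside a
// browser. It mirrors only the API shape used above: createPolicy(name, rules)
// returns a policy whose createHTML wraps the rule's output.
function fakeTrustedTypes() {
  return {
    createPolicy(name, rules) {
      return {
        name,
        createHTML: (input) => ({ toString: () => rules.createHTML(String(input)) }),
      };
    },
  };
}

// Demo: the same attacker-shaped "translation" (constructed input) through both routes.
const tt = globalThis.trustedTypes || fakeTrustedTypes();
const policy = createSkipLinkPolicy(tt);
const hostile = 'Skip to content<img src=x onerror=alert(1)>';
const anchor = setSkipLinkLabel({ textContent: '' }, hostile);
console.log('Route A textContent :', anchor.textContent);
console.log('Route B TrustedHTML :', String(policy.createHTML(hostile)));
console.log('Entity check        :', hasHtmlEntity('Skip to content &amp; more'));
```

Two practical notes. `textContent` is used in Route A because it sets a plain text node without the layout pass that `innerText` triggers; either satisfies the policy. For Route B, if the page also sends a `trusted-types` directive, the policy name must be listed there (for example `trusted-types wp-skip-link`), otherwise `createPolicy` throws; without that directive any name is accepted.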
