Opened 15 months ago
Last modified 15 months ago
#58765 new enhancement
the_block_template_skip_link() - XSS vulnerability - Apply FIX
Reported by: | micromadness | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 5.8 |
Component: | Security | Keywords: | has-patch |
Focuses: | | Cc: | |
Description (last modified by )
Dear people at WordPress,
I have already reported this problem on HackerOne; it has been reviewed by a member of the WordPress security team, and they asked me to publish the issue here.
Issue:
I would like to implement on my website the CSP (Content Security Policy): require-trusted-types-for 'script';
If I do it, I get the following error message in the browser Console:
“This document requires TrustedHTML assignment”
because “innerHTML” is used in this script: the_block_template_skip_link()
Impact
DOM XSS
FIX: in the script, replace "innerHTML" with "innerText" and the skiplink will still work.
I have done that on my own homepage:
remove_action( 'wp_footer', 'the_block_template_skip_link' );
and then I have added the skiplink again, replacing "innerHTML" with "innerText" in the script.
The code works (used theme: Twenty Twenty-Three).
Attachments (1)
Change History (3)
#2
@
15 months ago
- Description modified (diff)
- Keywords has-patch added; changes-requested removed
- Version changed from 6.2.2 to 5.8
Hi and thanks for the report!
innerText would not work with HTML entities, but I did not find any in the 93 existing translations (see "Other locales" tab). The translator comment could let people know to avoid them for any future translations.
Alternative solution:
Use a policy which can create TrustedHTML.
This would allow all WordPress users to implement the Content Security Policy (CSP) require-trusted-types-for 'script'; also if they use scripts which need "innerHTML".
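
The two approaches discussed in this ticket, side by side, as an added example that is not WordPress core code and not written by any participant in the thread. The helper names and the policy name `skip-link-label` are hypothetical; `trustedTypes.createPolicy` is the standard browser API.

```javascript
// Added example: function names and the policy name are assumptions.

// Escape text so it can only ever be parsed as text, never as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Option 1 (the fix proposed in the ticket): avoid the HTML sink entirely.
// textContent/innerText are not Trusted Types sinks, so no policy is needed.
function setLabelAsText(element, label) {
  element.textContent = label;
  return element;
}

// Option 2 (the alternative): a named policy whose createHTML() is the
// single audited place where a string becomes TrustedHTML.
// `tt` is the browser's global trustedTypes object, passed in so the
// function also works where the API is absent.
function createLabelPolicy(tt, policyName = 'skip-link-label') {
  const rules = { createHTML: (input) => escapeHtml(input) };
  if (tt && typeof tt.createPolicy === 'function') {
    return tt.createPolicy(policyName, rules);
  }
  // No Trusted Types support: same escaping, plain string result.
  return rules;
}

// Assign through the policy; under enforcement a raw string here would throw.
function setLabelAsHtml(element, label, policy) {
  element.innerHTML = policy.createHTML(label);
  return element;
}

// Browser usage (assumption: the page is served with
// "require-trusted-types-for 'script'; trusted-types skip-link-label"):
//   const policy = createLabelPolicy(window.trustedTypes);
//   setLabelAsHtml(skipLink, 'Skip to content', policy);
```

Because this policy escapes its input, a translated label containing HTML entities is displayed literally, the same limitation noted above for innerText.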