[wp-meta] [Making WordPress.org] #3230: submitting HTML to the plugin readme validator causes Chrome to ERR_BLOCKED_BY_XSS_AUDITOR

Making WordPress.org noreply at wordpress.org
Thu Oct 26 23:26:50 UTC 2017


#3230: submitting HTML to the plugin readme validator causes Chrome to
ERR_BLOCKED_BY_XSS_AUDITOR
------------------------------+-----------------
 Reporter:  benlk             |      Owner:
     Type:  defect            |     Status:  new
 Priority:  normal            |  Milestone:
Component:  Plugin Directory  |   Keywords:
------------------------------+-----------------
 After discussion on HackerOne (ticket
 [https://hackerone.com/bugs?report_id=277012 277012]), @ocean90 and
 @johnbillion determined that meta.trac.wordpress.org is the proper venue
 for reporting this bug.

 https://wordpress.org/plugins/developers/readme-validator/ has a feature
 that allows users to paste in the contents of a readme.txt file for
 validation. Upon submission, the user is sent to a page that contains an
 evaluation of the pasted text and the pasted text as the value of a
 textarea.

 If the submitted text contains unescaped HTML, Chrome will refuse to
 display the page, giving an ERR_BLOCKED_BY_XSS_AUDITOR page. In the Chrome
 dev tools console, the following information is provided:

 > The XSS Auditor blocked access to
 'https://wordpress.org/plugins/developers/readme-validator/' because the
 source code of a script was found within the request. The auditor was
 enabled as the server did not send an 'X-XSS-Protection' header.

 If the submitted text is resubmitted with all HTML tags removed, Chrome
 does not trip that error. Firefox and Safari didn't complain for either
 submission; I haven't yet tested with any version of IE. This looks like a
 Blink-specific feature that detects HTML in the response that matches HTML
 in the POST.

 The error is not caused by the presence of valid PHP code on the page.

 The text that was pasted, causing this error, can be found in
 https://raw.githubusercontent.com/INN/news-match-popup-plugin/f1ba1d3521985255657b2f6a31b71d8f66d20823/readme.txt

 The Chrome version in question was 61.0.3163.100 on OS X.

 In response to the HackerOne filing, @ocean90 wrote:

 > Hello @benlk, thanks for your report. This looks like a false positive.
 The code for the validator can be found here
 https://meta.trac.wordpress.org/browser/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-readme-validator.php?rev=5333&marks=32#L7.
 The input is escaped with esc_textarea().

 I replied noting that it didn't affect Safari or Firefox, and added:

 > Would you consider adding the `X-XSS-Protection` header to the page, and
 setting its value to `0` to disable the XSS auditor on this page? I'm not
 sure if it would work on that page because of how the validator is
 implemented as a shortcode, though.

--
Ticket URL: <https://meta.trac.wordpress.org/ticket/3230>
Making WordPress.org <https://meta.trac.wordpress.org/>
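To make the two points of the ticket concrete, here is an added example (not code from the wordpress.org plugin directory or from the ticket): a minimal readme-validator-style shortcode that reflects the POSTed readme back into a textarea, escaped with esc_textarea() as the real validator does, together with the X-XSS-Protection header benlk suggested, sent from a hook that runs before output. The page slug `readme-validator`, the field name `readme_contents`, the shortcode tag `rv_validator` and the `rv_check_readme()` stand-in are hypothetical; esc_textarea(), esc_html(), wp_unslash(), is_page(), add_shortcode() and the template_redirect action are real WordPress APIs.

```php
<?php
// Added example, not the wordpress.org validator's own code. Assumed names:
// page slug 'readme-validator', form field 'readme_contents', shortcode tag
// 'rv_validator', and rv_check_readme() as a stand-in for real validation.

// esc_textarea() is htmlspecialchars() with ENT_QUOTES, so a pasted
// "<script>alert(1)</script>" is emitted as "&lt;script&gt;..." and stays
// inert text inside the textarea. This escaping is the actual XSS
// protection; the auditor's block is a false positive on top of it.
function rv_render_form( $readme ) {
    return '<form method="post">'
        . '<textarea name="readme_contents" rows="20" cols="80">'
        . esc_textarea( $readme )
        . '</textarea>'
        . '<p><input type="submit" value="Validate" /></p>'
        . '</form>';
}

// Stand-in for the real validation (hypothetical): a single check so the
// example produces an evaluation to show above the reflected text.
function rv_check_readme( $readme ) {
    return false === strpos( $readme, '=== ' )
        ? 'Missing plugin name header ("=== Plugin Name ===").'
        : 'Plugin name header found.';
}

function rv_shortcode() {
    // WordPress adds slashes to $_POST; strip them before use.
    $readme = isset( $_POST['readme_contents'] )
        ? wp_unslash( $_POST['readme_contents'] )
        : '';
    $report = '' === $readme
        ? ''
        : '<p>' . esc_html( rv_check_readme( $readme ) ) . '</p>';
    return $report . rv_render_form( $readme );
}
add_shortcode( 'rv_validator', 'rv_shortcode' );

// A shortcode runs while the page body is being rendered, after the
// response headers have already gone out, so calling header() inside it
// is too late. template_redirect fires after the main query is resolved
// and before any output, which is where a per-page header belongs.
add_action( 'template_redirect', function () {
    if ( is_page( 'readme-validator' ) ) {
        header( 'X-XSS-Protection: 0' );
    }
} );
```

Two caveats a practitioner would want: the header only suppresses the auditor's false-positive block and adds no protection of its own, so it must never be used in place of the esc_textarea() call; and Chrome removed the XSS Auditor entirely in version 78, so in current Chrome the header is a no-op and the escaping is the only thing that matters.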