[wp-trac] [WordPress Trac] #58765: the_block_template_skip_link() - XSS vulnerability - Apply FIX
WordPress Trac
noreply at wordpress.org
Sat Jul 8 12:07:38 UTC 2023
#58765: the_block_template_skip_link() - XSS vulnerability - Apply FIX
--------------------------+-------------------------------
Reporter: micromadness | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 6.2.2
Severity: normal | Keywords: changes-requested
Focuses: |
--------------------------+-------------------------------
Dear people at WordPress,
I have already reported this problem on HackerOne, it has been reviewed by
a member of the WordPress security team, and they asked me to publish the
issue here.
Issue:
I would like to implement on my website the CSP (Content Security Policy):
require-trusted-types-for 'script';
If I do it, I get the following error message in the browser Console:
“This document requires TrustedHTML assignment”
because “innerHTML” is used in this script: the_block_template_skip_link()
Impact:
DOM XSS
FIX: in the script, replace "innerHTML" with "innerText" and the skiplink
will still work.
I have done that on my own homepage:
remove_action( 'wp_footer', 'the_block_template_skip_link' );
and then I have added the skiplink again, replacing "innerHTML" with
"innerText" in the script.
The code works (used theme: Twenty Twenty-Three).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58765>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
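The change the ticket asks for, as an added example that is not WordPress core code and not the reporter's patched script: the skip link built from text-only DOM sinks, which a page enforcing `require-trusted-types-for 'script'` accepts without any Trusted Types policy, next to the innerHTML form that trips the enforcement error. The target id `main-content`, the label, and the small in-memory DOM stand-in are constructed so the example runs offline under Node; in a browser the same builder takes `document`.

```javascript
// Added example, not WordPress core code: the skip link built with text-only
// DOM sinks, which is what `require-trusted-types-for 'script'` allows without
// a Trusted Types policy. The target id 'main-content' and the in-memory DOM
// stand-in below are constructed so the example runs offline under Node.

// Constructed stand-in for the browser DOM. Browsers supply document.createElement;
// here assigning innerHTML throws, mimicking the enforcement error the ticket
// reports ("This document requires TrustedHTML assignment").
class FakeElement {
  constructor(tagName) {
    this.tagName = tagName.toUpperCase();
    this.attributes = {};
    this.textContent = '';
    this.children = []; // element children; text sinks never add any
    const classes = new Set();
    this.classList = {
      add: (...names) => names.forEach((n) => classes.add(n)),
      contains: (n) => classes.has(n),
    };
  }
  setAttribute(name, value) { this.attributes[name] = String(value); }
  getAttribute(name) { return name in this.attributes ? this.attributes[name] : null; }
  set innerHTML(markup) {
    throw new TypeError('This document requires TrustedHTML assignment');
  }
}
const fakeDocument = { createElement: (tag) => new FakeElement(tag) };

// The shape of the problem: the label flows through innerHTML, an HTML sink.
// Under Trusted Types enforcement this throws before anything renders; on a
// page without the CSP the label is parsed as HTML.
function buildSkipLinkWithInnerHTML(doc, targetId, label) {
  const link = doc.createElement('a');
  link.classList.add('skip-link', 'screen-reader-text');
  link.setAttribute('href', '#' + targetId);
  link.innerHTML = label;
  return link;
}

// The fixed shape: the same element built from text-only sinks. textContent
// serves the same purpose as the ticket's innerText but does not force layout;
// any markup characters in the label remain literal text.
function buildSkipLink(doc, targetId, label) {
  const link = doc.createElement('a');
  link.classList.add('skip-link', 'screen-reader-text');
  link.setAttribute('href', '#' + targetId);
  link.textContent = label;
  return link;
}

// Returns true when a Trusted Types enforcing page would reject the builder,
// i.e. when it reaches an HTML sink with a plain string.
function violatesTrustedTypes(builder, doc, targetId, label) {
  try {
    builder(doc, targetId, label);
    return false;
  } catch (err) {
    return err instanceof TypeError && /TrustedHTML/.test(err.message);
  }
}

// Stand-alone run against the constructed DOM. In a browser, pass `document`
// and append the result to document.body the way the footer script does.
const label = '<b>Skip</b> to content'; // constructed label with markup characters
const fixed = buildSkipLink(fakeDocument, 'main-content', label);
console.log('href:', fixed.getAttribute('href'));
console.log('text stays literal:', fixed.textContent === label);
console.log('innerHTML variant rejected:',
  violatesTrustedTypes(buildSkipLinkWithInnerHTML, fakeDocument, 'main-content', label));
console.log('textContent variant rejected:',
  violatesTrustedTypes(buildSkipLink, fakeDocument, 'main-content', label));
```

The check worth keeping from this is the last one: a builder that only touches `textContent`, `setAttribute` and `classList` never reaches an HTML sink, so it needs no Trusted Types policy and the CSP can stay at its strictest setting.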