[wp-trac] [WordPress Trac] #58765: the_block_template_skip_link() - XSS vulnerability - Apply FIX

WordPress Trac noreply at wordpress.org
Sat Jul 8 15:25:45 UTC 2023


#58765: the_block_template_skip_link() - XSS vulnerability - Apply FIX
--------------------------+------------------------------
 Reporter:  micromadness  |       Owner:  (none)
     Type:  enhancement   |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Security      |     Version:  5.8
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:
--------------------------+------------------------------
Changes (by sabernhardt):

 * keywords:  changes-requested => has-patch
 * version:  6.2.2 => 5.8


Old description:

> Dear people at WordPress,
>
> I have already reported this problem on HackerOne, it has been reviewed
> by a member of the WordPress security team, and they asked me to publish
> the issue here.
>
> Issue:
>
> I would like to implement on my website the CSP (Content Security
> Policy): require-trusted-types-for 'script';
>
> If I do it, I get the following error message in the browser Console:
> “This document requires TrustedHTML assignment”
> because “innerHTML” is used in this script:
> the_block_template_skip_link()
>
> Impact
> DOM XSS
>
> FIX: in the script, replace "innerHTML" with "innerText" and the skiplink
> will still work.
>
> I have done that on my own homepage:
> remove_action( 'wp_footer', 'the_block_template_skip_link' );
>
> and then I have added the skiplink again, replacing "innerHTML" with
> "innerTEXT" in the script.
>
> The code works (used theme: Twenty Twenty-Three).

New description:

 Dear people at WordPress,

 I have already reported this problem on HackerOne, it has been reviewed by
 a member of the WordPress security team, and they asked me to publish the
 issue here.

 Issue:

 I would like to implement on my website the CSP (Content Security Policy):
 require-trusted-types-for 'script';

 If I do it, I get the following error message in the browser Console:
 “This document requires TrustedHTML assignment”
 because “innerHTML” is used in this script:
 `the_block_template_skip_link()`

 Impact
 DOM XSS

 FIX: in the script, replace "innerHTML" with "innerText" and the skiplink
 will still work.

 I have done that on my own homepage:
 `remove_action( 'wp_footer', 'the_block_template_skip_link' );`

 and then I have added the skiplink again, replacing "innerHTML" with
 "innerText" in the script.

 The code works (used theme: Twenty Twenty-Three).

--

Comment:

 Hi and thanks for the report!

 `innerText` would not work with HTML entities, but I did not find any in
 the 93
 [https://translate.wordpress.org/projects/wp/dev/en-gb/default/?filters%5Boriginal_id%5D=2486 existing translations]
 (see "Other locales" tab). The translator comment could let people know to
 avoid them for any future translations.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/58765#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
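
The entity caveat raised in the comment above, as an added example that is not code from the ticket or from WordPress core: a skip link built with `textContent` (no `innerHTML`, so no TrustedHTML assignment is needed), with a small decoder so a translated label containing entities still renders correctly. The function names, the sample labels and the `main-content` target id are assumptions made for illustration.

```javascript
// Added example (hypothetical helper names; sample labels are constructed).

// Named entities a short UI label might plausibly contain.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

// Decode numeric entities and a small allow-list of named ones without
// handing the string to an HTML parser. Unknown or invalid entities are
// left exactly as written.
function decodeEntities(text) {
  return text.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-z]+);/g, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
  });
}

// Build the link using text-only assignment. textContent on an anchor is
// not a Trusted Types sink, so this runs under
// require-trusted-types-for 'script' without a policy.
function buildSkipLink(doc, label, targetId) {
  const link = doc.createElement('a');
  link.className = 'skip-link screen-reader-text';
  link.href = '#' + targetId;
  // Any markup in the label, decoded or not, stays inert text.
  link.textContent = decodeEntities(label);
  return link;
}

// In a browser, insert the link at the top of the page.
if (typeof document !== 'undefined') {
  document.body.prepend(buildSkipLink(document, 'Skip to content', 'main-content'));
}
```
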

