[wp-meta] [Making WordPress.org] #3230: submitting HTML to the plugin readme validator causes Chrome to ERR_BLOCKED_BY_XSS_AUDITOR
Making WordPress.org
noreply at wordpress.org
Thu Oct 26 23:26:50 UTC 2017
#3230: submitting HTML to the plugin readme validator causes Chrome to
ERR_BLOCKED_BY_XSS_AUDITOR
------------------------------+-----------------
Reporter: benlk | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Plugin Directory | Keywords:
------------------------------+-----------------
After discussion on HackerOne (ticket
[https://hackerone.com/bugs?report_id=277012 277012]), @ocean90 and
@johnbillion determined that meta.trac.wordpress.org is the proper venue
for reporting this bug.
https://wordpress.org/plugins/developers/readme-validator/ has a feature
that allows users to paste in the contents of a readme.txt file for
validation. Upon submission, the user is sent to a page that contains an
evaluation of the pasted text and the pasted text as the value of a
textarea.
If the submitted text contains unescaped HTML, Chrome will refuse to
display the page, giving an ERR_BLOCKED_BY_XSS_AUDITOR page. In the Chrome
dev tools console, the following information is provided:
> The XSS Auditor blocked access to
> 'https://wordpress.org/plugins/developers/readme-validator/' because the
> source code of a script was found within the request. The auditor was
> enabled as the server did not send an 'X-XSS-Protection' header.
If the submitted text is resubmitted with all HTML tags removed, Chrome
does not trip that error. Firefox and Safari didn't complain for either
submission; I haven't yet tested with any version of IE. This looks like a
Blink-specific feature that detects HTML in the response that matches HTML
in the POST.
The error is not caused by the presence of valid PHP code on the page.
The text that was pasted, causing this error, can be found in
https://raw.githubusercontent.com/INN/news-match-popup-plugin/f1ba1d3521985255657b2f6a31b71d8f66d20823/readme.txt
The Chrome version in question was 61.0.3163.100 on OSX
In response to the HackerOne filing, @ocean90 wrote:
> Hello @benlk, thanks for your report. This looks like a false positive.
> The code for the validator can be found here
> https://meta.trac.wordpress.org/browser/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-readme-validator.php?rev=5333&marks=32#L7
> The input is escaped with esc_textarea().
I replied noting that it didn't affect Safari or Firefox, and added:
> Would you consider adding the `X-XSS-Protection` header to the page, and
> setting its value to `0` to disable the XSS auditor on this page? I'm not
> sure if it would work on that page because of how the validator is
> implemented as a shortcode, though.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/3230>
Making WordPress.org <https://meta.trac.wordpress.org/>
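The ticket's open question is whether the `X-XSS-Protection: 0` header can be sent for a page whose content is produced by a shortcode. The following is an added illustration, not code from the wordpress.org plugin-directory plugin or from the ticket: a shortcode callback runs during template rendering, after the response headers have already been flushed, so the header has to be attached earlier. WordPress applies the `wp_headers` filter in `WP::send_headers()` before any template output, which is early enough. The request-path string, the hook priority and the helper names below are assumptions; the reflection helper only mirrors the shape of the textarea output the ticket describes.

```php
<?php
/**
 * Added example (not the wordpress.org plugin-directory code): send
 * "X-XSS-Protection: 0" for the readme-validator page only, so Chrome's
 * auditor does not block the page when pasted HTML is reflected back
 * (already escaped) inside the result textarea.
 *
 * The 'wp_headers' filter runs in WP::send_headers() before the template
 * loads, so it is not affected by the validator being a shortcode, which
 * only executes once output has started.
 */
add_filter( 'wp_headers', function ( array $headers, WP $wp ) {
	// Assumption: the validator page resolves to this request path
	// (WP::$request holds the matched path without surrounding slashes).
	if ( 'plugins/developers/readme-validator' === $wp->request ) {
		// "0" turns the auditor off. "1; mode=block" would keep the
		// false positive, since the auditor would still inspect the
		// response; it only changes what happens on a match.
		$headers['X-XSS-Protection'] = '0';
	}
	return $headers;
}, 10, 2 );

/**
 * Shape of the reflection the ticket describes (assumed, simplified).
 * esc_textarea() converts <, >, &, and quotes to entities, so the markup
 * cannot break out of the textarea. The auditor still trips because the
 * escaped text resembles the markup that was POSTed, which is why a
 * header, not more escaping, is the appropriate fix here.
 */
function example_readme_validator_textarea( string $submitted ): string {
	return '<textarea name="readme_contents" rows="20" cols="100">'
		. esc_textarea( $submitted )
		. '</textarea>';
}
```

Dropping the filter into a must-use plugin (or the plugin-directory plugin's bootstrap) is enough; no change to the shortcode class is needed. The header should stay scoped to this one page: disabling the auditor site-wide removes a browser-side mitigation everywhere for the sake of a single known false positive.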