[wp-trac] [WordPress Trac] #54893: wp_set_script_translations() accepts and evaluates <script> tag included in JSON
WordPress Trac
noreply at wordpress.org
Mon Jan 24 16:01:58 UTC 2022
#54893: wp_set_script_translations() accepts and evaluates <script> tag included in
JSON
------------------------------+-----------------------------
Reporter: Takahashi_Fumiki | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: trunk
Severity: normal | Keywords: needs-patch
Focuses: javascript |
------------------------------+-----------------------------
**NOTE**
> This ticket was **already posted on May 22nd 2020 to hackerone.com** as
`#880749` and reviewed by the security team.
> I've created this ticket for public hardening under their instruction.
== Description:
`wp_set_script_translations` is a function that provides translation
strings for the [@wordpress/i18n](https://developer.wordpress.org/block-editor/packages/packages-i18n/) library. The JSON is output just
before the targeted script without checking for the string `<script>` in the JSON
file. As a result, a cracker can inject and execute any JavaScript.
== Steps To Reproduce:
1. Create a small plugin or theme which uses `my-script.js` and the text
domain `my-theme`.
1. Create `my-theme.pot` and translate it in `ja.po`, which includes a string
like `</script><script>alert('Hacked!')</script>`.
1. Convert `ja.po` to the JSON file `my-theme-ja-my-script.json` via jed
https://www.npmjs.com/package/jed
1. Execute `wp_set_script_translations( 'my-script', 'my-theme',
get_template_directory() . '/languages' )`.
1. Enqueue `my-script.js` anywhere in the site.
=== my-theme/functions.php
{{{
<?php
/**
 * Theme's bootstrap file.
 */
// Enqueue the script and point WordPress at the theme's translation JSON
// (the text domain must match the one used in the .po/.json file names).
add_action( 'wp_enqueue_scripts', function() {
	wp_enqueue_script( 'my-script', get_theme_file_uri( 'my-script.js' ), [
		'jquery', 'wp-i18n' ], '1.0.0', true );
	wp_set_script_translations( 'my-script', 'my-theme',
		get_template_directory() . '/languages' );
} );
}}}
=== my-theme/my-script.js
{{{
/**
 * JavaScript utility for the theme.
 * `$.doSomething()` and `display()` stand in for the theme's own code.
 */
const { __ } = wp.i18n;
const $ = jQuery;
$( '.button' ).click( function() {
	$.doSomething().then( () => {
		// The translated string comes verbatim from the loaded translation JSON.
		display( __( 'Thank you so much!', 'my-theme' ) );
	} );
} );
}}}
=== my-theme/languages/my-theme-ja-my-script.json
{{{
{
    "domain": "messages",
    "locale_data": {
        "messages": {
            "": {
                "domain": "messages",
                "plural_forms": "nplurals=1; plural=0;",
                "lang": "ja"
            },
            "Thank you so much!": ["ありがとうございます! </script><script>alert('You are hacked!')</script>"]
        }
    }
}
}}}
== Recommendations
Escape the string `</script>` in the JSON.
== Impact
* Attackers can inject any JavaScript code they like.
* Translation files can be provided by third parties (e.g. voluntary
contributors), but it is hard to tell whether they are correct because they
are written in languages foreign to the original authors.
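Added example for this ticket (it is not the reporter's code and not WordPress core): a plain-PHP reproduction of the breakout with a hardened variant beside it. `print_translations_unsafe()` is a simplified, assumed stand-in for how the translation JSON gets printed inline before the script; `print_translations_safe()` decodes the file and re-encodes it with `JSON_HEX_TAG`, so every `<` and `>` becomes `\u003C`/`\u003E`, the HTML tokenizer can no longer find `</script` inside the string, and the JavaScript engine still decodes the same characters. The function names, the inline-script shape and `script_end_tags()` (a crude model of the tokenizer's script-data state) are assumptions for this example; the translation payload is constructed from the ticket's JSON.

```php
<?php
// Added example for ticket #54893; not WordPress core code. Needs PHP 7.3+ (JSON_THROW_ON_ERROR).

// Constructed translation JSON, mirroring my-theme-ja-my-script.json from the ticket.
const TRANSLATION_JSON = <<<'JSON'
{"domain":"messages","locale_data":{"messages":{
 "":{"domain":"messages","plural_forms":"nplurals=1; plural=0;","lang":"ja"},
 "Thank you so much!":["ありがとうございます! </script><script>alert('You are hacked!')</script>"]
}}}
JSON;

/**
 * Vulnerable shape (simplified, assumed for this example): the file content is
 * pasted verbatim into an inline <script>. Nothing here is a real WordPress function.
 */
function print_translations_unsafe( string $json, string $domain ): string {
	return "<script>\n"
		. "var translations = " . $json . ";\n"
		. "wp.i18n.setLocaleData( translations.locale_data.messages, " . json_encode( $domain ) . " );\n"
		. "</script>\n";
}

/**
 * Hardened shape: decode, then re-encode with JSON_HEX_TAG (and JSON_HEX_AMP),
 * turning '<', '>' and '&' into \u003C, \u003E and \u0026. The emitted JSON text
 * then contains no "</" sequence, so the HTML parser cannot end the script element
 * early; JavaScript decodes the escapes back to the original characters.
 */
function print_translations_safe( string $json, string $domain ): string {
	$data  = json_decode( $json, true, 512, JSON_THROW_ON_ERROR );
	$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_UNESCAPED_UNICODE;
	return "<script>\n"
		. "var translations = " . json_encode( $data, $flags ) . ";\n"
		. "wp.i18n.setLocaleData( translations.locale_data.messages, " . json_encode( $domain, $flags ) . " );\n"
		. "</script>\n";
}

/**
 * Crude model of the HTML tokenizer's "script data" state: a script element ends
 * at the first "</script" (case-insensitive) after its start tag, regardless of
 * the JavaScript grammar. Any occurrence beyond the one closing tag we emit
 * ourselves means the embedded JSON broke out of the element.
 */
function script_end_tags( string $html ): int {
	return preg_match_all( '#</script#i', $html );
}

$unsafe = print_translations_unsafe( TRANSLATION_JSON, 'my-theme' );
$safe   = print_translations_safe( TRANSLATION_JSON, 'my-theme' );

if ( script_end_tags( $unsafe ) <= 1 ) {
	throw new RuntimeException( 'expected the raw JSON to break out of the script element' );
}
if ( script_end_tags( $safe ) !== 1 ) {
	throw new RuntimeException( 'hardened output must contain only the closing tag we emitted' );
}

// The escaping is lossless: decoding the hardened JSON yields the same translations.
$original  = json_decode( TRANSLATION_JSON, true, 512, JSON_THROW_ON_ERROR );
$roundtrip = json_decode(
	json_encode( $original, JSON_HEX_TAG | JSON_HEX_AMP | JSON_UNESCAPED_UNICODE ),
	true, 512, JSON_THROW_ON_ERROR
);
if ( $roundtrip !== $original ) {
	throw new RuntimeException( 'escaped JSON must decode to the same translations' );
}

echo "raw JSON:      ", script_end_tags( $unsafe ), " occurrence(s) of \"</script\"\n";
echo "hardened JSON: ", script_end_tags( $safe ), " occurrence(s) of \"</script\"\n";
```

Run it with `php example.php`; the raw output contains the two `</script` sequences from the translation string plus the real closing tag, while the hardened output contains only the closing tag. Escaping `<` also neutralises `<!--`, which the HTML tokenizer treats specially inside script data. If you do not want to decode and re-encode the file, replacing `</` with `<\/` in the serialized text is an equivalent minimal fix, since `\/` is a legal JSON escape for `/`; either way the defence belongs where the JSON is printed into HTML, not in the translation files, which the ticket notes come from third parties.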
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54893>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac mailing list