[wp-trac] [WordPress Trac] #54893: wp_set_script_translations() accepts and evaluates <script> tag included in JSON
WordPress Trac
noreply at wordpress.org
Mon Jan 24 20:21:49 UTC 2022
#54893: wp_set_script_translations() accepts and evaluates <script> tag included in JSON
------------------------------+------------------------------
Reporter: Takahashi_Fumiki | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: needs-patch | Focuses: javascript
------------------------------+------------------------------
Comment (by kittmedia):
Replying to [comment:3 juliobox]:
> It sounds like a simple i18n check for me.
> If we agree that this is a vulnerability, so, `__()` also contains the same one.
> `__( 'hello', 'myplugin' )`
> Will be translated as "**salut<script>alert(/xss/)</script>**" in my French translation file `.mo`
> So now, we're on the same boat… or not?
I think the difference here is that, in PHP, you have sanitizing functions for this like `esc_html__()` but for script translations, you don’t.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54893#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
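To illustrate the gap kittmedia points out, here is an added example (not WordPress core code and not part of the ticket): it models a Jed-style translation catalog of the kind wp_set_script_translations() loads, a stand-in for wp.i18n.__(), an escaping step that plays the role esc_html__() plays on the PHP side, and an audit that flags catalog entries containing markup. The catalog layout and the translate/escapeHtml/findMarkupInCatalog names are assumptions for this example.

```javascript
// Constructed translation catalog in Jed 1.x layout (assumed format for the
// .json files wp_set_script_translations() registers). The "hello" entry is
// a deliberately tampered value mirroring the one quoted in the ticket.
const catalog = {
  domain: "messages",
  locale_data: {
    messages: {
      "": { domain: "messages", lang: "fr_FR", "plural-forms": "nplurals=2; plural=(n > 1);" },
      "hello": ["salut<script>alert(/xss/)</script>"],
      "goodbye": ["au revoir"],
    },
  },
};

// Minimal stand-in for wp.i18n.__(): returns the first translated form, or
// the original string when the catalog has no entry.
function translate(cat, text) {
  const entry = cat.locale_data.messages[text];
  return Array.isArray(entry) && entry[0] ? entry[0] : text;
}

// Escape for an HTML text context: the JS counterpart of esc_html__() that the
// comment above says is missing for script translations.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe path: the translated text is concatenated straight into markup, so a
// tampered catalog entry becomes live HTML.
function renderUnsafe(cat, text) {
  return `<p>${translate(cat, text)}</p>`;
}

// Safe path: escape before the translated string becomes part of markup.
function renderSafe(cat, text) {
  return `<p>${escapeHtml(translate(cat, text))}</p>`;
}

// Audit: list msgids whose translated forms contain a tag, so a tampered or
// careless catalog is caught at build/review time rather than in the browser.
function findMarkupInCatalog(cat) {
  const tagLike = /<\s*\/?[a-z][^>]*>/i;
  return Object.entries(cat.locale_data.messages)
    .filter(([msgid, forms]) => msgid !== "" && forms.some((f) => tagLike.test(f)))
    .map(([msgid]) => msgid);
}
```

Running findMarkupInCatalog over the constructed catalog reports only "hello"; renderSafe turns that entry into inert text while renderUnsafe emits the tag verbatim.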