[wp-trac] [WordPress Trac] #54893: wp_set_script_translations() accepts and evaluates <script> tag included in JSON

WordPress Trac noreply at wordpress.org
Mon Jan 24 20:21:49 UTC 2022


#54893: wp_set_script_translations() accepts and evaluates <script> tag included in
JSON
------------------------------+------------------------------
 Reporter:  Takahashi_Fumiki  |       Owner:  (none)
     Type:  defect (bug)      |      Status:  new
 Priority:  normal            |   Milestone:  Awaiting Review
Component:  General           |     Version:
 Severity:  normal            |  Resolution:
 Keywords:  needs-patch       |     Focuses:  javascript
------------------------------+------------------------------

Comment (by kittmedia):

 Replying to [comment:3 juliobox]:
 > It sounds like a simple i18n check for me.
 > If we agree that this is a vulnerability, so, `__()` also contains the
 > same one.
 > `__( 'hello', 'myplugin' )`
 > Will be translated as "**salut<script>alert(/xss/)</script>**" in my
 > French translation file `.mo`
 > So now, we're on the same boat… or not?

 I think the difference here is that, in PHP, you have sanitizing functions
 for this like `esc_html__()` but for script translations, you don’t.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/54893#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
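The distinction drawn in the comment above, shown as an added example (not code from WordPress core, from the ticket, or from either commenter): a constructed translation JSON in the `locale_data` layout WordPress writes for `wp_set_script_translations()`, where the French entry carries the same markup as the `.mo` example in the thread. `loadTranslations` is a hypothetical stand-in that only mirrors the lookup shape of `wp.i18n`'s `__()`, and `escapeHtml` / `escHtml__` are hypothetical helpers playing the role that `esc_html__()` plays in PHP; `renderUnsafe` and `renderSafe` are the two sinks a plugin might use.

```javascript
// Added example; not WordPress code. Constructed translation file in the
// JED 1.x "locale_data" shape that wp_set_script_translations() loads.
// The "hello" entry deliberately carries markup, as in the ticket.
const translationJson = JSON.stringify({
  "translation-revision-date": "2022-01-24 20:00+0000",
  "generator": "constructed-for-example",
  "domain": "messages",
  "locale_data": {
    "messages": {
      "": { "domain": "messages", "lang": "fr_FR", "plural-forms": "nplurals=2; plural=n > 1;" },
      "hello": ["salut<script>alert(/xss/)</script>"],
      "Save": ["Enregistrer"]
    }
  }
});

// Hypothetical minimal lookup standing in for wp.i18n's __(): it returns
// the first translation string if present, else the original text.
function loadTranslations(json) {
  const data = JSON.parse(json).locale_data.messages;
  return function __(text) {
    const entry = data[text];
    return Array.isArray(entry) && entry[0] ? entry[0] : text;
  };
}

// Hypothetical JS counterpart of PHP's esc_html(): escape the five
// characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical esc_html__()-style wrapper: translate, then escape.
function escHtml__(__, text) {
  return escapeHtml(__(text));
}

// Unsafe sink: the translated string is interpolated into markup that a
// plugin would hand to innerHTML, so markup from the .json file is live.
function renderUnsafe(__, text) {
  return `<p>${__(text)}</p>`;
}

// Safe sink: escape before interpolating (or assign via textContent).
function renderSafe(__, text) {
  return `<p>${escHtml__(__, text)}</p>`;
}

// Check used by the test: does a rendered fragment still carry a script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone run: show both sinks for the poisoned entry.
const __ = loadTranslations(translationJson);
console.log("unsafe:", renderUnsafe(__, "hello"));
console.log("safe:  ", renderSafe(__, "hello"));
```

The point the code makes is the one the comment makes: the translation file is untrusted input to the script, and whether its markup executes is decided entirely at the sink, so a plugin that builds HTML from `__()` output needs an escaping step of its own.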