Updates fix for stored cross-site scripting from 0.90.0, now applied to all tags. #526
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
klemens-st
approved these changes
Dec 16, 2024
There was a problem hiding this comment.
Yes, this is not a major threat as discussed before.
I honestly think nobody uses LCP with script as tag so we can remove it. If anybody asks to put it back we can add the option you mentioned and make it available for users above Contributor, because all these supposed security threats arise from the fact Contributors can use shortcodes but cannot use <script>.
Comment on lines
+32
to
+40
| # Security vulnerability fix for Stored Cross-Site Scripting | ||
| # If a field stores some malicious JavaScript, it could be displayed with the 'script' tag, so | ||
| # that tag needs to be excluded. | ||
| # e.g. If a post has this excerpt: alert(/XSS/) another post could use: | ||
| # [catlist excerpt_tag='script' excerpt=yes] | ||
| # and the XSS would be triggered. | ||
| if ( $tag == 'script' ) { | ||
| $tag = null; | ||
| } |
There was a problem hiding this comment.
I think it's a matter of preference (or style) which method this should belong to and it's perfectly fine to have it here.
|
Thank you @klemens-st! |
…to all tags. Bumps version to 0.90.2
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bumps version to 0.90.2
@klemens-st Another way to trigger an XSS with
scriptwas reported for different fields. As we've talked before, the vulnerabilites are present when WordPress has already been compromised, since the malintentioned user would need permision to publish content on the system to trigger them. But if it helps keeping a site safer, then why not... 🤷Ideally I think it's up to the users to use or not use
<script>with the plugin, so eventually we could make this optional (warning the users they should really know what they're doing if they want to allow it). But I think it's also ok not to support thescripttag.I think this is the best place in the code to remove support for
<script>since it's the functionwrapuses, and the timesto_htmlis used in other places seems to be safe. Let me know what you think.