Making WordPress.org

Opened 7 weeks ago

#3230 new defect

submitting HTML to the plugin readme validator causes Chrome to ERR_BLOCKED_BY_XSS_AUDITOR

Reported by: benlk
Owned by:
Milestone:
Priority: normal
Component: Plugin Directory
Keywords:
Cc:

Description

After discussion on HackerOne (ticket 277012), @ocean90 and @johnbillion determined that meta.trac.wordpress.org is the proper venue for reporting this bug.

https://wordpress.org/plugins/developers/readme-validator/ has a feature that allows users to paste in the contents of a readme.txt file for validation. Upon submission, the user is sent to a page that contains an evaluation of the pasted text and the pasted text as the value of a textarea.

If the submitted text contains unescaped HTML, Chrome will refuse to display the page, giving an ERR_BLOCKED_BY_XSS_AUDITOR page. In the Chrome dev tools console, the following information is provided:

The XSS Auditor blocked access to 'https://wordpress.org/plugins/developers/readme-validator/' because the source code of a script was found within the request. The auditor was enabled as the server did not send an 'X-XSS-Protection' header.

If the submitted text is resubmitted with all HTML tags removed, Chrome does not trip that error. Firefox and Safari didn't complain for either submission; I haven't yet tested with any version of IE. This looks like a Blink-specific feature that detects HTML in the response that matches HTML in the POST.

The error is not caused by the presence of valid PHP code on the page.

The text that was pasted, causing this error, can be found in https://raw.githubusercontent.com/INN/news-match-popup-plugin/f1ba1d3521985255657b2f6a31b71d8f66d20823/readme.txt

The Chrome version in question was 61.0.3163.100 on OSX.

In response to the HackerOne filing, @ocean90 wrote:

Hello @benlk, thanks for your report. This looks like a false positive.

The code for the validator can be found here https://meta.trac.wordpress.org/browser/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-readme-validator.php?rev=5333&marks=32#L7. The input is escaped with esc_textarea().

I replied noting that it didn't affect Safari or Firefox, and added:

Would you consider adding the X-XSS-Protection header to the page, and setting its value to 0 to disable the XSS auditor on this page? I'm not sure if it would work on that page because of how the validator is implemented as a shortcode, though.
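The header the ticket asks about cannot be emitted from inside a shortcode callback, because shortcodes run while the page body is already being built and PHP has by then started output. The following is an added illustration, not code from the WordPress.org meta repository or from the reporter: a hypothetical mu-plugin that sends `X-XSS-Protection: 0` for the validator page on the `send_headers` action (which fires before any output), alongside a minimal shortcode showing the `esc_textarea()` reflection pattern the ticket says the real validator already uses. The page slug `readme-validator` and the shortcode name `demo_reflect_readme` are assumptions; the header only turns off Chrome's auditor for that one page, while the actual defence against reflected markup remains the server-side escaping.

```php
<?php
/**
 * Plugin Name: Readme validator XSS-Auditor opt-out (illustrative example)
 *
 * Hypothetical mu-plugin written for this ticket discussion; it is not part
 * of the wordpress.org plugin-directory code.
 *
 * Assumptions (labelled as such):
 *  - the validator page's slug is 'readme-validator' (taken from the URL in
 *    the ticket; adjust if the real slug differs);
 *  - the page is served by a normal front-end WP request, so the
 *    send_headers action fires before any shortcode output.
 */

add_action( 'send_headers', function () {
	// A shortcode callback runs too late to add an HTTP header; send_headers
	// fires after the query is parsed and before any body output, so the
	// conditional tag is usable here and headers_sent() is still false.
	if ( is_page( 'readme-validator' ) && ! headers_sent() ) {
		// Disable Chrome's XSS Auditor for this page only, so that legitimate
		// reflected (and escaped) readme text is not blocked as a false positive.
		header( 'X-XSS-Protection: 0' );
	}
} );

/**
 * Minimal reflected-textarea shortcode (hypothetical name) showing the
 * escaping pattern described in the ticket: user input echoed inside a
 * <textarea> goes through esc_textarea(), which entity-encodes <, >, &
 * and quotes so the browser never parses the submitted markup as HTML.
 */
add_shortcode( 'demo_reflect_readme', function () {
	$submitted = isset( $_POST['readme_contents'] )
		? wp_unslash( $_POST['readme_contents'] )
		: '';

	return '<form method="post">'
		. '<textarea name="readme_contents" rows="10" cols="80">'
		. esc_textarea( $submitted )
		. '</textarea>'
		. '<p><input type="submit" value="Validate" /></p>'
		. '</form>';
} );
```

Dropped into `wp-content/mu-plugins/`, the first hook answers the reporter's question about the shortcode: the header is decided per request from the queried page, independent of where the shortcode sits in the content. Without the escaping in the second block the header would be actively harmful, since it removes the browser-side filter; with it, the header only stops the auditor from blocking a page whose reflected content is already inert.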

Change History (0)
