Making WordPress.org

Opened 5 months ago

Closed 8 weeks ago

#3230 closed defect (fixed)

submitting HTML to the plugin readme validator causes Chrome to ERR_BLOCKED_BY_XSS_AUDITOR

Reported by: benlk
Owned by: obenland
Milestone:
Priority: normal
Component: Plugin Directory
Keywords:

After discussion on HackerOne (ticket 277012), @ocean90 and @johnbillion determined that meta.trac.wordpress.org is the proper venue for reporting this bug.

https://wordpress.org/plugins/developers/readme-validator/ has a feature that allows users to paste in the contents of a readme.txt file for validation. Upon submission, the user is sent to a page that contains an evaluation of the pasted text and the pasted text as the value of a textarea.

If the submitted text contains unescaped HTML, Chrome will refuse to display the page, giving an ERR_BLOCKED_BY_XSS_AUDITOR page. In the Chrome dev tools console, the following information is provided:

The XSS Auditor blocked access to 'https://wordpress.org/plugins/developers/readme-validator/' because the source code of a script was found within the request. The auditor was enabled as the server did not send an 'X-XSS-Protection' header.

If the submitted text is resubmitted with all HTML tags removed, Chrome does not trip that error. Firefox and Safari didn't complain for either submission; I haven't yet tested with any version of IE. This looks like a Blink-specific feature that detects HTML in the response that matches HTML in the POST.

The error is not caused by the presence of valid PHP code on the page.

The text that was pasted, causing this error, can be found in https://raw.githubusercontent.com/INN/news-match-popup-plugin/f1ba1d3521985255657b2f6a31b71d8f66d20823/readme.txt

The Chrome version in question was 61.0.3163.100 on OSX.

In response to the HackerOne filing, @ocean90 wrote:

Hello @benlk, thanks for your report. This looks like a false positive.

The code for the validator can be found here https://meta.trac.wordpress.org/browser/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-readme-validator.php?rev=5333&marks=32#L7. The input is escaped with esc_textarea().

I replied noting that it didn't affect Safari or Firefox, and added:

Would you consider adding the X-XSS-Protection header to the page, and setting its value to 0 to disable the XSS auditor on this page? I'm not sure if it would work on that page because of how the validator is implemented as a shortcode, though.
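Added illustration of the two mitigations discussed in this ticket; it is not code from wordpress.org, from Chrome, or from changeset 6479. It uses a deliberately simplified request/response matcher (an assumption, not Chrome's real auditor algorithm), a stand-in for WordPress's esc_textarea(), and base64 as one possible "encode before submitting" scheme (the ticket does not say which encoding the fix used).

```javascript
// Toy model of a reflected-script heuristic plus the "encode before submitting"
// approach. Shows why correctly escaped output can still trip a matcher that
// compares request and response, and how pre-encoding the POST body avoids it.
// ASSUMPTIONS: escTextarea imitates WordPress esc_textarea(); toyAuditorBlocks is
// a simplification, not Chrome's algorithm; base64 is one possible encoding.

const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
const UNENTITY = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#039;': "'" };

// Server side: escape the submitted readme for reflection inside a <textarea>.
function escTextarea(text) {
  return text.replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// Server side: the validator result page echoes the submission in a textarea.
function renderResultPage(readme) {
  return `<textarea name="readme">${escTextarea(readme)}</textarea>`;
}

// Toy matcher: does script source present in the request body also appear in
// the response once entities are decoded? Escaping does not change the answer,
// which is the false-positive shape the report describes.
function toyAuditorBlocks(requestBody, responseHtml) {
  const decoded = responseHtml.replace(/&(amp|lt|gt|quot|#039);/g, (m) => UNENTITY[m]);
  const scripts = requestBody.match(/<script[\s\S]*?<\/script>/gi) || [];
  return scripts.some((s) => decoded.includes(s));
}

// Client side: encode the readme so the POST body carries no literal markup.
function encodeForSubmit(readme) {
  return Buffer.from(readme, 'utf8').toString('base64');
}
// Server side: recover the original text before validating and rendering it.
function decodeSubmitted(encoded) {
  return Buffer.from(encoded, 'base64').toString('utf8');
}

// Constructed readme excerpt with inline markup, standing in for the real file.
const SAMPLE_README = '== Description ==\n<script>alert(1)</script>\nShows a popup.';

function demo() {
  const rawBody = 'readme=' + SAMPLE_README;                       // old form
  const encodedBody = 'readme=' + encodeForSubmit(SAMPLE_README);  // after fix
  const page = renderResultPage(decodeSubmitted(encodeForSubmit(SAMPLE_README)));
  return {
    blockedBefore: toyAuditorBlocks(rawBody, page),     // true: escaped, yet blocked
    blockedAfter: toyAuditorBlocks(encodedBody, page),  // false: no markup in request
    outputStillEscaped: !page.includes('<script>'),     // true: same safe output
  };
}
```

The other mitigation raised above, sending X-XSS-Protection: 0, disables the auditor for the page rather than changing what it sees in the request.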

Change History (1)

#1 @obenland
8 weeks ago

  • Owner set to obenland
  • Resolution set to fixed
  • Status changed from new to closed

In 6479:

Plugins: Encode readme data before submitting it

Props benlk.
Fixes #3230.
