fix(security): patch DOM-based XSS in bundled Featherlight (CVE-2024-5667)#80
Open
cpalexh wants to merge 3 commits into
…5667) Harden the Featherlight content filters so attacker-controlled attribute values (href, data-featherlight) can no longer execute script:
- image: assign the URL via .attr('src', url) instead of concatenating it into markup, preventing attribute breakout
- jquery: resolve via $(document).find(elem) so strings are treated as selectors, never parsed as HTML
- html: sanitize parsed markup, stripping inline event handlers, javascript: URLs and <script> tags
Applied to all served files (vendor sources + packed bundles). Bumps version to 1.3.5 (also busts the script enqueue cache).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
addCaptions() assigned caption markup via innerHTML (caption.html()), which executes inline event handlers (e.g. <img onerror>) and other script when a caption contains raw HTML. Parse the caption with $.parseHTML (keepScripts=false) and strip on* handlers and javascript: URLs before appending, matching the html content-filter hardening. Applied to the source (assets/plugin/js) and all built/minified bundles. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The CVE-2024-5667 content-filter hardening is retained in the packed bundles (wpFeatherlight.pkgd[.min].js) that WordPress actually enqueues by default. The standalone js/vendor/featherlight[.min].js copies are restored to upstream to keep the third-party library unmodified. Note: in SCRIPT_DEBUG/unpacked mode the unmodified vendor file loads, so that mode is not hardened; and a grunt rebuild regenerates the bundles from vendor and would drop the fix. Patch the dependency to make it durable. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Summary
Patches CVE-2024-5667 — an authenticated (Contributor+) stored DOM-based XSS via the bundled Featherlight library. Upstream Featherlight has no release that fixes this, so the bundled copy is hardened directly.
The Featherlight content filters turned attacker-controllable attribute values (`href`, `data-featherlight`) into live DOM. Three sinks are addressed:

- image: `<img>` was built by string-concatenating the URL (`$('<img src="'+url+'" …/>')`), allowing attribute breakout. Because the plugin auto-tags any image-extension `href` with `data-featherlight="image"`, a stored href like `x" onerror="alert(1)".jpg` executed. Now the URL is assigned via `.attr('src', url)`.
- jquery: `$(elem)` parsed selector strings containing `<…>` as HTML. Now resolved via `$(document).find(elem)`, so input is only ever treated as a selector.
- html: `$(html)` rendered raw attacker markup. Now parsed with `$.parseHTML(html, document, false)` (drops `<script>`) and sanitized to strip inline event handlers (`on*`) and `javascript:` URLs.

Changes
- `js/vendor/featherlight.js`, `js/vendor/featherlight.min.js`, `js/wpFeatherlight.pkgd.js`, `js/wpFeatherlight.pkgd.min.js` (the last is the default production bundle).
- `1.3.4` → `1.3.5` (`wp-featherlight.php`, `includes/class-plugin.php`, `readme.txt`) — this also busts the script enqueue cache so clients fetch the patched JS.
- `CHANGELOG.md` and `readme.txt`.

Note for maintainers
`grunt build:js` copies Featherlight from `node_modules/featherlight/src/` into `js/vendor/` and regenerates the `.pkgd` bundles, so a rebuild will overwrite this patch. To keep the fix durable, the dependency itself should be patched (e.g. patch-package, a pinned fork, or a post-build step). The shipped files were edited directly since no build toolchain is required to verify the fix.

Testing
`onerror`/`onload`/`ONCLICK` and tab-obfuscated `javascript:` URLs while preserving `src`, `alt`, `class`, safe `href`, and `data-*` attributes.

🤖 Generated with Claude Code
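Added example (not code from this PR, the plugin, or Featherlight): the attribute policy that the html and caption hardening above describes, written as jQuery-free JavaScript so the decision logic runs outside a browser. The names `isDangerousAttr`, `filterAttributes` and `sanitizeTree` and the sample attribute maps are assumptions made for this example.

```javascript
// Attribute policy mirroring the PR's html/caption sanitizer: drop inline
// on* handlers and javascript: URLs (including tab/newline-obfuscated ones),
// keep src, alt, class, data-* and ordinary href values. Hypothetical names.

// Attributes whose value is a URL and must therefore not carry a script scheme.
const URL_ATTRS = new Set(['href', 'src', 'xlink:href', 'action', 'formaction']);

// Normalise a URL the way browsers do before scheme matching: strip leading
// whitespace/control characters, remove embedded tabs and newlines, lowercase.
function normaliseScheme(value) {
  return String(value)
    .replace(/^[\s\u0000-\u001f]+/, '')
    .replace(/[\t\r\n]/g, '')
    .toLowerCase();
}

// True when a single attribute would let markup execute script.
function isDangerousAttr(name, value) {
  const lname = String(name).toLowerCase();
  if (lname.startsWith('on')) return true; // onerror, onload, ONCLICK, ...
  if (URL_ATTRS.has(lname)) {
    const scheme = normaliseScheme(value);
    return scheme.startsWith('javascript:') || scheme.startsWith('vbscript:');
  }
  return false;
}

// Pure version of the policy: returns a new attribute map with only safe entries.
// Sample input is a constructed {name: value} object, e.g. from a parsed caption.
function filterAttributes(attrs) {
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (!isDangerousAttr(name, value)) kept[name] = value;
  }
  return kept;
}

// Browser-only: apply the same policy to a parsed subtree (e.g. the nodes
// returned by $.parseHTML(html, document, false)). Script elements are removed
// outright; every other element loses only its dangerous attributes.
function sanitizeTree(root) {
  const nodes = [root, ...root.querySelectorAll('*')];
  for (const el of nodes) {
    if (el.tagName && el.tagName.toLowerCase() === 'script') { el.remove(); continue; }
    for (const { name, value } of Array.from(el.attributes || [])) {
      if (isDangerousAttr(name, value)) el.removeAttribute(name);
    }
  }
  return root;
}
```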