• Max

    (@dobermanlife)


    includes/wc-template-functions.php is printing an inline <script tag (usually a no-no) without calling the correct WordPress function to filter it (wp_print_script_tag), which prevents adding a unique nonce attribute to the script on each request, breaking Content Security Policy.

    I’d send a pull request, … but you know. CVS.

    The following code on includes/wc-template-functions.php line 355 is incorrect:

    function wc_no_js() {
    // The <script> tag is written by hand, so it never passes through the
    // WordPress script-attribute filters and no per-request nonce can be added.
    ?>
    <script type="text/javascript">

    (function () { ...
    })();
    </script>
    <?php
    }

    Per Automattic programming standards, it should be:

    function wc_no_js() {
    // Capture the inline JavaScript instead of echoing a raw <script> tag.
    ob_start();
    ?>

    (function () { ...
    })();
    <?php
    // wp_print_inline_script_tag() (WordPress 5.7+) wraps the JS in a <script>
    // tag and runs the attributes through the wp_inline_script_attributes
    // filter, so a CSP nonce can be attached on every request.
    // (wp_print_script_tag() alone prints an empty <script></script> pair.)
    wp_print_inline_script_tag( ob_get_clean(), array() );
    }

    Making this change will allow woocommerce users to implement a secure Content Security Policy using existing WordPress standards. Thanks for reading, I hope this change makes it to the repo soon!
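    An added example of the defender's side, not code from this thread, WooCommerce or WordPress core: a small mu-plugin that issues a per-request CSP nonce and attaches it through the filters that wp_print_script_tag() and wp_print_inline_script_tag() run, which is why a hand-written <script> tag like the one in wc_no_js() ends up blocked. The csp_example_ names are my own.

```php
<?php
/**
 * Per-request CSP nonce for WordPress script tags (example mu-plugin).
 * Assumes WordPress 5.7+ (wp_script_attributes / wp_inline_script_attributes).
 */

// One fresh nonce per request, generated lazily and reused everywhere below.
function csp_example_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        // 16 random bytes, base64-encoded, as the nonce value.
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Add nonce="..." to every <script> tag WordPress prints for us.
function csp_example_add_nonce( array $attributes ) {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
}
// Tags from wp_print_script_tag() / wp_get_script_tag() (enqueued scripts).
add_filter( 'wp_script_attributes', 'csp_example_add_nonce' );
// Tags from wp_print_inline_script_tag() / wp_get_inline_script_tag().
add_filter( 'wp_inline_script_attributes', 'csp_example_add_nonce' );

// Send the policy: only scripts carrying this request's nonce may run.
// Any inline <script> echoed by hand (no nonce) is refused by the browser.
add_action( 'send_headers', function () {
    if ( headers_sent() ) {
        return;
    }
    header(
        "Content-Security-Policy: script-src 'nonce-" . csp_example_nonce() . "'; object-src 'none'"
    );
} );
```

Drop the file into wp-content/mu-plugins/ and watch the browser console: scripts printed through the WordPress functions run, while a raw inline tag is reported as a CSP violation.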

Viewing 1 replies (of 1 total)
  • Plugin Support Shameem R. a11n

    (@shameemreza)

    Hi @dobermanlife

    We appreciate your time and effort in identifying this issue and for suggesting a solution. It’s users like you who help us keep our plugin secure and efficient.

    You’re absolutely right. The use of an inline script tag without the correct WordPress function (wp_print_script_tag) can indeed hinder the implementation of a secure Content Security Policy.

    We understand the importance of adhering to Automattic programming standards, and your proposed code change seems to align with these standards. I suggest you create an issue on GitHub so our development team can dive in and take a closer look.

    We can’t promise an immediate change as all updates need to go through a rigorous process of testing and validation, but we assure you that your suggestion will be given serious consideration.

    Once again, thank you for your valuable input. We appreciate your contribution to making WooCommerce a safer and more secure platform.

  • The topic ‘woocommerce bug breaking usage guidelines and CSP’ is closed to new replies.