Sidebars API - XSS or not XSS?

[adamziel]

Let's talk about the experimental /__experimental/sidebars API endpoint.

As initially discovered in an unrelated issue, it is possible to send a POST request like:

$request = new WP_REST_Request( 'POST', '/__experimental/sidebars/sidebar-1' );
$request->set_body_params(
	array(
		'widgets' => array(
			array(
				'id'           => 'text-1',
				'settings'     => array(
					'text' => '<script>alert(1)</script>',
				),
			),
		),
	)
);

And store a script that will be executed when the widget is rendered.

Initially I considered it to be a vulnerability, but then I tested widgets.php and discovered it exhibits the exact same behavior. That's perhaps unsurprising, considering that experimental endpoint reuses the exact same code:

	$_POST[ $field ][ $number ] = wp_slash( $input_widget['settings'] );
	call_user_func( $update_control['callback'] );

The endpoint access is restricted to administrators and editors who, by design, are allowed to use custom scripts. Therefore it seems to me like it's not a bug, it's a feature. What do you think @draganescu @noisysocks @TimothyBJacobs ?

[aristath]

The endpoint access is restricted to administrators and authors who, by design, are allowed to use custom scripts. Therefore it seems to me like it's not a bug, it's a feature

I'd have to agree with that assessment... The people that can use this are the people than should be able to use it.

[TimothyBJacobs]

Is this the built in text widget?

[adamziel]

@TimothyBJacobs it is

[draganescu]

Looks like a feature :)

[adamziel]

Before concluding this issue I will confirm whether or not unfiltered_html has an effect here.

[adamziel]

It does, we're good to close this issue. I prepared some related unit tests in #24886