rspec/rules/S6348/php/rule.adoc

By default, the WordPress administrator and editor roles can add unfiltered HTML content in various places, such as post content. This includes the capability to add JavaScript code. 

If an account with such a role gets hijacked, this capability can be used to plant malicious JavaScript code that gets executed whenever somebody visits the website.

== Ask Yourself Whether

* You really need the possibility to add unfiltered HTML with editor or administrator roles.
* There's a chance that the accounts of authorized users get compromised.

There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

The `unfiltered_html` capability should be granted to trusted roles that need to use markup when publishing dynamic content to the WordPress website. If this capability is not required for all users, including administrators and editors roles, then it's recommended to set `DISALLOW_UNFILTERED_HTML` to `true`.

== Sensitive Code Example

[source,php]
----
define( 'DISALLOW_UNFILTERED_HTML', false ); // sensitive
----

== Compliant Solution

[source,php]
----
define( 'DISALLOW_UNFILTERED_HTML', true );
----

== See

* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
Create rule S6348: Allowing unfiltered HTML content in WordPress is security-sensitive (#247) * Create rule S6348 * Title and type * Description * Address review suggestions Co-authored-by: karim-ouerghemmi-sonarsource <karim-ouerghemmi-sonarsource@users.noreply.github.com> Co-authored-by: Karim El Ouerghemmi <64004037+karim-ouerghemmi-sonarsource@users.noreply.github.com> Co-authored-by: Karim El Ouerghemmi <karim.ouerghemmi@sonarsource.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-08-13 14:31:32 +00:00			`By default, the WordPress administrator and editor roles can add unfiltered HTML content in various places, such as post content. This includes the capability to add JavaScript code.`

			`If an account with such a role gets hijacked, this capability can be used to plant malicious JavaScript code that gets executed whenever somebody visits the website.`

			`== Ask Yourself Whether`

			`* You really need the possibility to add unfiltered HTML with editor or administrator roles.`
			`* There's a chance that the accounts of authorized users get compromised.`

			`There is a risk if you answered yes to any of those questions.`

			`== Recommended Secure Coding Practices`

			The `unfiltered_html` capability should be granted to trusted roles that need to use markup when publishing dynamic content to the WordPress website. If this capability is not required for all users, including administrators and editors roles, then it's recommended to set `DISALLOW_UNFILTERED_HTML` to `true`.

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Sensitive Code Example`
Create rule S6348: Allowing unfiltered HTML content in WordPress is security-sensitive (#247) * Create rule S6348 * Title and type * Description * Address review suggestions Co-authored-by: karim-ouerghemmi-sonarsource <karim-ouerghemmi-sonarsource@users.noreply.github.com> Co-authored-by: Karim El Ouerghemmi <64004037+karim-ouerghemmi-sonarsource@users.noreply.github.com> Co-authored-by: Karim El Ouerghemmi <karim.ouerghemmi@sonarsource.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-08-13 14:31:32 +00:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Create rule S6348: Allowing unfiltered HTML content in WordPress is security-sensitive (#247) * Create rule S6348 * Title and type * Description * Address review suggestions Co-authored-by: karim-ouerghemmi-sonarsource <karim-ouerghemmi-sonarsource@users.noreply.github.com> Co-authored-by: Karim El Ouerghemmi <64004037+karim-ouerghemmi-sonarsource@users.noreply.github.com> Co-authored-by: Karim El Ouerghemmi <karim.ouerghemmi@sonarsource.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-08-13 14:31:32 +00:00			`----`
			`define( 'DISALLOW_UNFILTERED_HTML', false ); // sensitive`
			`----`

			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Create rule S6348: Allowing unfiltered HTML content in WordPress is security-sensitive (#247) * Create rule S6348 * Title and type * Description * Address review suggestions Co-authored-by: karim-ouerghemmi-sonarsource <karim-ouerghemmi-sonarsource@users.noreply.github.com> Co-authored-by: Karim El Ouerghemmi <64004037+karim-ouerghemmi-sonarsource@users.noreply.github.com> Co-authored-by: Karim El Ouerghemmi <karim.ouerghemmi@sonarsource.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2021-08-13 14:31:32 +00:00			`----`
			`define( 'DISALLOW_UNFILTERED_HTML', true );`
			`----`

			`== See`

Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]`
			`* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]`
			`* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]`
			`* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]`
Avoid OWASP Top 10 security-standard mismatch between metadata and description links (RULEAPI-798) (#3537) * Add check for security standard mismatch * Fix security standard mismatches * Fix Resources/Standards links for secrets rules * Fix check * Fix links and update security standard mapping * Fix maintanability issue * Apply review suggestions * Apply suggestions from code review Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> * Fix typo Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> --------- Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> 2024-01-17 17:20:28 +01:00			`* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]`