Make check for meta tag to verify site more permissive#10040
Make check for meta tag to verify site more permissive#10040abidhahmed merged 11 commits intomasterfrom
Conversation
|
That's a great PR description, thank you so much for your effort! Generated by 🚫 dangerJS |
|
I found a bug: pasting in a meta tag with single quotes and the meta name "blah" results in the following output in the HTML: Trying to fix now. |
|
@gravityrail it's not a regex that's able to parse any html property value, just a verification code which according to the regex for the code only (on the same line) is simply |
|
I get the same issue when I enter this value: The meta tag shows: |
|
But it works correctly when I enter: (same values as above, but tag is self-closing and uses double-quotes) This outputs correctly: |
|
This line:
isn't valid syntax in PHP 5.2 and is preventing new builds from being created by TravisCI, so I can't test the current code. |
| */ | ||
| public static function validate_verification_service( $value = '', $request, $param ) { | ||
| if ( ! empty( $value ) && ! ( is_string( $value ) && ( preg_match( '/^[a-z0-9_-]+$/i', $value ) || preg_match( '#^<meta name="([a-z0-9_\-.:]+)?" content="([a-z0-9_-]+)?" />$#i', $value ) ) ) ) { | ||
| if ( ! empty( $value ) && ! ( is_string( $value ) && ( preg_match( '/^[a-z0-9_-]+$/i', $value ) || preg_match( '#^<meta[^<>]+content=["\']?([^"\' <>]*)[^<>]*/?>$#i', $value ) ) ) ) { |
There was a problem hiding this comment.
If the content attribute has an apostrophe or quotation mark in it, this regex will fail.
<meta content="Jetpack's the best" />
There was a problem hiding this comment.
It could also perceive this HTML as passing the check:
<meta name="content=" />
There was a problem hiding this comment.
Or even <meta-content=>. Instead of duplicating work, this function should be calling jetpack_verification_get_code() and checking if it returns something, since that's the code that will actually be extracting the verification code. (jetpack_verification_get_code() should also be given a second look, as its regex is pretty liberal as well.)
There was a problem hiding this comment.
As I said here this regex will only work for valid content values. I agree it's cleaner to use jetpack_verification_get_code() here instead though 👍I'll update!
|
I updated the form on the client to replace the code value by the full meta tag. On the server nothing is changed and the code value is persisted by default (and the code stays backward-compatible with full meta tag saved in the db). |
|
I don't think it matters too much that the regex in The latest changes have a some failing tests, though. |
Changes proposed in this Pull Request:
The validation for meta tags entered in the Jetpack Settings page for site verification is overly strict. In fact, even the same meta tags we offer in our alternative UI (under "tools" in the wp-admin menu) don't work! (because they aren't self-closing tags, lack a space before the
>, and use single instead of double quotes).This PR updates the input validation we have for meta tags used for website verification services. We just want a meta tag that is valid enough so we can extract the value of the content property from it. HTML parser on browsers are quite flexible so we need to allow all kinds of valid meta tags.
For instance this change makes it so those are valid:
<meta name="google-site-verification" content="1234"/>(no space before/>)<meta name='google-site-verification' content='1234' />(use of'instead of")<meta name='google-site-verification' content=1234 />(does not use any quotes)<meta content="1234" name="google-site-verification" />(switches the order)<meta name="google-site-verification" content="1234" some-prop />(has extra properties)<meta name="google-site-verification" content="1234">(does not have a closing character)...
Testing instructions:
Enter any of the formats above, both in the Jetpack Settings UI, and the same UI under "tools".
The content should be saved successfully without validation errors.
Enter a "bad" string in the JS UI, e.g.
<moota name="google-site-verification" content="1234"/>The content should fail to save with a validation error.
Note that the legacy UI under "tools" will actually accept
<moota name="google-site-verification" content="1234"/>- that UI is going to be removed eventually so it's less of a concern.Proposed changelog entry for your changes: