Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3490158

Timestamp:

03/24/2026 03:19:13 PM (12 days ago)

Author:

vinsmach

Message:

Version 1.3.2: fix problem

Location:

webmcp-bridge/trunk

Files:

: 3 edited

includes/class-tools-core.php (modified) (3 diffs)
readme.txt (modified) (2 diffs)
webmcp-bridge.php (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

webmcp-bridge/trunk/includes/class-tools-core.php

-                      r3490060
+                      r3490158
         $markdown = Mescio_For_Agents_Markdown::post_to_markdown( $post );
+        // Sanitize the Markdown output before returning it to the agent.
+        // A WordPress editor can insert arbitrary JS/HTML in post content.
+        // Without this step, stored XSS in the post would be forwarded verbatim
+        // to the AI agent — enabling prompt injection attacks via post content.
+        $markdown = $this->sanitize_markdown( $markdown );
         $language = class_exists( 'Mescio_For_Agents_I18n' )
             ? Mescio_For_Agents_I18n::detect_post_language( $post )
 …
+    }
+    /**
+     * Sanitize Markdown content before sending it to an AI agent.
+     *
+     * Threats addressed:
+     *   1. HTML tags surviving the Markdown conversion (script, iframe, etc.)
+     *      — could be injected by a WordPress editor into post content.
+     *   2. Inline event handlers (onclick=, onerror=, onload=, etc.)
+     *      — JS execution vectors embedded in HTML attributes.
+     *   3. javascript: and data: URIs in Markdown links/images
+     *      — [click me](javascript:alert(1))
+     *   4. Basic prompt injection patterns
+     *      — text designed to hijack the AI agent's instructions.
+     *
+     * @param  string $markdown Raw Markdown from Mescio.
+     * @return string           Sanitized Markdown safe to send to an agent.
+     */
+    private function sanitize_markdown( string $markdown ): string {
+        // 1. Strip dangerous HTML tags entirely (including their content for script/style).
+        $dangerous_tags = 'script|style|iframe|object|embed|form|input|button|textarea|select|link|meta|base';
+        $markdown = preg_replace(
+            '/<(' . $dangerous_tags . ')[^>]*>.*?<\/\1>/is',
+            '',
+            $markdown
+        );
+        // 2. Strip any remaining HTML tags that survived (keep text content).
+        //    wp_kses with an empty allowed list strips all tags but keeps text.
+        $markdown = wp_kses( $markdown, [] );
+        // 3. Neutralize javascript: and data: URIs in Markdown links and images.
+        //    Matches: [text](javascript:...) and ![alt](data:...)
+        $markdown = preg_replace(
+            '/(\[.*?\]\()(?:javascript|data|vbscript):[^\)]*(\))/i',
+            '$1#removed$2',
+            $markdown
+        );
+        // 4. Strip inline event handlers (onclick=, onerror=, etc.)
+        $markdown = (string) preg_replace(
+            '/\s+on[a-z]+\s*=\s*(["\'])(?:(?!\1).)*\1/i',
+            '',
+            (string) $markdown
+        );
+        // 5. Detect and neutralize obvious prompt injection attempts.
+        //    These are heuristic — they flag content that looks like instructions
+        //    directed at an AI system rather than normal editorial content.
+        $injection_patterns = [
+            '/ignore\s+(all\s+)?(previous|prior|above)\s+instructions?/i',
+            '/disregard\s+(all\s+)?(previous|prior|above)\s+instructions?/i',
+            '/you\s+are\s+now\s+(a\s+)?[\w\s]+assistant/i',
+            '/system\s*:\s*(you\s+are|act\s+as|pretend)/i',
+            '/\[INST\]|\[\/INST\]|<\|im_start\|>|<\|im_end\|>/i',
+        ];
+        foreach ( $injection_patterns as $pattern ) {
+            $markdown = preg_replace( $pattern, '[removed]', $markdown );
+        }
+        return trim( $markdown );
+    }
     public function tool_get_llms_txt( $params ) {
         if ( ! class_exists( 'Mescio_For_Agents_Rest' ) ) {
 …
                 throw new Exception( esc_html__( 'Could not retrieve full llms content from Mescio for Agents.', 'webmcp-bridge' ) );
+            }
+            // Sanitize the full content for the same reasons as get_markdown_content.
+            $body = $this->sanitize_markdown( $body );
             $context['content']         = $body;

webmcp-bridge/trunk/readme.txt

-                      r3490060
+                      r3490158
 Requires at least: 6.0
 Tested up to: 6.9
 Stable tag: 1.3.0
+Stable tag: 1.3.1
 Requires PHP: 8.0
 License: GPLv2 or later
 …
 == Changelog ==
+= 1.3.1 =
+* Security: sanitize Markdown output in get_markdown_content and get_llms_txt before returning to agent — prevents stored XSS / prompt injection via post content
 = 1.2.0 =
 * Added Live API Examples section in admin: test every tool directly from the settings page

webmcp-bridge/trunk/webmcp-bridge.php

-                      r3490060
+                      r3490158
  * Plugin URI:        https://wordpress.org/plugins/webmcp-bridge/
  * Description:       Exposes WordPress functionality as WebMCP tools so AI agents can interact with your site natively in the browser — no backend MCP server required.
  * Version:           1.3.0
+ * Version:           1.3.1
  * Requires at least: 6.0
  * Requires PHP:      8.0
 …
 if ( ! defined( 'ABSPATH' ) ) exit;
 define( 'WEBMCP_BRIDGE_VERSION', '1.3.0' );
+define( 'WEBMCP_BRIDGE_VERSION', '1.3.1' );
 define( 'WEBMCP_BRIDGE_DIR', plugin_dir_path( __FILE__ ) );
 define( 'WEBMCP_BRIDGE_URL', plugin_dir_url( __FILE__ ) );

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory

Context Navigation

Changeset 3490158

Legend:

webmcp-bridge/trunk/includes/class-tools-core.php

webmcp-bridge/trunk/readme.txt

webmcp-bridge/trunk/webmcp-bridge.php

Download in other formats: