
VaultPress False Positive on Regex Named Backreference

Open jaswrks opened this issue 10 years ago • 8 comments

Reported here: https://wordpress.org/support/topic/security-threat-in-v150626

Suggested Next Steps

  • [ ] Rename the backreference to something that does not start with <script
  • [ ] Confirm this fixes the false-positive report from VaultPress

jaswrks avatar Jun 30 '15 21:06 jaswrks

@jaswsinc Is this ready for work or is there something here that needs research (i.e., will renaming <script definitely fix this issue)?

raamdev avatar Jun 30 '15 23:06 raamdev

@raamdev writes...

(i.e., will renaming <script definitely fix this issue)?

No, this is unconfirmed. However, I know a thing or two about what these scanners look for, and I think there are high odds that it's simply matching <script and returning a false positive. Typical in scanners like this.

jaswrks avatar Jul 01 '15 14:07 jaswrks

@jaswsinc Thanks! I've added an additional step to the next actions list and marked this as needs testing. :-)

raamdev avatar Jul 01 '15 18:07 raamdev

@jaswsinc Noting here that in another report of this issue (#517) the VaultPress screenshot that shows the code triggering this issue includes a line that does not include <script:

[Screenshot: wajjswr]

raamdev avatar Jul 01 '15 18:07 raamdev

Thanks. So both <style and <script it seems.

jaswrks avatar Jul 01 '15 20:07 jaswrks

@raamdev Suggested Next Actions

  • Search for <script in this file: https://github.com/websharks/html-compressor/blob/150512/src/includes/classes/Core.php
  • Replace instances of <script with <'.'script (or similar) to concatenate; i.e., avoid <script being picked up by a scanner in any obvious way that would result in a false-positive match.
  • Repeat for <style instances.

jaswrks avatar Aug 04 '15 07:08 jaswrks
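
A regression check for the suggested next actions above, as an added example that is not part of the original thread or the project's code. It assumes the scanner does a plain substring match on `<script` and `<style` (the thread only guesses this), and the regex lines and group names are constructed stand-ins, not copied from Core.php.

```python
import re

# Assumed signatures: the thread only guesses that the scanner keys on these
# literal substrings; VaultPress's actual rules are not on the page.
SIGNATURES = ("<script", "<style")

def scan(source):
    """Return (line_no, signature) for each literal signature hit in raw source."""
    return [(no, sig)
            for no, line in enumerate(source.splitlines(), 1)
            for sig in SIGNATURES if sig in line.lower()]

def php_runtime_string(literal):
    """Model PHP joining adjacent single-quoted pieces: 'a'.'b' evaluates to 'ab'."""
    return literal.replace("'.'", "")

# Constructed stand-ins for regex literals in the PHP source (not copied from Core.php).
BEFORE = r"""(?P<script_open_tag><script[^>]*>)(?P<script_js>.*?)</script>
(?P<style_open_tag><style[^>]*>)(?P<style_css>.*?)</style>"""

# Step 1 of the issue on its own: rename only the named groups.
RENAMED = BEFORE.replace("(?P<script_", "(?P<js_").replace("(?P<style_", "(?P<css_")

# The later suggestion: split every "<script" / "<style" in the source text.
AFTER = BEFORE.replace("<script", "<'.'script").replace("<style", "<'.'style")

# Constructed HTML to confirm the pattern still behaves the same at run time.
HTML = '<p>x</p><script type="text/javascript">var a = 1;</script>'

def captured_js(pattern, html=HTML):
    """Apply one pattern and return what the script_js group captured."""
    m = re.search(pattern, html, re.I | re.S)
    return m.group("script_js") if m else None

if __name__ == "__main__":
    print("before :", scan(BEFORE))
    print("renamed:", scan(RENAMED))   # tag-matching literal still hits in this sample
    print("after  :", scan(AFTER))
    runtime = php_runtime_string(AFTER)
    print("runtime pattern unchanged:", runtime == BEFORE)
    print("captured:", captured_js(runtime.splitlines()[0]))
```

In this constructed sample, renaming the groups alone leaves the tag-matching literal in place, which is why the check covers every `<script` and `<style` occurrence in the source text.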

@raamdev

Looks like VaultPress is a premium plugin now (https://vaultpress.com/plans/). Does this still need testing, or was Jason's suggested fix above implemented already?

renzms avatar Dec 31 '16 05:12 renzms

The work outlined above has never been completed, no.

jaswrks avatar Dec 31 '16 07:12 jaswrks