New Release: Jetpack 5.7

This notice relates to the following platforms: VIP Go

UPDATE: VIP Go has been upgraded to Jetpack 5.7.

Jetpack 5.7 has been released for general availability.

To ensure adequate testing opportunities for our VIP clients, the planned upgrade date for Jetpack on VIP Go is January 9th, 2018, at approximately 18:00 UTC.

What’s New

  • Easier customization for Jetpack Search
  • Improved theme compatibility with comment_form_after hook
  • Fixed bug in markdown processing in shortcodes
  • Misc. other improvements and bug fixes

You can find a full list of changes in the announcement post and changelog.

If you have any questions, please let us know!

New Release: Jetpack 5.6

This notice relates to the following platforms: VIP Go

Today at approximately 20:05 UTC, Jetpack was upgraded to version 5.6 on all VIP Go sites.

What’s New

  • Improvements to the Elasticsearch-based Search module
  • All Jetpack plugin JavaScript is now minified, and the following shortcodes now have minified JavaScript: Brightcove, Gist, Instagram, Presentations, Quizzes, Recipes, and Slideshows
  • Support added for “universal” analytics and the ecommerce plugin in Jetpack’s Google Analytics integration
  • Improvements to Photon image tags

Other highlights include a new flow for unlocking the login form when it’s been accidentally locked by Jetpack Protect and many more enhancements and bug fixes.

You can find a full list of changes in the announcement post and changelog.

If you have any questions, please let us know!

New Release: WordPress 4.9.1

This notice relates to the following platforms: WordPress.com VIP, VIP Go

Today, WordPress 4.9.1 was released. This is a security and maintenance release, and both WordPress.com VIP and VIP Go have been patched and upgraded.

The security fixes are:

  1. Use a properly generated hash for the newbloguser key instead of a determinate substring.
  2. Add escaping to the language attributes used on html elements.
  3. Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
  4. Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.

More information about this release can be found in the announcement post, the release notes, and this blog post.

Jetpack 5.4 Release

This notice relates to the following platforms: VIP Go

As previously announced, Jetpack will be upgraded to version 5.4 on Wednesday, October 4th, 2017. The upgrade is currently scheduled for 20:00 UTC (4pm EDT).

Before, during, and after the upgrade, we’ll provide real-time updates via this post.

Read the Jetpack 5.4 announcement post.

What do I need to do?

Jetpack 5.4 is already available – we recommend testing your sites against the new version before the platform-wide release using these instructions.

Otherwise, no action is necessary.

If you have testing feedback or questions related to this release (or Jetpack in general), please open a support ticket with details and we will be happy to assist.

Resolved: Alert: WordPress.com VIP Publishing Issues

UPDATE: The issues affecting publishing / updating posts on some VIP sites have been resolved. Please let us know if you continue to see issues.

We are currently troubleshooting issues with the WordPress.com platform, and sites may experience slow load times or errors in the meantime.

We are working on the issue, and will follow up with another alert once this is resolved.

Please visit the VIP Lobby for more detailed updates (you can request access if you don’t have it already) at https://lobby.vip.wordpress.com – we will continue to update this post and tweet out status updates from @wpvipstatus until the issue is resolved.

If you have any questions, please email vip-support@wordpress.com.

PHP 7 on VIP Go

Next week on Thursday, December 8th, all VIP Go pre-production environments (not including production environments) will be switched over to PHP 7. After the switch, please thoroughly test all pre-production environments for any issues.

After upgrading pre-production environments, production environments will be switched to PHP 7 on Thursday, January 5th (4 weeks later).

PHP 7 brings important performance improvements and has been extensively tested with WordPress at scale on WordPress.com, including all WordPress.com hosted VIP sites.

Ahead of the upgrade, please ensure all local environments are running PHP 7 with WP_DEBUG enabled and pay close attention to any PHP warnings or other issues. For example, VVV has been using PHP 7 for several months, but if you have an out-of-date instance, simply pull the latest code from GitHub and run vagrant up --provision to be upgraded.

For more information on migrating from PHP 5.6 to PHP 7, please see the official Migration Guide.

If you’d like to switch over to PHP 7 ahead of this timeline, please let us know – we’re happy to upgrade you at a time of your choosing.

As always, if you have any questions, please let us know!

tl;dr – pre-production VIP Go sites will be upgraded to PHP 7 on December 8th, and production sites will be upgraded 4 weeks later on January 5th.

Service Disruption: Image Loading

We received a few reports of images not loading on VIP sites starting around 17:24 UTC (13:24 EDT). Further investigation revealed this to be a regional issue affecting only our Dallas datacenter – traffic to other datacenters was not impacted.

The issue was fully resolved at 17:58 UTC (13:58 EDT) and all operations have returned to normal.

Preventing XSS in JavaScript

The primary vulnerability we need to be careful of in JavaScript is Cross Site Scripting (XSS). We’re probably all familiar with the escaping functions we use with PHP in WordPress to avoid that — esc_html(), esc_attr(), esc_url(), etc. Given that, it only seems natural that we would also need to escape HTML in JavaScript.

As it turns out, however, that’s the wrong way to approach JavaScript security. To avoid XSS, we want to avoid inserting HTML strings directly into the document and instead programmatically create DOM nodes and append them to the DOM. This means avoiding .html(), .innerHTML, and other related functions, and instead using .append(), .prepend(), .before(), .after(), and so on.

Here is an example:

jQuery.ajax({
    url: 'http://any-site.com/endpoint.json'
}).done( function( data ) {
    var link = '<a href="' + data.url + '">' + data.title + '</a>';

    jQuery( '#my-div' ).html( link );
});

This approach is dangerous, because we’re trusting that the response from any-site.com includes only safe data – something we cannot guarantee, even if the site is our own. Who is to say that data.title doesn’t contain <script>alert( "haxxored");</script>?

Instead, the correct approach is to create a new DOM node programmatically, then attach it to the DOM:

jQuery.ajax({
    url: 'http://any-site.com/endpoint.json'
}).done( function( data ) {
    var a = jQuery( '<a />' );
    a.attr( 'href', data.url );
    a.text( data.title );

    jQuery( '#my-div' ).append( a );
});

Note: Inserting an HTML string is technically faster, because the browser is optimized for parsing HTML. The best compromise is to minimize the number of DOM insertions by building the larger structure in memory and then inserting it into the DOM all at once, where possible.

By passing the data through either jQuery or the browser’s DOM APIs, we ensure the values are handled as text and attribute values rather than parsed as markup, and we remove the need to inject insecure HTML snippets into the page.

To ensure the security of your application, use the DOM APIs provided by the browser (or jQuery) for all DOM manipulation.

Escaping Dynamic JavaScript Values

When it comes to sending dynamic data from PHP to JavaScript, care must be taken to ensure values are properly escaped. The core function esc_js() escapes values for inline JavaScript inside HTML attributes (such as onclick), while all other values should be encoded with wp_json_encode().

From the WP Codex on esc_js():

It is intended to be used for inline JS (in a tag attribute, for example onclick=”…”).

If you’re not working with inline JS in HTML event handler attributes, the more suitable function is wp_json_encode(), which is built into WordPress.

This approach is incorrect:

var title = '<?php echo esc_js( $title ); ?>';
var content = '<?php echo esc_js( $content ); ?>';
var comment_count = '<?php echo esc_js( $comment_count ); ?>';

Instead, it’s better to use wp_json_encode() (note that wp_json_encode() adds the surrounding quotes itself, so none are written in the template, and a numeric value such as $comment_count stays a number):

var title = <?php echo wp_json_encode( $title ); ?>;
var content = <?php echo wp_json_encode( $content ); ?>;
var comment_count = <?php echo wp_json_encode( $comment_count ); ?>;
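The same job done on the JavaScript side, as an added example that is not from the original post: wp_json_encode() is the PHP function the post recommends, and this is the equivalent serializer for a Node templating context that emits values into an inline script block. JSON.stringify() produces a valid JavaScript literal and keeps the type (12 stays a number), and the replacement step rewrites <, > and & as JSON \u escapes so the emitted text can never contain a </script> terminator or an HTML comment opener, while still parsing back to the original value. The function names encodeForScript and scriptAssignments and the sample data are this example’s own.

```javascript
// Added example (not code from the original post): serialize server data for
// embedding in an inline <script> block. Helper names and sample values are
// constructed for this example.

// JSON.stringify() yields a valid JS literal for strings, numbers, booleans,
// arrays and plain objects. The replacements below are still valid JSON
// escapes, so JSON.parse() (or the browser's JS parser) recovers the value.
function encodeForScript(value) {
  var json = JSON.stringify(value);
  if (json === undefined) {
    json = 'null'; // undefined and functions have no JSON form
  }
  return json
    .replace(/</g, '\\u003c')   // no '</script>' or '<!--' can appear in the output
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')   // harmless in <script>, needed if the same text lands in an attribute
    .replace(/\u2028/g, '\\u2028') // line terminators JSON allows but older JS string literals reject
    .replace(/\u2029/g, '\\u2029');
}

// Emit one 'var name = value;' statement per entry, the shape of the PHP
// snippet above. Variable names are developer-controlled, values are not.
function scriptAssignments(vars) {
  return Object.keys(vars).map(function (name) {
    return 'var ' + name + ' = ' + encodeForScript(vars[name]) + ';';
  }).join('\n');
}

// Constructed sample mirroring $title, $content and $comment_count.
var sample = {
  title: '<script>alert( "haxxored");</script>',
  content: 'It\'s a "quoted" line\nwith a break',
  comment_count: 12
};

console.log(scriptAssignments(sample));
```

Note that the single-quoted approach shown as incorrect above breaks on the sample title twice over: the HTML parser ends the script element at the embedded </script> regardless of any JavaScript-level quoting, and the count becomes the string '12' instead of a number.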

Stripping Tags

It may be tempting to use .html() followed by .text() to strip tags – but this approach is still vulnerable to attack:

// Incorrect
var text = jQuery('<div />').html( some_html_string ).text();
jQuery( '.some-div' ).html( text );

Setting an element’s HTML causes the browser to process attributes such as src immediately, which can lead to attacks like this:

// XSS attack waiting to happen
var some_html_string = '<img src="a" onerror="alert(\'haxxored\');" />';

As soon as that string is set as a DOM element’s HTML (even if it’s not currently attached to the DOM!), src will be loaded, will error out, and the code in the onerror handler will be executed…all before .text() is ever called.

The need to strip tags is indicative of bad practices – remember, always use the appropriate API for DOM manipulation.

// Correct
jQuery( '.some-div' ).text( some_html_string );
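The approach the two sections above describe (Preventing XSS in JavaScript, and Stripping Tags), carried through as an added example that is not code from the original post: a list of links is rendered from an untrusted JSON response using only node-creating DOM APIs, the title is assigned as text so markup in it is displayed literally and never parsed, and the whole list is built in memory and appended to the page in one operation. It also adds the check a practitioner wants alongside this: setting href through the DOM API stops markup injection but not a javascript: or data: URL, so the scheme is allowed-listed as well. The response shape { items: [ { url, title } ] }, the helper names isSafeUrl and buildLinkList, and the injected doc parameter are this example’s own assumptions; in a page, pass document.

```javascript
// Added example (not code from the original post): build links from untrusted
// data with DOM-node APIs only. Response shape and helper names are assumed.

// new URL() applies the browser's own normalisation (tabs and newlines
// removed, scheme lower-cased), so 'java\tscript:' is recognised as
// javascript:. The base URL is a placeholder that only lets relative paths
// parse; its host is never used. Only http(s) links are allowed through.
function isSafeUrl(url) {
  if (typeof url !== 'string') {
    return false;
  }
  var parsed;
  try {
    parsed = new URL(url, 'https://placeholder.invalid/');
  } catch (e) {
    return false; // unparseable input is not a link
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Build the whole <ul> in memory and return it; the caller appends it once.
// doc is injected so the builder also runs outside a browser.
function buildLinkList(doc, data) {
  var list = doc.createElement('ul');
  var items = (data && Array.isArray(data.items)) ? data.items : [];

  items.forEach(function (item) {
    if (!item || !isSafeUrl(item.url)) {
      return; // drop entries whose URL scheme is not allowed
    }
    var li = doc.createElement('li');
    var a = doc.createElement('a');
    a.setAttribute('href', item.url);
    // textContent assigns text, never markup: a title of
    // '<script>alert( "haxxored");</script>' is shown literally, and an
    // '<img onerror=...>' title never becomes an element.
    a.textContent = item.title == null ? '' : String(item.title);
    li.appendChild(a);
    list.appendChild(li);
  });

  return list;
}

// Browser usage mirroring the post's jQuery.ajax() call, guarded so the file
// also loads where jQuery and document are absent (for example under Node).
if (typeof jQuery !== 'undefined' && typeof document !== 'undefined') {
  jQuery.ajax({
    url: 'http://any-site.com/endpoint.json'
  }).done(function (data) {
    var target = document.getElementById('my-div');
    if (target) {
      target.appendChild(buildLinkList(document, data)); // single insertion
    }
  });
}
```

Because nothing here is ever parsed as HTML, there is no tag-stripping step to get wrong: the data is either text (textContent) or a checked attribute value (setAttribute), which is the point the Stripping Tags section makes.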

Other Common XSS Vectors

  • Using eval(). Never do this.
  • Un-whitelisted / un-sanitized data from URLs, URL fragments, query strings, cookies
  • Including un-trusted / un-reviewed 3rd party JS libraries
  • Using out-dated / un-patched 3rd party JS libraries

Helpful Resources