Recently I’ve been testing compatibility for all of Jetpack‘s various widgets when used on pages served by the AMP plugin. In the process I ran across a security vulnerability in Jetpack (which I responsibly disclosed and is now fixed), but I never would have noticed the issue if it weren’t for the AMP plugin’s internal validator.
As you may be aware, AMP is both a subset and superset of HTML. The standard HTML elements which can have problems with performance and privacy are not allowed in AMP. At the same time, AMP is also a web components library which provides custom elements that implement performance best practices and support privacy-preserving prerendering. All of the elements and attributes that AMP allows are codified in a specification which is used to programmatically validate AMP pages. Valid AMP pages can be distributed via an AMP Cache and safely prerendered to a user (e.g. in search results).
The AMP plugin internalizes the AMP specification and it uses the spec to catch invalid AMP markup to prevent it from leaking out onto the frontend. The plugin does its best to ensure your site serves valid AMP pages, not only so that Google Search Console doesn’t complain about AMP validation errors, but also in order to give you immediate feedback without having to wait for Googlebot to crawl your site. In contrast to the plugin’s Classic mode, the plugin no longer silently sanitizes the invalid AMP markup when in the Paired/Native modes; you can now be informed of what markup it is removing. This is particularly important when you have a site running ads or analytics, as you need to be alerted when the related script tags are getting stripped out (as AMP doesn’t allow custom scripts, at least not quite yet, though never like this).
So, back to the Jetpack plugin. When I tested the My Community widget, I noticed some strange new AMP validation errors reported by the AMP plugin, including unrecognized attributes: ben, cowboy, and alman:
The AMP plugin’s validator stripped out these invalid attributes—being “accepted” for sanitization—so they would not have shown up on the frontend of the site. But where did they come from? Here also the AMP plugin provides a key tool. As shown above, the plugin already identified that Jetpack was the source of the errors. Then by expanding a validation error, the full context for the error including its source information is provided:
Here it is clear that the invalid markup is coming from that My Community widget in Jetpack, as can be seen in the source function (Jetpack_My_Community_Widget::display_callback). When I looked at the widget output in a non-AMP version of the page, the issue became clear:
John Smith"><script>doSomething("EVIL")</script><a class="
Then since the widget lists users who have recently interacted with the site, the attacker would just have to leave a comment and then wait 10 minutes for the transient to flush. At this point the malicious doSomething('evil') would run for every visitor to the site.
I responsibly disclosed this Jetpack security vulnerability to Automattic’s HackerOne, and I got approval to blog about the find. Many thanks to the Jetpack team for being so responsive and including the fix in a release so quickly.
Remember: Never trust external input. Always validate/sanitize all inputs early and escape all output late.
However, this vulnerability would not have been exploitable on an AMP-first site. In the plugin’s native mode there is no non-AMP version of the site (no paired AMP). The AMP plugin removes all custom script (including script tags and on-event handler attributes), so on a fully AMP site the AMP plugin would have prevented this stored XSS vulnerability from being exploited. Furthermore, the AMP plugin also informs the site owner of such invalid markup being removed and where it came from in the first place.
So the AMP plugin is useful for protecting visitors to your site, as well as providing you with tools for finding and debugging security vulnerabilities. To learn more about the plugin, check out amp-wp.org.
If you’ve ever looked into developing a block for the new WordPress editor (Gutenberg), you’ve seen that it’s recommended to code it up with JSX. Blocks are powered by React and the JSX syntax is significantly more readable and less verbose than the ES5-compatible syntax. For example, compare this ES5 code:
While it is possible to write JSX without a build step by loading a standalone Babel into the browser, it is very expensive to do this runtime transpilation and so it’s not recommended in production. In contrast, HTM is small and fast:
It’s built using Tagged Templates and the browser’s HTML parser. Works in all modern browsers.
So HTM offers a third way to write blocks beyond ES5 and JSX. As with ES5 it doesn’t require a build step, while like JSX it has a much more pleasant syntax. Compare the JSX above with the following HTM:
Recently I attended WCEU 2018 in Belgrade with quite a few colleagues from XWP. We were there in large part to promote the adoption of progressive technologies in WordPress. We spent a lot of our time at the Google booth where we had an area to talk about contributing to WordPress across a wide range of roles. I spent most of the time in the booth stationed at the AMP area talking about the new capabilities we recently published in the plugin’s v1.0-alpha1 release, and since then we’ve followed up by releasing v1.0-beta1.
I’m really excited about how the AMP plugin is turning out. It now enables you to create AMP-compatible themes in the WordPress way; your theme can render your site in AMP using the same templates and stylesheets you would use normally on a non-AMP site. There is complete visual parity between your AMP pages and your non-AMP pages, aside for some differences in embeds (compare this post with AMP and without AMP). This being the case, you don’t even need to have a non-AMP version of your site anymore (the Paired mode), as the Native mode can just serve your entire site in AMP (such as xwp.co). AMP restricts what HTML you can use in order to guarantee performance and security, and the plugin never serves a response that contains invalid AMP in it. The plugin has a validation workflow to identify what the AMP validation errors are, where they are coming from in the page, and which theme/plugin is to blame. Please try it out and refer to the wiki for all the details on how to leverage the new features, especially Adding Theme Support and Implementing Interactivity.
On the topic of Progressive Web Apps, after Matt Mullenweg’s keynote someone asked during the Q&A about about a future where WordPress could be used to create to create apps. Matt responded:
As I just tweeted, there is now a PWA feature plugin on the WordPress.org directory. Its purpose is to curate Progressive Web App capabilities for proposed merging into WordPress core: service workers, the web app manifest, and improved HTTPS support.
This PWA feature plugin is intended to equip and facilitate other plugins which implement PWA features. It’s not intended to negate any existing plugins with these features, but rather to allow such plugins (and themes) to work together seamlessly and expand upon them. The plugin’s first release (v0.1.0) includes support for the web app manifest and an API for themes and plugins to register scripts for service workers, of which two are installed: one for the frontend (scope: ~/) and one for the admin (scope: ~/wp-admin/). A next step for service workers in the PWA feature plugin is to integrateWorkbox to provide a declarative WordPress PHP abstraction for managing the caching strategies for routes, with support for detecting conflicts. You can follow development and contribute to the plugin on GitHub.
Photos not taken by me are courtesy of Ryan Kienstra, Alberto Medina, and Paul Bakaus.
Here’s a fun little easter egg to add to your WordPress login screen: make it so when you click the “Remember Me” checkbox that the song of the same name from Coco autoplays at the bottom of the login form:
Whereas my recap post about WordPress 4.9 focused mostly on the new features and enhancements, my co-release lead Mel Choyce just published a great post that gets into more of the process aspects of the release, including the key contributors:
I think that 4.9 went really well by having essentially three co-release leads: Mel Choyce leading design, myself leading the development, and Jeff Paul leading project management as deputy release lead.
In particular I’m excited about the powerful new capabilities being added to the Customizer. Now you can draft changes to come back to later while also scheduling them to be published at a future date. The Customizer also now features autosave revisions, changeset post locking, customization drafts, and more. These changes were a long time in coming. For more than two years we’ve been working on these features in the context of the Customize Snapshots feature plugin where we’ve developed the infrastructure and UI for changesets in the course of service delivery for our clients at XWP. In WordPress 4.7 the changeset infrastructure from the plugin was introduced to core, and now in 4.9 the UI has also been introduced, after many design iterations.