Cross-Site Scripting (XSS)
Introduction
This article covers ways to protect WordPress code from cross-site scripting (XSS) vulnerabilities, including which functions to apply in order to sanitize and escape user input.
Depending on the context in which it is processed, user input is in most cases not escaped or sanitized by default, so the developer needs to process the input manually.
esc_attr
This function should be the main function to use when the developer wants to escape a string inside of an HTML attribute. It works by encoding the `<`, `>`, `&`, `"` and `'` (less than, greater than, ampersand, double quote, and single quote) characters, and it will never double-encode existing entities.
Only use this function inside of HTML attributes where the escaped value is wrapped in single or double quotes.
esc_html
This function should be the main function to use when the developer wants to escape a string for HTML blocks. It performs a general HTML escape on the string, converting the `<`, `>`, `&`, `"` and `'` characters to HTML entities.
Developers can use this function to escape user input that is output outside of the HTML tag context, that is, as text between tags rather than inside a tag attribute.
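The two contexts described above (attribute versus HTML block), shown as an added example that is not code from the original page; the function names, the `my_plugin_` prefix and the `term` query parameter are assumptions for illustration:

```php
<?php
// Added example (not from the original page): a user-supplied search term is
// rendered in two output contexts. The plugin prefix and parameter name are
// assumptions. Uses only WordPress core functions.

// Unsafe version: the raw query parameter reaches an attribute and the HTML body
// without any escaping, so any markup it contains is rendered as markup.
function my_plugin_render_search_unsafe() {
    $term = isset( $_GET['term'] ) ? wp_unslash( $_GET['term'] ) : '';
    echo '<input type="text" name="term" value="' . $term . '">';
    echo '<p>Results for: ' . $term . '</p>';
}

// Hardened version: sanitize on input, then escape at output, picking the
// escaping function by the context the value lands in.
function my_plugin_render_search() {
    // Sanitize on input: sanitize_text_field() strips tags and invalid characters.
    $term = isset( $_GET['term'] )
        ? sanitize_text_field( wp_unslash( $_GET['term'] ) )
        : '';

    // Attribute context: the value sits inside a double-quoted attribute, the
    // only place esc_attr() is meant to be used. A constructed input such as
    // "><b>x yields &quot;&gt;&lt;b&gt;x, so the quote cannot close the attribute.
    echo '<input type="text" name="term" value="' . esc_attr( $term ) . '">';

    // HTML block context: the value is text between tags, so esc_html() applies.
    // An already-encoded entity such as &amp; is left as-is (no double encoding).
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';
}
```

Both versions read the same parameter; only the hardened one guarantees that the term is treated as data in each output context.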