Title: Cross Site Scripting (Reflected)
Last modified: July 24, 2020

---

# Cross Site Scripting (Reflected)

 *  Resolved [grcwebteam](https://wordpress.org/support/users/grcwebteam/)
 * (@grcwebteam)
 * [5 years, 10 months ago](https://wordpress.org/support/topic/cross-site-scripting-reflected/)
 * Hello,
 * A security scan of one of our sites that uses MLA came back with an issue regarding
   potential cross-site scripting.
 * Request:
 * `GET .../?mla_paginate_current=2&ak8tq%2522onmouseover%253d%2522alert%25281%2529%2522style%253d%2522position%253aabsolute%253bwidth%253a100%2525%253bheight%253a100%2525%253btop%253a0%253bleft%253a0%253b%2522yvx42=1 HTTP/1.1`
 * Response:
 * `<a class="prev page-numbers" href=".../?ak8tq"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"yvx42=1&mla_paginate_current=1">`
 * Inserting this into the query string echoes the input and causes a javascript
   popup. Is there any way to validate the query string input for MLA parameters?
    -  This topic was modified 5 years, 10 months ago by [grcwebteam](https://wordpress.org/support/users/grcwebteam/).

Viewing 8 replies - 1 through 8 (of 8 total)

 *  Thread Starter [grcwebteam](https://wordpress.org/support/users/grcwebteam/)
 * (@grcwebteam)
 * [5 years, 10 months ago](https://wordpress.org/support/topic/cross-site-scripting-reflected/#post-13166578)
 * We are also receiving warnings about client-side HTTP parameter pollution:
 * Request:
 * `GET .../?mla_paginate_current=2&adm%26twb%3d1=1 HTTP/1.1`
 * Response:
 * `<a class="page-numbers" href=".../?hrr&kqj=1%3D1&mla_paginate_current=2">`
 * The resolution suggestion here is that URL input be encoded before being embedded
   in a URL.
 *  Plugin Author [David Lingren](https://wordpress.org/support/users/dglingren/)
 * (@dglingren)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/cross-site-scripting-reflected/#post-13182214)
 * Thank you for your report; I always appreciate being alerted to security issues.
 * I will investigate and post an update here when I have progress to report.
 *  Plugin Author [David Lingren](https://wordpress.org/support/users/dglingren/)
 * (@dglingren)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/cross-site-scripting-reflected/#post-13188746)
 * Thanks again for alerting me to these two issues. I have resolved the first issue
   by removing query arguments with names containing embedded special characters.
   I have resolved the second issue by encoding the url input along the lines you
   suggested.
 * I have uploaded a new MLA Development Version dated 20200729 that contains fixes
   for the issues you reported. To get the Development Version you can follow the
   instructions in this earlier topic:
 * [PHP Warning on media upload with Polylang](https://wordpress.org/support/topic/php-warning-on-media-upload-with-polylang/#post-9625341)
 * It would be great if you can install the Development Version and let me know 
   how it works for you.
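As an added illustration (not the plugin's own code), here is the pattern the fix above describes, applied to the two scanner requests from the thread: drop query arguments whose names contain special characters, then percent-encode what remains and escape the attribute before embedding it in the pagination link. The path `/media/`, the argument name `tag`, and the once-decoded query strings are constructed for the example.

```python
import re
from html import escape
from urllib.parse import parse_qsl, urlencode

# Constructed path; the page-number argument is the one the scanner targeted.
PATH = "/media/"
PAGE_ARG = "mla_paginate_current"

# A query-argument name may contain only these characters. Quotes, '&', '=',
# ';' or '%' in a name signal injected input, so the whole argument is dropped
# (the approach described in the thread); rejecting '%' also stops a later
# decoding pass from turning %22 back into a quote.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_\-\[\]]+$")

# Constructed inputs: the two scanner requests as the server sees them after one
# round of URL decoding, plus a legitimate value that embeds '&' and '='.
XSS_QUERY = ("mla_paginate_current=2&ak8tq%22onmouseover%3d%22alert%281%29%22style%3d"
             "%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3b"
             "left%3a0%3b%22yvx42=1")
HPP_QUERY = "mla_paginate_current=2&adm%26twb%3d1=1"
VALUE_QUERY = "mla_paginate_current=2&tag=a%26b%3Dc"


def pagination_link_vulnerable(query: str, page: int) -> str:
    """'Before' form: decoded names and values are glued back into the href."""
    args = dict(parse_qsl(query, keep_blank_values=True))
    args[PAGE_ARG] = str(page)
    raw = "&".join(f"{name}={value}" for name, value in args.items())
    return f'<a class="page-numbers" href="{PATH}?{raw}">'


def sanitize_query_args(query: str) -> dict:
    """Parse a query string and keep only arguments whose names are well formed."""
    return {name: value
            for name, value in parse_qsl(query, keep_blank_values=True)
            if SAFE_NAME.match(name)}


def pagination_link_hardened(query: str, page: int) -> str:
    """'After' form: filtered names, percent-encoded components, escaped attribute."""
    args = sanitize_query_args(query)
    args[PAGE_ARG] = str(page)
    # urlencode() percent-encodes names and values, so '&' and '=' inside a value
    # cannot add parameters; escape() keeps '"' and '&' from ending the attribute.
    href = escape(PATH + "?" + urlencode(args), quote=True)
    return f'<a class="page-numbers" href="{href}">'


if __name__ == "__main__":
    for q in (XSS_QUERY, HPP_QUERY, VALUE_QUERY):
        print("vulnerable:", pagination_link_vulnerable(q, 1))
        print("hardened:  ", pagination_link_hardened(q, 1))
```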
 *  Thread Starter [grcwebteam](https://wordpress.org/support/users/grcwebteam/)
 * (@grcwebteam)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/cross-site-scripting-reflected/#post-13195103)
 * Thanks David, we will be installing and testing it next week. I will report back
   with the results.
 *  Thread Starter [grcwebteam](https://wordpress.org/support/users/grcwebteam/)
 * (@grcwebteam)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/cross-site-scripting-reflected/#post-13218620)
 * Hi David,
 * We re-scanned our site with this development release and it was not flagged for
   XSS issues. Thank you very much for fixing this! Do you plan to formally release
   these plugin changes in the future?
 *  Plugin Author [David Lingren](https://wordpress.org/support/users/dglingren/)
 * (@dglingren)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/cross-site-scripting-reflected/#post-13230172)
 * Thanks for taking the time to try the Development Version and for the good news
   about your results.
 * I plan to update the official MLA version shortly after WordPress 5.5 goes out.
   If it is appropriate, you can continue to use the Development Version with confidence
   until the next MLA update automatically replaces it. I always do my best to ensure
   that any Development Version I post is of “release candidate” quality.
 *  Thread Starter [grcwebteam](https://wordpress.org/support/users/grcwebteam/)
 * (@grcwebteam)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/cross-site-scripting-reflected/#post-13232848)
 * Excellent, thanks for the update!
 *  Plugin Author [David Lingren](https://wordpress.org/support/users/dglingren/)
 * (@dglingren)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/cross-site-scripting-reflected/#post-13259094)
 * I have released MLA v2.84, which contains the new code resolving your two issues.
   I am marking this topic resolved, but please update it if you have any problems
   or further questions regarding the new option. Thanks for inspiring this MLA 
   improvement.


The topic ‘Cross Site Scripting (Reflected)’ is closed to new replies.

 * [Media Library Assistant](https://wordpress.org/plugins/media-library-assistant/)

## Tags

 * [xss](https://wordpress.org/support/topic-tag/xss/)

 * 8 replies
 * 2 participants
 * Last reply from: [David Lingren](https://wordpress.org/support/users/dglingren/)
 * Last activity: [5 years, 9 months ago](https://wordpress.org/support/topic/cross-site-scripting-reflected/#post-13259094)
 * Status: resolved