Title: Edge Side Include (ESI) Injection
Last modified: August 21, 2021

---

# Edge Side Include (ESI) Injection

 *  [devriesrjj](https://wordpress.org/support/users/devriesrjj/)
 * (@devriesrjj)
 * [4 years, 10 months ago](https://wordpress.org/support/topic/edge-side-include-esi-injection/)
 * Hi there,
 * I’ve created my own WordPress website, and asked for a security check. Now they
   came back with some kind of Edge Side Include (ESI) Injection. The advice given
   was to use some kind of ESI parser, but when I google it there seems to be no
   plugin for this. Does someone know how I should tackle this?
 * I’m using Divi as a theme.
 * Kind regards,
 * Ricardo de Vries

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [4 years, 9 months ago](https://wordpress.org/support/topic/edge-side-include-esi-injection/#post-14793327)
 * An ESI parser would be installed in a reverse proxy or similar architecture. 
   ESI applies to XHTML documents, which you are not using, so I don’t understand
   what ESI has to do with your site. ESI implements a caching scheme so dynamic
   content can be injected into the document without needing to make a request to
   the source server. If not properly implemented, the scheme is prone to XSS and
   SSRF hack attacks.
 *  Thread Starter [devriesrjj](https://wordpress.org/support/users/devriesrjj/)
 * (@devriesrjj)
 * [4 years, 9 months ago](https://wordpress.org/support/topic/edge-side-include-esi-injection/#post-14801045)
 * Hi [@bcworkz](https://wordpress.org/support/users/bcworkz/), thanks for your 
   answer.
 * That’s weird. The following is the full threat description I received:
 * Edge Side Include (ESI) is an XML-based markup language that provides a means
   to assemble resources in HTTP clients. It is designed to leverage client tools
   like caches to improve end-user perceived performance, reduce processing overhead
   on the origin server, and enhance availability. ESI allows for dynamic content
   assembly by processing the ESI tags. ESI is primarily intended for processing
   on surrogates (intermediaries that operate on behalf of the origin server, also
   known as “Reverse Proxies”) that understand the ESI language. Successful injection
   of the ESI tags in the HTTP response at the origin server can lead to Server
   Side Request Forgery (SSRF) or Cross-Site Scripting (XSS) attacks.
 * Do you know if this makes any sense?
 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [4 years, 9 months ago](https://wordpress.org/support/topic/edge-side-include-esi-injection/#post-14804337)
 * Well, that’s pretty much what I said. I suppose a possible threat would be if
   someone could inject ESI tags into the normal output stream, they could be leveraged
   into a more dangerous attack like SSRF. But if a hacker were able to inject such
   tags, the site is already compromised, so I don’t see how it adds additional
   risk. I don’t see it as an issue unless you are already using ESI tags.
 * Disclaimer: I’m not a computer security expert. There could be some angle I’m
   missing.
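The scanner text quoted above describes the mechanism (ESI tags reaching an ESI-capable surrogate), and the reply above asks how an attacker would get tags into the output stream in the first place. The following is an added example, not code from this thread, from WordPress or from Divi, and the host names in it are hypothetical. It simulates an origin that reflects a query parameter into HTML and a toy ESI-aware reverse proxy in front of it, and shows three outcomes: the reflected `<esi:include>` is processed and the proxy makes the side request (the SSRF), the same payload HTML-escaped by the origin stays inert, and a proxy that only processes ESI when the origin opts in per response with `Surrogate-Control: content="ESI/1.0"` leaves the unescaped page untouched. It also includes a `find_esi_tags` check you can run over your own responses.

```python
import html
import re

# Constructed example: toy ESI-aware surrogate (reverse proxy) in front of an
# origin that reflects a query parameter. Not code from the thread, Divi or
# WordPress. Host names are hypothetical.

ESI_INCLUDE = re.compile(r'<esi:include\s+src="([^"]*)"\s*/>', re.IGNORECASE)
ESI_ANY_TAG = re.compile(r'<esi:([a-z]+)', re.IGNORECASE)


def origin_vulnerable(query: str) -> dict:
    """Origin that reflects user input into HTML without escaping it."""
    body = f"<html><body><p>Results for: {query}</p></body></html>"
    return {"headers": {"Content-Type": "text/html"}, "body": body}


def origin_hardened(query: str) -> dict:
    """Same page with the reflected value HTML-escaped, so a '<esi:' tag can
    only ever reach the surrogate as text, never as markup."""
    body = f"<html><body><p>Results for: {html.escape(query, quote=True)}</p></body></html>"
    return {"headers": {"Content-Type": "text/html"}, "body": body}


def fake_fetch(url: str) -> str:
    """Stand-in for the surrogate's side request. A real surrogate would issue
    the HTTP request from inside the hosting network, which is the SSRF."""
    return f"[fetched {url}]"


def surrogate(response: dict, require_surrogate_control: bool = False):
    """Toy ESI processor. Returns (assembled_body, urls_it_fetched).

    With require_surrogate_control=True the proxy follows the ESI convention
    that the origin opts in per response with the header
    'Surrogate-Control: content="ESI/1.0"'; responses without it pass through
    untouched, so reflected tags in a non-ESI page are never processed.
    """
    fetched = []
    if require_surrogate_control:
        if "ESI/1.0" not in response["headers"].get("Surrogate-Control", ""):
            return response["body"], fetched

    def include(match: re.Match) -> str:
        url = match.group(1)
        fetched.append(url)
        return fake_fetch(url)

    return ESI_INCLUDE.sub(include, response["body"]), fetched


def find_esi_tags(body: str) -> list:
    """Check to run over your own responses (e.g. a curl of the flagged page):
    any '<esi:...' tag in a site that does not intentionally use ESI is a red flag."""
    return [m.group(1).lower() for m in ESI_ANY_TAG.finditer(body)]


# Hypothetical payload an attacker would put in a reflected parameter.
PAYLOAD = '<esi:include src="http://internal.example/admin"/>'


def demo() -> dict:
    """Side requests the proxy makes in each of the three configurations."""
    _, fetched_vuln = surrogate(origin_vulnerable(PAYLOAD))
    _, fetched_escaped = surrogate(origin_hardened(PAYLOAD))
    _, fetched_opt_in = surrogate(origin_vulnerable(PAYLOAD), require_surrogate_control=True)
    return {"vulnerable": fetched_vuln, "escaped": fetched_escaped, "opt_in_proxy": fetched_opt_in}


if __name__ == "__main__":
    for name, urls in demo().items():
        print(f"{name:>13}: side requests = {urls}")
```

Two points this illustrates for the situation in the thread: the attacker needs no foothold on the site, only a place where their input is reflected unescaped into a response that an ESI-enabled cache or CDN then processes; and the fix lives in two places, proper output encoding at the origin (which WordPress and its themes should already be doing) and configuring the surrogate so it only processes ESI on pages that explicitly opt in. If you are not deliberately using ESI and your CDN or cache has ESI processing disabled, the finding is not exploitable as described.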

The topic ‘Edge Side Include (ESI) Injection’ is closed to new replies.

## Tags

 * [divi](https://wordpress.org/support/topic-tag/divi/)
 * [esi](https://wordpress.org/support/topic-tag/esi/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 3 replies
 * 2 participants
 * Last reply from: [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * Last activity: [4 years, 9 months ago](https://wordpress.org/support/topic/edge-side-include-esi-injection/#post-14804337)
 * Status: not resolved
