Support » Developing with WordPress » How do I sanitize my custom search code

  • On a website I have the search function of WordPress. Well, the problem is that code can be entered here which can cause damage to the website. Is there a way to easily catch this?

    For example, you can paste `</span> <script> alert (1) </script>` into the search field and an alert box will appear.


Viewing 2 replies - 1 through 2 (of 2 total)
  • The issue is not sanitisation, but escaping. Meaning that the issue is where the search term is *output*, not the input. Wherever in your template you output the search term you should use the `esc_html()` function, to prevent it being interpreted as actual HTML. If you did not build the theme then you should contact the theme author and make them fix it.

    How are you getting the search query? There is an appropriate function for that: `get_search_query()`, and its default behavior is to escape the value. Did you try it already?
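As an added example (not code from this thread or from any theme), a `search.php` fragment that puts the unescaped output described in the question beside the escaped forms the two replies recommend. It assumes only the standard WordPress template functions `get_search_query()`, `esc_html()`, `esc_attr()`, `esc_url()` and `home_url()`.

```php
<?php
// Vulnerable pattern: the raw request parameter is echoed straight into the
// page, so markup typed into the search box (the </span><script>... case
// from the question) is interpreted by the browser.
//
//   echo 'Search results for: ' . $_GET['s'];
//
// Hardened pattern: escape at the point of OUTPUT, for the context it lands in.
// get_search_query() returns the current search term already escaped by
// default; passing false returns the raw term so it can be escaped once,
// explicitly, for the exact context (HTML text vs. attribute value).
$raw_term = get_search_query( false );
?>
<h1 class="page-title">
    Search results for:
    <span><?php echo esc_html( $raw_term ); ?></span>
</h1>

<form role="search" method="get" action="<?php echo esc_url( home_url( '/' ) ); ?>">
    <label>
        Search again:
        <input type="search" name="s"
               value="<?php echo esc_attr( $raw_term ); ?>" />
    </label>
    <button type="submit">Search</button>
</form>
```

With the escaped output, the `</span> <script> alert (1) </script>` input from the question is rendered as literal text in the heading and in the input's value rather than being parsed as HTML.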

  • The topic ‘How do I sanitize my custom search code’ is closed to new replies.