How do I sanitize my custom search code

  • On a website I have the search function of WordPress. Well, the problem is that code can be entered here which can damage the website. Is there a way to easily catch this?

    For example, you can paste </span> <script> alert (1) </script> into the search field and an alert box will appear.

    Thanks!

Viewing 2 replies - 1 through 2 (of 2 total)
  • The issue is not sanitisation, but escaping. Meaning that the issue is where the search term is *output*, not the input. Wherever in your template that you output the search term you should use the esc_html() function, to prevent it being interpreted as actual HTML. If you did not build the theme then you should contact the theme author and make them fix it.

    Felipe Elia

    (@felipeelia)

    How are you getting the search query? There is an appropriate function for that: get_search_query(), and its default behavior is to escape the value. Did you try it already?
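As an added example (not code from either reply or from WordPress itself), the following shows what both replies describe: the unescaped output that reproduces the alert box from the question, next to the same template line using get_search_query(), and the explicit esc_attr()/esc_html() form for a term that did not come through get_search_query(). It assumes it is dropped into a theme template such as search.php; the small polyfills at the top are simplified stand-ins so the file also runs from the command line outside WordPress, and are not the real core implementations.

```php
<?php
/*
 * Added example for this thread (not code from the original posts or from
 * WordPress core): a search-results header as it might appear in a theme's
 * search.php, showing the unescaped output the question describes beside the
 * escaped form the replies recommend.
 *
 * esc_html(), esc_attr() and get_search_query() are WordPress core functions.
 * The polyfills below exist only so the file runs outside WordPress from the
 * command line; they are simplified stand-ins, not the real implementations.
 */
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'get_search_query' ) ) {
    // WordPress reads the 's' query var and, by default ($escaped = true),
    // returns it through esc_attr(). This stand-in mirrors that behaviour.
    function get_search_query( $escaped = true ) {
        $query = isset( $_GET['s'] ) ? (string) $_GET['s'] : '';
        return $escaped ? esc_attr( $query ) : $query;
    }
}

// UNSAFE: the raw term is concatenated into markup. A term containing
// </span><script>...</script> closes the span and the browser runs the
// script (reflected XSS). This is the behaviour reported in the question.
function unsafe_search_title() {
    $term = isset( $_GET['s'] ) ? $_GET['s'] : '';
    return '<h1>Search results for: <span>' . $term . '</span></h1>';
}

// SAFE: get_search_query() hands back the term already escaped, so the angle
// brackets are emitted as &lt; and &gt; and the term is displayed as text.
function safe_search_title() {
    return '<h1>Search results for: <span>' . get_search_query() . '</span></h1>';
}

// SAFE, explicit form: escape at the point of output with the function that
// matches the context, esc_attr() inside an attribute value and esc_html()
// for element text. Same term, two contexts, two escapers.
function safe_search_form( $term ) {
    return '<form role="search" method="get">'
        . '<input type="search" name="s" value="' . esc_attr( $term ) . '" />'
        . '<p>You searched for: ' . esc_html( $term ) . '</p>'
        . '</form>';
}

// Command-line demonstration with a constructed term like the one in the question.
if ( PHP_SAPI === 'cli' ) {
    $_GET['s'] = '</span><script>alert(1)</script>';
    echo "Unescaped:\n", unsafe_search_title(), "\n\n";
    echo "Escaped:\n", safe_search_title(), "\n\n";
    echo "Form:\n", safe_search_form( $_GET['s'] ), "\n";
}
```

Running it with `php search-example.php` prints the raw `<script>` tag in the first block and `&lt;script&gt;` in the other two. The point the first reply makes is visible here: nothing was "sanitized" on the way in, and nothing needs to be; the term is stored and searched as typed, and it only becomes a problem at the one line that writes it into HTML without escaping.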
