Support » Developing with WordPress » How do I sanitize my custom search code

How do I sanitize my custom search code

  • Daniël Doelman

    (@ddoelman)



    4 months ago

    On a website I have the search function of WordPress. Well the problem is that here code can be filled in which damage can be caused to the website. Is there a possibility to easily catch this?

    For example, you can paste </span> <script> alert (1) </script> into the search field and an alert box will appear.

    Thanks!

Viewing 2 replies - 1 through 2 (of 2 total)
  • Jacob Peattie

    (@jakept)

    4 months ago

    The issue is not sanitisation, but escaping. Meaning that the issue is where the search term is *output*, not the input. Wherever in your template that you output the search term you should use the esc_html() function, to prevent it being interpreted as actual HTML. If you did not build the theme then you should contact the theme author and make them fix it.

    Felipe Elia

    (@felipeelia)

    4 months ago

    How are you getting the search query? There is an appropriate function for that: get_search_query() and it’s default behavior is escape the value. Did you try it already?

Viewing 2 replies - 1 through 2 (of 2 total)
  • You must be logged in to reply to this topic.

Views