I'm new to XSS prevention, only 2 years into WP development, so I am hoping there's an easy solution. Installing a plugin designed to prevent XSS abuse is not an option. I need to programmatically, globally escape input values and anchor hrefs to prevent malicious XSS on a minisite. I was wondering if I could do this in the functions.php file with this function, except I think "the_content" filter is too broad:
add_filter("the_content", "prevent_xss");
function prevent_xss($the_Post)
{
    // Replace &, < and > so any markup in the post body is rendered as literal text
    $the_New_Post = str_replace(array('&', '<', '>'), array('&amp;', '&lt;', '&gt;'), $the_Post);
    return $the_New_Post;
}
Any help would be greatly appreciated. Thank you in advance.
asked Nov 5, 2021 at 0:10 by user3038672

Comment by Jacob Peattie (Nov 5, 2021 at 2:21): There isn't a single function you can write to globally escape everything. It doesn't even really make sense to try to do that. What problem are you actually trying to solve here? It's the responsibility of individual themes and plugins to write secure code. If you want to properly secure your own code you should follow best practices for escaping on a case by case basis. A global function isn't the solution. See docs.wpvip/technical-references/security/…
1 Answer
"Is there a way to globally apply esc_html( ... ) to all inputs and anchors to filter out XSS markup?"
No. By the time you have output it's too late; any damage has already been done.
Even if you could do this, you wouldn't want to: escaping is highly contextual. Escaping is about enforcing assumptions. For example, <a href="<?php echo esc_url( $url ); ?>... forces $url to be a URL even if it isn't. No more "it should be a URL"; it will always be a URL. It might be a mangled URL, but it's guaranteed to be a URL. esc_html isn't a catch-all escaping function for all occasions.
By the time you have HTML, it's too late to apply escaping, and you have no context to figure out which escaping function can be used.
You could go over the HTML with a DOM parser, but this would do nothing to prevent HTML tag injection or XSS attacks. It also wouldn't be able to apply escaping, as the values are already there; the most it could be is sanitising and validation, which are not escaping. wp_kses_post can be used to whitelist valid tags, but WordPress already does this, and doing it on the the_content filter would break embeds and other content that use legitimate tags, etc.
Likewise, plugins that try to do this cannot be trusted; it's not something that can be done. There is no general automatic escaping that can be applied in PHP after the fact; it has to be done on output to be safe and reliable.
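As an added example (not code from the question or the answer), plain PHP showing why the question's global &<> replacement cannot do the job and what per-context escaping at output time looks like. esc_html_stub() and esc_url_stub() are assumed, simplified stand-ins for WordPress's esc_html() and esc_url(), not the real implementations, and the input values are constructed.

```php
<?php
// Added example (not from the question or the answer). Plain PHP, run with
// `php escaping.php`; WordPress is not loaded. esc_html_stub() and esc_url_stub()
// are simplified stand-ins (assumptions) for esc_html() and esc_url(), present
// only to show that the escaper must match the output context.

// The question's global filter: replaces &, < and > in finished HTML.
function prevent_xss(string $html): string {
    return str_replace(['&', '<', '>'], ['&amp;', '&lt;', '&gt;'], $html);
}

// Stand-in for esc_html(): escape a value that lands in HTML text.
function esc_html_stub(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-in for esc_url(): enforce "this is a URL" (an allowed scheme only),
// then escape it for an attribute value. Anything else becomes an empty string.
function esc_url_stub(string $url): string {
    $allowed = ['http', 'https', 'mailto'];
    if (preg_match('/^\s*([a-z][a-z0-9+.\-]*):/i', $url, $m)
        && !in_array(strtolower($m[1]), $allowed, true)) {
        return '';
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed untrusted values, e.g. two fields submitted through a form.
$label = 'Click "here" & go';
$href  = 'javascript:alert(1)';   // contains no &, < or > for prevent_xss() to touch

// 1) Escaping after the HTML is built: the filter cannot tell which bytes were
//    the theme's markup and which came from the user, so it neuters the whole
//    tag while the untrusted scheme passes through untouched.
$finished = '<a href="' . $href . '">' . $label . '</a>';
echo prevent_xss($finished), "\n";

// 2) Escaping at output time, per context: each value gets the escaper for its
//    slot. The href is forced to be a URL (here: emptied); the label is text.
echo '<a href="' . esc_url_stub($href) . '">' . esc_html_stub($label) . '</a>', "\n";
```

In real WordPress template code the same pattern uses esc_url(), esc_attr(), esc_html() and esc_js() at the echo, each chosen by where the value lands, which is exactly what the answer means by contextual escaping.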