Getting Rid of Unwanted Backslashes in WordPress Form Input
WordPress security is a key to success for your WordPress Plugin. Everybody should take security concerns very carefully.
In addition to have great features into your WordPress theme or Plugins, all WordPress themes and plugins must have best security standards.
Some time back I’ve written an article on How to Secure your WordPress Plugin by preventing CSRF Vulnerability. Cross-site request forgery
, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF
, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Take a look at that tutorial for more details.
In this tutorial we will go over a very common security pattern and how to fix it. If you have any of below questions then you are at right place:
- Stripslashes in textarea in a WordPress plugin option
- How to remove trailing slashes in WordPress (or PHP)
- security – is using
stripslashes()
in wordpress unsafe? - How to secure WordPress Plugin?
- How to harden WordPress Plugin?
First let me explain simple scenario briefly
Most of the WordPress plugins have text field. When user enters text value and click on submit, usually it stores in WP_OPTIONS
table with key and value.
Plugin developer can use that value at runtime and retrieve it to fulfill the plugin requirements. There isn’t any bad thing so far. Most of the cases it works.
But consider this:
What if user enters some malicious scripting code
into text box? Well, if there will a miss on checking value then script might be executed on each and every WordPress page of that blog. Which we absolutely don’t need and creates Security vulnerability for your site.
Take a look at this screenshot:
Now what if user enters this value?
\"/><script>alert(/Oh no! Am I saving this Script value into WordPress DB??/)</script>
Well, if you see pop-up alert then it’s not good
. Attacker could expose your browser cookies
too. Try below.
\"/><script>alert(document.cookie)</script>
Here script is loading on Plugin settings page:
Same Alert Script
is loading on Live WordPress page
:
Now you got an idea. Right?
Well, there is a simple way to disable
this scripting injection. Technique which disables this called Validating Sanitizing and Escaping User Data
.
In addition to above hacker may use document.cookie
to get your sessions and tips below will help secure wordpress website from hackers.
How to solve this WordPress Plugin Vulnerability?
Step-1
While saving
data to textfield or textarea, make sure to use esc_attr()
function. Escaping means Securing Output
.
esc_attr()
can be used on everything else that’s printed into an HTML element‘s attribute.
<input type="text" name="crunchify-hello-world-text" value="<?php echo stripslashes_deep(esc_attr(get_option('crunchify-hello-world-text'))); ?>" />
Step-2
While outputting
value during runtime use the same as output.
add_filter('the_content', 'crunchify_com_content'); function crunchify_com_content($content) { return $content . stripslashes_deep(esc_attr(get_option('crunchify-hello-world-text'))); }
As you see in above example, we are also using stripslashes_deep()
function, which will navigates through an array or single value and removes slashes
from the it.
And that’s it. Now your plugin is super secure and even if attacker uses script injection
it will be safe during runtime and it won’t get executed on site.