Getting Rid of Unwanted Backslashes in WordPress Form Input
Some time back I wrote an article on How to Secure your WordPress Plugin by preventing CSRF Vulnerability. Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Take a look at that tutorial for more details.
In this tutorial we will go over a very common security pattern and how to fix it. If you have any of the questions below, you are in the right place:
- Stripslashes in a textarea in a WordPress plugin option
- How to remove trailing slashes in WordPress (or PHP)
- Security: is using stripslashes() in WordPress unsafe?
- How to secure a WordPress plugin?
- How to harden a WordPress plugin?
First, let me briefly explain a simple scenario.
Most WordPress plugins have a text field. When the user enters a text value and clicks submit, it is usually stored in the WP_OPTIONS table as a key and value.
The plugin developer can retrieve that value at runtime to fulfill the plugin's requirements. There is nothing bad so far; in most cases it just works.
But consider this: what if the user enters malicious scripting code into the text box? If the value is not checked, that script may be executed on each and every page of the blog, which we absolutely don't want and which creates a security vulnerability for your site.
Take a look at this screenshot:
Now what if the user enters this value?
\"/><script>alert(/Oh no! Am I saving this Script value into WordPress DB??/)</script>
Well, if you see a pop-up alert, that's not good: an attacker could read your browser cookies too. Take a look below.
Here the script is loading on the plugin settings page:
The alert script is loading on the live WordPress page:
Now you get the idea, right?
There is a simple way to block this script injection. The technique that blocks it is called validating, sanitizing and escaping user data.
In addition to the above, a hacker may use document.cookie to steal your session, and the tips below will help secure your WordPress website against this.
How to solve this WordPress Plugin Vulnerability?
When writing the saved value back into a text field or textarea, make sure to use the esc_attr() function. esc_attr() escapes a value for output inside an HTML element's attribute, and it can be used on anything else that is printed into an attribute.
<input type="text" name="crunchify-hello-world-text" value="<?php echo esc_attr(stripslashes_deep(get_option('crunchify-hello-world-text'))); ?>" />
When outputting the value at runtime, escape it the same way:
return $content . esc_attr(stripslashes_deep(get_option('crunchify-hello-world-text')));
As you can see in the example above, we are also using the stripslashes_deep() function, which walks through an array or a single value and removes the slashes from it. Strip the slashes first and escape last, so that esc_attr() sees the final characters that reach the page.
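Putting both halves of the fix together, as an added PHP example that is not code from the original post: it simulates WordPress slashing the submitted value, renders the option both unescaped and escaped, and checks whether the payload shown earlier can still break out of the value attribute. The esc_attr()/stripslashes_deep() stand-ins and the attribute_is_safe() helper are this example's own assumptions; the option name is the one the post uses.

```php
<?php
// Added example, not code from the original post. The esc_attr() and
// stripslashes_deep() stand-ins below are simplifications used only when
// WordPress is not loaded, so the file also runs under plain `php`.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('stripslashes_deep')) {
    function stripslashes_deep($value) {
        return is_array($value)
            ? array_map('stripslashes_deep', $value)
            : stripslashes((string) $value);
    }
}
// The payload from the post, used here as constructed test input.
const PAYLOAD = '\"/><script>alert(/Oh no! Am I saving this Script value into WordPress DB??/)</script>';

// WordPress slashes $_POST before the plugin sees it (wp_magic_quotes), so a
// plugin that stores the request value as-is saves a backslash-escaped string.
function simulate_slashed_post($raw) {
    return addslashes($raw);
}

// Vulnerable: the stored value is echoed straight into the attribute.
function render_field_unescaped($stored) {
    return '<input type="text" name="crunchify-hello-world-text" value="' . $stored . '" />';
}

// Hardened: strip the slashes first and escape last, so esc_attr() sees the
// final characters and no later step can reintroduce a quote or bracket.
function render_field_escaped($stored) {
    $clean = esc_attr(stripslashes_deep($stored));
    return '<input type="text" name="crunchify-hello-world-text" value="' . $clean . '" />';
}

// Helper written for this example: does the value attribute still contain a
// raw quote, < or > that would let the payload break out of the attribute?
function attribute_is_safe($html) {
    if (!preg_match('/ value="(.*)" \/>$/s', $html, $m)) {
        return false;
    }
    return preg_match('/["<>]/', $m[1]) === 0;
}

$stored = simulate_slashed_post(PAYLOAD);
var_dump(attribute_is_safe(render_field_unescaped($stored)), attribute_is_safe(render_field_escaped($stored)));
echo render_field_escaped($stored), PHP_EOL;
```

The first var_dump value is false (the raw quote and angle brackets survive) and the second is true, and the echoed markup shows the payload reduced to entity text inside the attribute.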
And that's it. Now your plugin is protected against this injection: even if an attacker stores script in that option, it is escaped at runtime and won't get executed on the site.