Title: Vulnerability: Cross-Site Scripting attacks
Last modified: September 6, 2016

---

# Vulnerability: Cross-Site Scripting attacks

 *  [JDD](https://wordpress.org/support/users/allaboutmormons/)
 * (@allaboutmormons)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/vulnerability-cross-site-scripting-attacks/)
 * Your plugin is great, but it enables cross-site scripting attacks. The front-end
   registration form is reloaded and repopulated with $_POST data when the username
   is less than 4 characters. Some of the fields might have been modified to enable
   third-party JavaScript. For example, what if `$_POST['user_email']` has been changed
   to `John.Doe@somewhere.com"><sCrIpT>alert(36363)</sCrIpT>`?
 * I’ve overcome this problem by adding the following code to my functions.php file,
   but it would be best to fix the plugin itself:
 *     ```
       add_action('init', 'sanitize_post_data');
   
       function sanitize_post_data() {
           // Go through all most and sanitize it to prevent cross-site scripting attacks.
           foreach($_POST as $key=>$val) {
               $_POST[$key] = htmlentities($val);
           }
       }
       ```
   

Viewing 5 replies - 1 through 5 (of 5 total)

 *  Thread Starter [JDD](https://wordpress.org/support/users/allaboutmormons/)
 * (@allaboutmormons)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/vulnerability-cross-site-scripting-attacks/#post-8150699)
 * A slight improvement to my functions.php fix, in case it’s helpful:
 *     ```
       add_action('init', 'sanitize_post_data');
   
       function sanitize_post_data() {
           // Go through all most and sanitize it to prevent cross-site scripting attacks.
           foreach($_POST as $key=>$val) {
               if (!(is_array($val))) {
                   $_POST[$key] = htmlentities($val);
               }        
           }
       }
       ```
   
 * Prevents occasional PHP errors caused by other plugins/wordpress functions.
 *  Plugin Author [Chad Butler](https://wordpress.org/support/users/cbutlerjr/)
 * (@cbutlerjr)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/vulnerability-cross-site-scripting-attacks/#post-8165236)
 * Thanks for bringing this to my attention. In the future, it’s best to start by
   contacting me directly first. That will bring it to my attention quicker, and
   it gives us opportunity to provide an appropriate patch (if needed) and address
   it properly before it’s mentioned publicly.
 * I’ve evaluated this and have addressed it in the 3.1.5 release which is being
   finalized now.
 * > Some of the fields might have been modified to enable third-party javascript.
 * The primary issue here is actually not “some of the fields” but rather the email
   field specifically.
 * The plugin uses WP’s functions for handling form input. This generally amounts
   to [sanitizing input and escaping output](https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data).
   This process relies on a number of WP functions.
 * The username field is sanitized with [sanitize_user()](https://codex.wordpress.org/Function_Reference/sanitize_user).
   Text inputs are sanitized with [sanitize_text_field()](https://developer.wordpress.org/reference/functions/sanitize_text_field/).
   When the username is validated, that [validate_username()](https://codex.wordpress.org/Function_Reference/validate_username)
   also runs sanitize_user().
 * I’m not sure why the email was not being sanitized, but maybe that was overlooked
   thinking that [is_email()](https://codex.wordpress.org/Function_Reference/is_email)
   also sanitizes the input, but it actually does not.
 * So the update applies [sanitize_email()](https://codex.wordpress.org/Function_Reference/sanitize_email)
   to the email input and [esc_attr()](https://developer.wordpress.org/reference/functions/esc_attr/)
   to the value in the input field when it is displayed. (Actually, it also applies
   `wp_unslash()` to the value when displayed as well: `esc_attr( wp_unslash( $value ) )`,
   which is the same process as is handled on the wp-login.php registration.)
 * In going through this, there were some additional places I found that could be
   hardened, but the update includes some additional sanitizing and escaping of 
   input/output, such as on the output of checkboxes and hidden fields.
 * This will be included in 3.1.5, and you can view the specific changes relative
   to this issue here:
   [https://github.com/butlerblog/wp-members/commit/464e1dfa0e8062c6036246511102a5f139ad998c](https://github.com/butlerblog/wp-members/commit/464e1dfa0e8062c6036246511102a5f139ad998c)
   - This reply was modified 9 years, 9 months ago by [Chad Butler](https://wordpress.org/support/users/cbutlerjr/).
     Reason: added links for functions mentioned
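As an added illustration of the defect and the fix described in the reply above (example code, not WP-Members' own): the unescaped repopulation of the email field beside a version that sanitizes on input and escapes on output. Plain-PHP `filter_var()` and `htmlspecialchars()` stand in for WordPress's `sanitize_email()` and `esc_attr()` so it runs outside WordPress; `wp_unslash()` is omitted because it only undoes WordPress's own slashing of the superglobals.

```php
<?php
// Added example, not plugin code. Models the form-repopulation defect from this
// thread and the layered fix (sanitize on input, escape on output). Stand-ins:
//   filter_var(..., FILTER_SANITIZE_EMAIL)  for WordPress sanitize_email()
//   htmlspecialchars(..., ENT_QUOTES)       for WordPress esc_attr()

// Before: the submitted value goes straight back into the value="" attribute.
// A double quote in the input closes the attribute and the rest becomes markup.
function render_email_field_unsafe(string $submitted): string {
    return '<input type="text" name="user_email" value="' . $submitted . '">';
}

// After: strip characters that cannot occur in an email address (input side),
// then escape for the HTML attribute context (output side). Either step alone
// neutralises this payload; doing both is the defence in depth the fix applies.
function render_email_field(string $submitted): string {
    $sanitized = filter_var($submitted, FILTER_SANITIZE_EMAIL);
    $escaped   = htmlspecialchars($sanitized, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="user_email" value="' . $escaped . '">';
}

// Constructed input with the same shape as the value quoted in the thread.
$submitted = 'John.Doe@somewhere.com"><sCrIpT>alert(36363)</sCrIpT>';

// Validation is not sanitization: the validator rejects the value, yet a form
// that re-renders the rejected value verbatim still emits the markup.
$isValid = filter_var($submitted, FILTER_VALIDATE_EMAIL) !== false;
echo 'passes validation: ', var_export($isValid, true), PHP_EOL;

echo render_email_field_unsafe($submitted), PHP_EOL;
echo render_email_field($submitted), PHP_EOL;
```

Compare the two rendered `<input>` lines: in the second, the quote and angle brackets are entity-encoded, so the browser treats the whole value as attribute text.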
 *  Thread Starter [JDD](https://wordpress.org/support/users/allaboutmormons/)
 * (@allaboutmormons)
 * [9 years, 9 months ago](https://wordpress.org/support/topic/vulnerability-cross-site-scripting-attacks/#post-8166102)
 * Thanks for your speedy reply, Chad, and for making a great plugin. It occurred
   to me after I posted that I should have let you know privately. Feel free to 
   delete this message if you think it’s appropriate, though with the imminent fix
   perhaps that’s not necessary. All the best.
 *  Plugin Author [Chad Butler](https://wordpress.org/support/users/cbutlerjr/)
 * (@cbutlerjr)
 * [9 years, 8 months ago](https://wordpress.org/support/topic/vulnerability-cross-site-scripting-attacks/#post-8182854)
 * No problem!
 * These changes are incorporated into 3.1.5 and I’ve tested them out – things seem
   to check out there. There are some other changes that are not yet fully tested
   so that all needs to test out before release.
 * I expect to have 3.1.5 fully tested and scheduled for production release early
   next week (targeting Monday). In the meantime, the nightly builds will be available
   via GitHub:
 * [https://github.com/butlerblog/wp-members/](https://github.com/butlerblog/wp-members/)
 *  Plugin Author [Chad Butler](https://wordpress.org/support/users/cbutlerjr/)
 * (@cbutlerjr)
 * [9 years, 8 months ago](https://wordpress.org/support/topic/vulnerability-cross-site-scripting-attacks/#post-8202625)
 * 3.1.5 is now out as full production release and corrects this (and a couple of
   other) issues.


The topic ‘Vulnerability: Cross-Site Scripting attacks’ is closed to new replies.

 * 5 replies
 * 2 participants
 * Last reply from: [Chad Butler](https://wordpress.org/support/users/cbutlerjr/)
 * Last activity: [9 years, 8 months ago](https://wordpress.org/support/topic/vulnerability-cross-site-scripting-attacks/#post-8202625)
 * Status: not resolved