XSS Prevention using PHP. This contains a working example of XSS exploit in a popular wordpress theme, and how to prevent XSS attacks with PHP

Cross-Site Scripting or XSS is still for some developers seems to be the redheaded step child of security hacks.  I’ve talked with several plugin developers and theme developers and they all seem not to care.  While in this article I’m not going to show you why it’s so dangerous I will just show you how to prevent XSS on server side with PHP and real-life examples.

Let’s take the Connections Wordpress Theme and show you the vulnerability.

Open the theme directory

Open search.php in the connections folder and search for the following,

(it appears twice on search.php)

The above is particularly a problem because it’s taking the “raw” input of s which in Wordpress is the search variable almost everyone uses.  Then it puts it directly into the execution space for Javascript which can cause multitude of other problems.  Here is just an example that is the tip of iceberg.

XSS demo on connections theme original site

You can only imagine what can be done from here.  Something like window.location=’nastypornsite’ then sent to Google for mega-indexing can really ruin a webmasters day.  How to prevent the nastiness, is actually rather simple.  Here are the same lines fixed for XSS prevention, using strip_tags()

I have of course informed the developer but I also hope that this helps people better understand the issues concerned with XSS.   I will admit it wasn’t until today I saw a lame attempt at XSS in my logs that I realized this blog was vulnerable.  Of course every connections theme out there on the internet is vulnerable as well, and perhaps a crafty person might be able to chase down every owner of a connection theme and …  inform them of the problem.  But maybe that is asking too much.

Relative Links