This plugin provides the functionality for Reflected XSS and Self-XSS in
WordPress.
For Reflected XSS, it checks the URL and redirects it if you enabled the Enable Blocking
option and URL contains any Vulnerable code in it. It only block some parameters which are
not allowed in URL and shown here. You can skip some of the
parameters from it if you still like them to be used.
To provide more security, this plugin also escape the HTML in the $_GET
parameter which is commonly used to get parameters in PHP from the URL and
print them in the HTML. This way, HTML properties will not work if anyone
provided it in the URL.
There are many ways by which the plugin can be tested but it may varies for different sites according to their structure and development functionality.
If you like to get help or have any query then please feel free to reach me at sami.siddiqui@yasglobal.com.
This plugin block the following parameters in the URL if enabled from the Plugin Settings.
| Symbol | Name |
|---|---|
( |
Opening Round Bracket |
< |
Less than Sign |
> |
Greater than Sign |
[ |
Opening Square Bracket |
] |
Closing Square Bracket |
{ |
Opening Curly Bracket |
| | | Pipe or Vertical Bar |
} |
Closing Curly Bracket |
ℹ️ You can exclude any of the pre-defined parameter(s) or include any other parameter(s) from the Plugin Settings page.
This plugin encode the following parameters in the URL if enabled from the Plugin Settings.
| Symbol | Name |
|---|---|
! |
Exclamation Mark |
" |
Double Quotation |
' |
Single Quotation |
( |
Opening Round Bracket |
) |
Closing Round Bracket |
* |
Asterisk Sign |
< |
Less than Sign |
> |
Greater than Sign |
| ` | Grave Accent |
^ |
Cap Sign |
[ |
Opening Square Bracket |
] |
Closing Square Bracket |
{ |
Opening Curly Bracket |
| | | Pipe or Vertical Bar |
} |
Closing Curly Bracket |
ℹ️ You can exclude any of the pre-defined parameter(s) to being encoded from the Plugin Settings page.
This plugin escape HTML in $_GET variable. $_GET variable is mostly used
to put the values in HTML from the URL. This Check is quite useful if your site
using/getting anything from the URL and printing it in HTML. It secures your
Search and other sections as per your site functionality.
ℹ️ Make sure to check your forms after activating the plugin and if you have woocommerce site then please also check the cart and checkout process.
Bug reports for Prevent XSS Vulnerability are welcomed on GitHub. Please note GitHub is not a support forum, and issues that aren't properly qualified as bugs will be closed.
This process defines you the steps to follow either you are installing through WordPress or Manually from FTP.
- Visit 'Plugins > Add New'
- Search for
Prevent XSS Vulnerability - Activate
Prevent XSS Vulnerabilityfrom your Plugins page. - Go to after activation below.
- Upload the
prevent-xss-vulnerabilityfolder to the/wp-content/plugins/directory - Activate Prevent XSS Vulnerability through the 'Plugins' menu in WordPress
- Go to after activation below.
- Navigate to the
Prevent XSS Vulnerabilitypage from the Admin Dashboard - Make the changes as per your site functionality
- You're done!
Q. Why should I install this plugin?
A. Installing this plugin is the easiest way to protect your site from XSS Vulnerability.
Q. Does this plugin escape HTML in printing search?
A. Yes, this plugin escape HTML in $_GET variable which is mostly use to print the data
from the URL to HTML. If your site is using $_GET then it is safe and the HTML will be
escaped otherwise you need to check.
Q. Does this plugin has any conflict with any other plugin?
A. No, this plugin doesn't have any conflict with any plugin until now.