This plugin provides the functionality for Reflected XSS and Self-XSS.
This plugin provides the functionality for Reflected XSS
and Self-XSS
.
For Reflected XSS, it checks the URL and redirects it if you enabled the Enable Blocking
option and URL contains any Vulnerable code in it. It only block some parameters which are not allowed in URL and shown Block Parameters section. You can skip some of the parameters from it if you still like them to be used.
To provide more security, this plugin also escape the HTML in the $_GET
parameter which is commonly used to get parameters in PHP from the URL and print them in the HTML. This way, HTML properties will not work if anyone provided it in the URL.
There are many ways by which the plugin can be tested but it may varies for different sites according to their structure and development functionality.
This plugin block the following parameters in the URL if enabled from the Plugin Settings page.
(
)
<
>
[
]
{
|
}
You can exclude any of the pre-defined parameter(s) or include any other parameter(s) from the Plugin Settings page.
This plugin encode the following parameters in the URL if enabled from the Plugin Settings page.
!
"
'
(
)
*
<
>
^
[
]
{
|
}
You can exclude any of the pre-defined parameter(s) to being encoded from the Plugin Settings page.
This plugin escape HTML in $_GET
variable. $_GET
variable is mostly used to put the values in HTML from the URL. This Check is quite useful if your site using/getting anything from the URL and printing it in HTML. It secures your Search and other sections as per your site functionality.
NOTE: Make sure to check your forms after activating the plugin and if you have woocommerce site then please also check the cart and checkout process.
Bug reports for Prevent XSS Vulnerability
are welcomed on GitHub. Please note GitHub is not a support forum, and issues that aren’t properly qualified as bugs will be closed.
This process defines you the steps to follow either you are installing through WordPress or Manually from FTP.
From within WordPress
Manually
prevent-xss-vulnerability
folder to the /wp-content/plugins/
directoryAfter activation
Prevent XSS Vulnerability
page from the Admin DashboardIt removes the parameters from the URL which are used in XSS Attack and redirects the user (Recommended).
It encodes the parameters from the URL which are used in XSS Attack.
It escapes the HTML from the $_GET
PHP variable which is mostly used to read the data from the URL (Recommended).
Add the message in developer console for the user to alert about the XSS attack.
Show message in developer console to alert user about the Self-XSS attack. This message can be customized from the settings page.
A. Installing this plugin is the easiest way to prevent your site from XSS Vulnerability.
A. Yes, this plugin escape HTML in $_GET
variable which is mostly use to print the data from the URL to HTML. If your site is using $_GET
then it is safe and the HTML will be escaped otherwise you need to check.
A. No, this plugin doesn’t have any conflict with any plugin.
Bug
Enhancements
* Include other/extra parameters
* Fixed WPCS issues