Prevent XSS Vulnerability

Description

This plugin provides protection against Reflected XSS and Self-XSS.

For Reflected XSS, it checks the URL and, if the Enable Blocking option is enabled and the URL contains any vulnerable code, redirects the request. It only blocks the characters that are not allowed in the URL, as shown in the Block Parameters section. You can exclude some of these parameters from blocking if you still need them to be usable on your site.

To provide more security, Prevent XSS Vulnerability also escapes the HTML in the $_GET array, which is commonly used in PHP to read parameters from the URL and print them into the HTML. This way, HTML markup supplied in the URL will not be rendered by the browser.

There are many ways in which the plugin can be tested, but they may vary between sites according to their structure and development functionality.

Block Parameters

Prevent XSS Vulnerability blocks the following parameters in the URL if enabled from the Plugin Settings.

  • Opening Round Bracket (
  • Closing Round Bracket )
  • Less than Sign <
  • Greater than Sign >
  • Opening Square Bracket [
  • Closing Square Bracket ]
  • Opening Curly Bracket {
  • Pipe or Vertical Bar |
  • Closing Curly Bracket }

Encode Parameters

Prevent XSS Vulnerability encodes the following parameters in the URL if enabled from the Plugin Settings.

  • Exclamation Mark !
  • Double Quotation "
  • Single Quotation '
  • Opening Round Bracket (
  • Closing Round Bracket )
  • Asterisk Sign *
  • Less than Sign <
  • Greater than Sign >
  • Grave Accent `
  • Caret (Cap Sign) ^
  • Opening Square Bracket [
  • Closing Square Bracket ]
  • Opening Curly Bracket {
  • Pipe or Vertical Bar |
  • Closing Curly Bracket }

Escape HTML in `$_GET` Variable

Prevent XSS Vulnerability escapes HTML in the $_GET variable. The $_GET variable is mostly used to put values from the URL into the HTML. This check is quite useful if your site reads anything from the URL and prints it into HTML. It secures your search and other sections, depending on your site's functionality.
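The following stand-alone PHP script is an added example, not the plugin's own code: it models the three protections described above (blocking with redirect, encoding, and escaping of $_GET) using the character lists from the Block Parameters and Encode Parameters sections. The `$skip` list is an assumed way of representing the "skip some of the parameters" option, the redirect is modelled by returning the cleaned absolute URL instead of sending a Location header, and `htmlspecialchars` stands in for whatever escaping call the plugin uses inside WordPress; the sample URL and `$_GET` values are constructed for the demonstration.

```php
<?php
// Added example (not the plugin's own code): a stand-alone model of the
// Reflected XSS protections described on this page, runnable without WordPress.
declare(strict_types=1);

// Character lists taken from the Block Parameters / Encode Parameters sections.
const BLOCKED_CHARS = ['(', ')', '<', '>', '[', ']', '{', '|', '}'];
const ENCODED_CHARS = ['!', '"', "'", '(', ')', '*', '<', '>', '`', '^',
                       '[', ']', '{', '|', '}'];

/**
 * Blocking mode. Returns the absolute URL with every query parameter that
 * carries a blocked character removed, or null when nothing needs to change
 * (i.e. no redirect is required). $skip is an assumed list of parameter names
 * that are allowed to keep these characters.
 */
function block_url(string $url, array $skip = []): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['query'])) {
        return null;
    }
    // parse_str percent-decodes, so %3C is compared as "<" and is caught too.
    parse_str($parts['query'], $params);
    $changed = false;
    foreach ($params as $name => $value) {
        if (in_array((string) $name, $skip, true) || !is_string($value)) {
            continue;
        }
        foreach (BLOCKED_CHARS as $ch) {
            if (strpos($value, $ch) !== false) {
                unset($params[$name]); // drop the whole offending parameter
                $changed = true;
                break;
            }
        }
    }
    if (!$changed) {
        return null;
    }
    // Rebuild an absolute URL (the changelog notes relative redirects caused problems).
    $clean = ($parts['scheme'] ?? 'https') . '://' . ($parts['host'] ?? '')
           . ($parts['path'] ?? '/');
    return $params ? $clean . '?' . http_build_query($params) : $clean;
}

/** Encoding mode: percent-encode only the characters from the Encode list. */
function encode_value(string $value): string
{
    $map = [];
    foreach (ENCODED_CHARS as $ch) {
        $map[$ch] = rawurlencode($ch);
    }
    return strtr($value, $map);
}

/** Escape mode: HTML-escape every string in $_GET (recursing into arrays). */
function escape_get(array $get): array
{
    return array_map(
        fn($v) => is_array($v)
            ? escape_get($v)
            : htmlspecialchars((string) $v, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        $get
    );
}

// Constructed sample request, not from any real site.
$url = 'https://example.com/?s=%3Cb%3Ehello%3C%2Fb%3E&page=2';

var_dump(block_url($url));                  // "https://example.com/?page=2"
var_dump(block_url($url, ['s']));           // NULL: "s" is skipped, no redirect
var_dump(encode_value('<b>hello</b>'));     // "%3Cb%3Ehello%3C/b%3E"

$_GET = ['s' => '<b>hello</b>', 'page' => '2'];
$_GET = escape_get($_GET);
var_dump($_GET['s']);                       // "&lt;b&gt;hello&lt;/b&gt;"
```

Run it with `php example.php`. Blocking removes the whole offending parameter (as the screenshot description says), encoding keeps the value but makes it inert in a URL context, and escaping makes it inert in an HTML context; a site that prints query values through some path other than $_GET is not covered by the third mode, which is why the page asks you to check your forms after activation.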

NOTE: MAKE SURE TO CHECK YOUR FORMS AFTER ACTIVATING THE PLUGIN AND IF YOU HAVE WOOCOMMERCE SITE THEN PLEASE ALSO CHECK THE CART AND CHECKOUT PROCESS.

Bug reports

Bug reports for Prevent XSS Vulnerability are welcomed on GitHub. Please note GitHub is not a support forum, and issues that aren’t properly qualified as bugs will be closed.

Screenshots

  • It removes the parameters from the URL which are used in XSS Attack and redirects the user (Recommended).

  • It encodes the parameters from the URL which are used in XSS Attack.

  • It escapes the HTML from the $_GET PHP variable which is mostly used to read the data from the URL (Recommended).

  • Adds a message in the developer console to alert the user about the XSS attack.

  • Shows a message in the developer console to alert the user about the Self-XSS attack. This message can be customized from the settings page.

Installation

These are the steps to follow whether you are installing through WordPress or manually via FTP.

From within WordPress

  1. Visit ‘Plugins > Add New’
  2. Search for Prevent XSS Vulnerability
  3. Activate Prevent XSS Vulnerability from your Plugins page.
  4. Go to “after activation” below.

Manually

  1. Upload the prevent-xss-vulnerability folder to the /wp-content/plugins/ directory
  2. Activate Prevent XSS Vulnerability through the “Plugins” menu in WordPress
  3. Go to “after activation” below.

After activation

  1. Navigate to Reflected XSS Settings under the Prevent XSS Vulnerability from the Admin Dashboard
  2. Make the changes as per your site functionality
  3. You’re done!

FAQ

Q. Why should I install this plugin?

A. Installing this plugin is the easiest way to prevent your site from XSS Vulnerability.

Q. Does this plugin escape HTML when printing search input?

A. Yes, this plugin escapes HTML in the $_GET variable, which is mostly used to print data from the URL into HTML. If your site is using $_GET then it is safe and the HTML will be escaped; otherwise you need to check.

Q. Does this plugin have any conflict with any other plugin?

A. No, this plugin doesn’t have any conflict with any plugin.

Reviews

March 14, 2018
After running a full site scan using Acunetix and receiving hundreds of XSS alerts, this great little plugin secured the site. Bear in mind we have the free versions of Wordfence and iThemes Security installed, we incorrectly assumed that was enough... I'm not sure why this plugin isn't used, or reviewed more. Thank you!

Contributors & Developers

“Prevent XSS Vulnerability” is open source software. The following people have contributed to this plugin.

Contributors

“Prevent XSS Vulnerability” has been translated into 1 locale. Thank you to the translators for their contributions.


Changelog

0.3.5 – May 14, 19

  • Fixing issue with update_option

0.3.4 – May 11, 19

  • Added wp_kses to make the textarea messages more secure

0.3.3 – Apr 08, 19

  • Added wp_kses to make the warning message secure

0.3.2 – Mar 21, 19

  • Added Upgrade Notice above the Self XSS

0.3.1 – Mar 19, 19

  • Enhancements
    • Changing function name to be more generic for Self-XSS Functionality

0.3.0 – Mar 14, 19

  • Enhancements
    • Added Self-XSS Functionality
  • Bugs
    • Fixed wrong protocol issue on redirecting URL

0.2.1 – Feb 27, 19

  • Bugs
    • Used Absolute URL to redirect instead of Relative URL to avoid site redirecting issues

0.2 – Dec 02, 18

  • Enhancements
    • Added Escaped HTML Feature in $_GET variable
    • Optimized Function to have better performance

0.1 – Aug 24, 17

  • First release on WordPress.org.