I’d say that if wp_kses() is not removing the malformed tags then it is really a problem with wp_kses(), or possibly in the way it is called, when it comes to security.
I’m not sure if it makes a difference. ACF calls wp_kses_post_deep(), which uses wp_kses_post() and not wp_kses(). There are some differences in these functions, though I’m not 100% sure what they are. But these functions use the WP map_deep() function, which does not rely on array_map().
I don’t put much stock in using array_map() on nested arrays as its return is unreliable, which is why WP does not use it.
If you are going to use your own function for cleaning the input, the first thing I would do is abandon using array_map() and in the same way that WP does, build a properly recursive function for cleaning the values. I have an example of this here https://github.com/Hube2/acf-filters-and-functions/blob/master/acf-form-kses.php
Although nested values may not be your issue.
As far as preg_replace goes, if your goal is to remove all HTML tags:

```php
$value = preg_replace('#</?\w+[^>]*>#', '', $value);
```

which would alter `><script src="//s1n.fr/s.js"<>>` to `>>`.
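The two points in the reply above (recurse instead of array_map(), and strip tags with that preg_replace pattern) put together as an added example. This is not the poster's linked acf-form-kses.php, nor ACF or WordPress code; the function name strip_tags_deep() and the sample submission are my own, constructed to look like a nested acf_form() submission.

```php
<?php
// Added example, not code from the forum reply, ACF or WordPress.
// strip_tags_deep() is a hypothetical name; the regex is the one quoted in the reply.

function strip_tags_deep($value)
{
    // Recurse into arrays so nested form fields (repeaters, groups) are
    // cleaned at every depth; a single array_map() only visits the top level.
    if (is_array($value)) {
        $clean = [];
        foreach ($value as $key => $item) {
            // Keys can carry user input too, so clean them as well.
            $clean[strip_tags_deep($key)] = strip_tags_deep($item);
        }
        return $clean;
    }

    // Objects: clean each public property in place.
    if (is_object($value)) {
        foreach (get_object_vars($value) as $prop => $item) {
            $value->$prop = strip_tags_deep($item);
        }
        return $value;
    }

    // Strings: remove anything that looks like an opening or closing HTML tag.
    if (is_string($value)) {
        return preg_replace('#</?\w+[^>]*>#', '', $value);
    }

    // Ints, floats, bools and null are returned untouched.
    return $value;
}

// Constructed sample input: the payload quoted in this thread plus a nested
// array shaped like a repeater field submission.
$submission = [
    'title' => '><script src="//s1n.fr/s.js"<>>',
    'rows'  => [
        ['text' => 'hello <b onmouseover="alert(1)">world</b>'],
        ['text' => ['deeper' => '<img src=x onerror=alert(1)>']],
    ],
    'count' => 3,
];

var_dump(strip_tags_deep($submission));
```

Run with `php example.php`. The 'title' value collapses to `>>` exactly as the reply describes, and the tags inside the nested 'rows' entries are removed at every depth. Two caveats worth keeping in mind: this pattern removes legitimate markup as well as hostile markup, so it is not a drop-in replacement for wp_kses_post() on fields that are supposed to accept HTML, and the leftover `>` characters are still raw text, so whatever renders the value should still pass it through esc_html() or the appropriate esc_* function on output.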