Exploring XSS in sanitize_text_field of WordPress. It is suppose method to protect about it.

Yeah, it is second post that we speak about sanitize_text_field, some thing is wrong with method or with it say that do. In WordPress documentation say “Sanitizes a string from user input or from the database.” It is suppose that this method save of a Xss Attack, your name is “sanitize text filed”.

The last post we told that this method no protect you when have attacks using path traversal. You can check here.

We have real example of plugin that use sanitize in attribute of tag. And result is that we can broke this method.

Real example:

update_option('wpdb_dropbbox_dir', sanitize_text_field($_POST['wpdb_dropbbox_dir'])

But if put this in field with sanitize_text_field we can broke with this.

" onmouseover=javascript:alert(1); test="

In this code we put command when people set mouse pointer in field, execute command alert.


Before malicious code:

<input type="text" id="wpdb_dest_amazon_s3_bucket" class="form-control" name="wpdb_dest_amazon_s3_bucket" value="test" size="25" placeholder="Buket name" >

After malicious code:

<input type="text" id="wpdb_dest_amazon_s3_bucket" class="form-control" name="wpdb_dest_amazon_s3_bucket" value="\" onmouseover="javascript:alert(1);" \"="" test="\""" size="25" placeholder="Buket name" >

But, why we can do this?

In another post I explain about this specify real case.

But the real problem is that he do many verification but just if the user put ‘<‘ in your request.

But I don’t need put ‘<‘ to do success attack.

The code understand that he will sanitize when we try create a new tag, but I don’t need create a new tag to have success XSS. I can change the actual tag and we can do this.

Look this code in file wp-includes/formatting.php of WordPress Core:

if( strpos( $filtered, '<') !== false ) {
$filtered = wp_pre_kses_less_than( $filtered );
  // This will strip extra whitespace for us.
   $filtered = wp_strip_all_tags( $filtered, false );
  // Use html entities in a special case to make sure no later
  // newline stripping stage could lead to a functional tag
   $filtered = str_replace( "<\n", "<\n", $filtered );

wp_strip_all_tags is a magic method that sanitize special string but just if you have ‘<‘ in your input data.

What the big problem?

The WordPress and many post recommend developers the use him, but you can see in this post and the last one that not save all.

In numbers us exist around 10161 plugins that use sanitize_text_field with method called around 25551 times.

So, by day is just hacking. In next post we will show, how you can protect and the real case.

See you =)

Leave a Reply

Your email address will not be published. Required fields are marked *