Change role with capabilities, update text and packages
1 parent b7362fa, commit 1bfa90f. Showing 11 changed files with 5,117 additions and 9,987 deletions.
@@ -1,28 +1,13 @@ | ||
# Prevent XSS Vulnerability | ||
|
||
This plugin provides the functionality for `Reflected XSS` and `Self-XSS` in | ||
`WordPress`. | ||
This WordPress plugin helps safeguard your website against two common types of Cross-Site Scripting (XSS) vulnerabilities: | ||
|
||
For Reflected XSS, it checks the URL and redirects it if you enabled the `Enable Blocking` | ||
option and URL contains any Vulnerable code in it. It only block some parameters which are | ||
not allowed in URL and shown [here](#block-parameters). You can skip some of the | ||
parameters from it if you still like them to be used. | ||
- **Reflected XSS:** In Reflected XSS, malicious scripts are injected into the URL of a website. When a user clicks on a link containing this malicious script, it can be executed on their browser, potentially stealing their information or compromising their system. | ||
- **Self-XSS:** This occurs when a user's own input on the website is reflected back to them in an insecure manner, allowing malicious scripts to be executed in their browser. | ||
|
||
To provide more security, this plugin also escape the HTML in the `$_GET` | ||
parameter which is commonly used to get parameters in PHP from the URL and | ||
print them in the HTML. This way, HTML properties will not work if anyone | ||
provided it in the URL. | ||
This plugin provides several layers of protection: | ||
|
||
There are many ways by which the plugin can be tested but it may varies for | ||
different sites according to their structure and development functionality. | ||
|
||
If you like to get help or have any query then please feel free to reach me at | ||
[[email protected]](mailto:[email protected]). | ||
|
||
## Block Parameters | ||
|
||
This plugin block the following parameters in the URL if enabled from the | ||
Plugin Settings. | ||
**Blocking:** When enabled, the plugin scans URLs for specific parameters. If any of the listed parameters are found in the URL, the plugin redirects the user to prevent potential XSS attacks. You can customize the list by excluding specific parameters you still want to allow. | ||
|
||
| Symbol | Name | | ||
|:------:|:----------------------:| | ||
|
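Review bot: The new intro sentence "This plugin provides several layers of protection:" ends in a colon but nothing follows it in this hunk; the layer descriptions (**Blocking:**, **Encoding:**, **Escaping HTML in `$_GET`:**) are placed under their own headings further down, so the colon dangles. Either close the sentence with a period or add a three-item bullet list naming the layers right there. Also, the two new bullets read almost identically (both describe a script reflected into the page and executed in the user's browser), so the Reflected XSS / Self-XSS distinction the README claims to cover is not clear from this text; spell out how the two differ, or tie the Self-XSS bullet to the `$_GET` escaping the plugin performs.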
@@ -35,13 +20,7 @@ Plugin Settings. | |
| \| | Pipe or Vertical Bar | | ||
| `}` | Closing Curly Bracket | | ||
|
||
> :information_source: You can exclude any of the pre-defined parameter(s) or | ||
> include any other parameter(s) from the Plugin Settings page. | ||
## Encode Parameters | ||
|
||
This plugin encode the following parameters in the URL if enabled from the | ||
Plugin Settings. | ||
**Encoding:** For additional security, the plugin encodes certain characters within the URL parameters. This prevents malicious code from being executed even if it's included in the URL. You can also exclude specific parameters from being encoded. | ||
|
||
| Symbol | Name | | ||
|:------:|:----------------------:| | ||
|
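Review bot: Removing the `:information_source:` note here loses the statement that users can also *include* additional parameters from the Plugin Settings page; the replacement **Blocking:** paragraph in the previous hunk only says listed parameters can be excluded. If the include option still exists, add a sentence to that paragraph ("You can also add parameters of your own to the block list."); if it was removed, say so in the commit message. Minor: `**Encoding:**` directly under the `## Encode Parameters` heading repeats the heading; a plain paragraph reads better.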
@@ -61,25 +40,14 @@ Plugin Settings. | |
| \| | Pipe or Vertical Bar | | ||
| `}` | Closing Curly Bracket | | ||
|
||
> :information_source: You can exclude any of the pre-defined parameter(s) to | ||
> being encoded from the Plugin Settings page. | ||
## Escape HTML in `$_GET` Variable | ||
|
||
This plugin escape HTML in `$_GET` variable. `$_GET` variable is mostly used | ||
to put the values in HTML from the URL. This Check is quite useful if your site | ||
using/getting anything from the URL and printing it in HTML. It secures your | ||
Search and other sections as per your site functionality. | ||
**Escaping HTML in `$_GET`:** This plugin automatically escapes HTML characters within the `$_GET` variable. This is crucial if your website retrieves data from URLs and displays it in the HTML content. This helps prevent malicious scripts from being injected through user-controlled input. | ||
|
||
> :information_source: Make sure to check your forms after activating the plugin and if you | ||
> have woocommerce site then please also check the cart and checkout process. | ||
### Important Notes: | ||
|
||
## Bug reports | ||
* After activating the plugin, thoroughly test your website forms, especially if you use WooCommerce. Ensure the plugin doesn't disrupt your cart and checkout processes. | ||
* Bug reports for this plugin are welcome on GitHub: [https://github.com/samiahmedsiddiqui/prevent-xss-vulnerability/issues](). Please note that GitHub is not a support forum, and only genuine bug reports will be addressed. | ||
|
||
Bug reports for Prevent XSS Vulnerability are | ||
[welcomed on GitHub](https://github.com/samiahmedsiddiqui/prevent-xss-vulnerability/issues). | ||
Please note GitHub is not a support forum, and issues that aren't properly qualified as bugs | ||
will be closed. | ||
By implementing this plugin and following the recommendations, you can significantly enhance your website's security against XSS attacks. | ||
|
||
## Installation | ||
|
||
|
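Review bot: The bug-report bullet uses `[https://github.com/samiahmedsiddiqui/prevent-xss-vulnerability/issues]()` with an empty link target, which renders as a dead link; write it as `<https://github.com/samiahmedsiddiqui/prevent-xss-vulnerability/issues>` or put the URL inside the parentheses as the removed `[welcomed on GitHub](...)` line did. The closing sentence "you can significantly enhance your website's security against XSS attacks" is stronger than the README supports; prefer wording that matches the caveats already in the Important Notes (escaping applies to `$_GET` only, and forms and WooCommerce cart/checkout flows need testing after activation). Minor: the `### Important Notes:` heading should not end with a colon.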
@@ -101,22 +69,20 @@ or Manually from FTP. | |
|
||
### After activation | ||
|
||
1. Navigate to the `Prevent XSS Vulnerability` page from the Admin Dashboard | ||
1. Navigate to the `Prevent XSS Vulnerability` page from the Admin Dashboard | ||
2. Make the changes as per your site functionality | ||
3. You're done! | ||
|
||
## Frequently Asked Questions | ||
|
||
**Q. Why should I install this plugin?** | ||
|
||
A. Installing this plugin is the easiest way to protect your site from XSS Vulnerability. | ||
A. Installing this plugin is the easiest way to protect your site from XSS Vulnerabilities. | ||
|
||
**Q. Does this plugin escape HTML in printing search?** | ||
|
||
A. Yes, this plugin escape HTML in `$_GET` variable which is mostly use to print the data | ||
from the URL to HTML. If your site is using `$_GET` then it is safe and the HTML will be | ||
escaped otherwise you need to check. | ||
A. Yes, this plugin escapes HTML in `$_GET` variable, which is commonly used to print data from the URL to HTML. However, if your site relies heavily on `$_GET` for other purposes, you may need to conduct thorough testing to ensure compatibility. | ||
|
||
**Q. Does this plugin has any conflict with any other plugin?** | ||
**Q. Does this plugin have any conflict with any other plugin?** | ||
|
||
A. No, this plugin doesn't have any conflict with any plugin until now. | ||
A. While no major conflicts have been reported, it's always a good practice to test your website thoroughly after installing any new plugin. |
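Review bot: The rewritten FAQ answer on search escaping drops the coverage caveat from the old text: the removed lines said that only output taken from `$_GET` is escaped and anything else "you need to check", while the new answer talks about compatibility testing instead. Keep the caveat, e.g. "Only values read from `$_GET` are escaped; output obtained any other way must still be escaped by your theme or plugin." Also, step 1 of "After activation" is shown as both removed and added with identical visible text, so this is presumably a whitespace-only change; worth confirming nothing else changed on that line.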