I have a client whose website I created with WordPress. It has a contact form created with contact form 7. This client is a subsidiary of a larger organization who’s IT department runs scans on their subdomains. The asked my client to protect Contact Form 7 from malicious scripts or take it down.
When I asked for an example of what they tested, my client informed me that they run tests to see if a script could be inserted into a input (ie: <script>alert('hello');</script>) field or as a url string (ie: www.mydomain.com/contact?<script>alert('hello');</script>).
With the query string, the contact form sets the action to: action="/?scriptalert('hello');/script#wpcf7-f1-p6-o1". My first question would be, will this harm anything since the “<” and “>” has been removed from the string?
If so, is there anything I can add to remove the possibility of running scripts in this contact form?
HTML Encoding is one way to prevent any HTML/JS from taking effect. It’s a good idea to encode any user-supplied value before displaying it in the page.
See http://ca3.php.net/manual/en/function.htmlentities.php