I am trying to write a short plugin that will filter HTML characters from the search form. In the event someone enters <script>alert('some infectious js!');</script> into the search form, I want to remove the possibility of this command being entered into the search form.
I tried this:
function SearchFilter( $query ) {
    if ( is_search() ) {
        $query = strip_tags( $query );
        return;
    }
}
add_action( 'pre_get_posts', 'SearchFilter' );
When I go to test it, I enter <script>alert('some infectious js!');</script> above into the search field and all I get is a blank white page in WordPress. The search still works, but anytime I type in script it breaks the box. This seems odd, that WordPress doesn’t handle this by default, OR am I totally wrong on this?
Thanks in advance.
WP does handle that case already; the script will never be executed, because the function the_search_query() will return its output escaped. Escaping this prior to the actual search would break searching in code. If you blog about script injections, your visitors should be able to search for that.
Update
Here is one of my older plugins. It enables searching in escaped code and breaks the search for unescaped <, & or >. Unfortunately, it has some side effects when it is used together with search plugins like Relevanssi or Search Unleashed. Might be a start if you want to touch the search string early enough.
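As an added illustration (not code from either poster or from WordPress itself): the asker's callback hands the whole WP_Query object to strip_tags(), but in pre_get_posts the search term lives in $query->get('s'). The snippet below shows how such a hook is written if you do want to touch the term, and, on the output side, where WordPress's own escaping already neutralises the script tag, which is the point the answer makes. The function names prefixed example_ are assumptions chosen for this illustration.

```php
<?php
/*
Plugin Name: Example Search Term Filter
Description: Illustration only; strips tags from the search term before the query runs.
*/

// pre_get_posts passes the WP_Query object by reference; it is not the search string.
function example_filter_search_term( WP_Query $query ) {
    // Limit the change to the front-end main search query, not admin or secondary loops.
    if ( is_admin() || ! $query->is_main_query() || ! $query->is_search() ) {
        return;
    }

    $term = $query->get( 's' );
    if ( ! is_string( $term ) || $term === '' ) {
        return;
    }

    // wp_strip_all_tags() drops <script>...</script> blocks including their content.
    // Trade-off noted in the answer: a visitor searching for "<script>" on a blog
    // about injections will no longer find those posts.
    $query->set( 's', wp_strip_all_tags( $term ) );

    // Actions return nothing; the object has been modified in place.
}
add_action( 'pre_get_posts', 'example_filter_search_term' );

// Output side: this is where the actual protection lives, with or without the hook above.
function example_render_search_heading() {
    // get_search_query() runs the term through esc_attr(), so a submitted
    // <script>alert('x');</script> is printed as &lt;script&gt;... and never executes.
    printf( '<h2>Search results for: %s</h2>', get_search_query() );
}
```

Dropping the pre_get_posts hook leaves searching for literal code intact while the escaped output still renders the term as inert text.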