At WordCamp Europe I attended the talk by Brad Williams on Writing Secure WordPress Code and I would like to make sure that I implement these tips in my own code.
In his presentation he gives the following example:
BAD:
<?php
$title = "<script> alert( 'Hello Europe!' );</script>";
?>
<h1><?php echo $title; ?></h1>
GOOD:
<?php
$title = "<script> alert( 'Hello Europe!' );</script>";
?>
<h1><?php echo esc_html( $title ); ?></h1>
Although I realise that this is a very simple example, my question is how – or perhaps more importantly when – would someone be able to add something like <script> alert( 'Hello Europe!' );</script> in the first place?
Though I am no expert in XSS, I do know some of the ways someone can abuse these techniques.
For example, I was once pointed to the fact that visitors were able to execute JavaScript via the search field of a website, because the input of the search field didn’t get stripped of its HTML tags (like the example above actually does). This way, people were able to get valuable information about the server, by executing certain scripts via the search field.
As I said, I am no expert, so I don’t know what can actually be achieved through XSS. I do know you’re better off securing your website than finding out.
Apart from that, Google is your best friend.
I hope this was helpful, good luck!
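To tie the question's `esc_html()` example to the search-field case in the answer, here is an added, self-contained script (not code from the question, the answer, or Brad Williams's talk). It assumes the search term arrives in the `s` query parameter, as on a standard WordPress search URL, and defines a stand-in `esc_html()` so it also runs outside WordPress; inside WordPress the real function is used.

```php
<?php
// Added example: where the "$title" in the question comes from in practice and why
// escaping at output time matters. Not part of the original question or answer.

if ( ! function_exists( 'esc_html' ) ) {
    // Stand-in for WordPress's esc_html() when this script runs outside WordPress
    // (assumption: plain PHP). It encodes &, <, >, " and ' so the browser shows
    // them as text rather than interpreting them as markup.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// This is the "when": the value is whatever the visitor put in the search box
// (or directly in the URL, e.g. ?s=...). The fallback is a constructed sample
// input equal to the string from the talk, used so the script runs offline.
$search_term = $_GET['s'] ?? "<script> alert( 'Hello Europe!' );</script>";

// BAD: the visitor's text is inserted into the page unchanged, so any tags in it
// become part of the page and a <script> tag is executed by the browser.
function render_search_heading_bad( $term ) {
    return '<h1>Search results for: ' . $term . '</h1>';
}

// GOOD: escape at the moment of output. The same text now renders as literal
// characters; the page shows the visitor what they typed and nothing runs.
function render_search_heading_good( $term ) {
    return '<h1>Search results for: ' . esc_html( $term ) . '</h1>';
}

echo render_search_heading_bad( $search_term ), PHP_EOL;
echo render_search_heading_good( $search_term ), PHP_EOL;
```

Run it from the command line to compare the two lines of output: the first contains a live `<script>` tag, the second contains `&lt;script&gt;`, which a browser displays as text.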