Our site was facing an XSS injection issue where we were able to inject JavaScript code into the search bar. We tried sanitizing the user input in the template code, which was using https://github.com/WordPress/wordpress-develop/blob/f0a27d908b41368b568189c48b65d873610f5e99/src/wp-includes/general-template.php#L4306-L4320 to get the search query, but that didn't help, as it was injecting the code first and then escaping the string. So is it possible to modify the WP_QUERY class such that, before making the search query, we can strip the search query to include only alphanumeric values, preventing injection of any type of code?

    We tried applying esc_attr on $q['s'] and it helped with the XSS injection, but since it's a change to core WordPress it's not suggested. Is there a better way to do this, or something where WordPress can be modified to fix this permanently?


Viewing 11 replies - 1 through 11 (of 11 total)
    Hi @sakirbeg,

    Could you provide a search term with XSS injection so I can reproduce this issue? This sounds like something that needs to be fixed in core WordPress, and I might be able to submit a fix.

    Thread Starter sakirbeg

    (@sakirbeg)

    Just for clarification, we are facing this issue on our own site created using WordPress.
    Search Term: ‘”–></style></scRipt><scRipt>alert(0x03BF8B)</scRipt>

    While going through the theme code which we are using, I found the search form is using the get_search_query() method, which as per WordPress is sanitized, although we were able to inject the JS code into the search bar. And while going through the WordPress code we found it's related to the WP_QUERY class.

    Hence I needed help regarding this, if there's a way to fix this at the WordPress end.

    Let me know if you need any other info.

    Thanks for the clarifications. I just tested the search term you provided on a fresh install of wordpress-develop and cannot reproduce the issue, so this could be specific to the theme you’re using.

    The steps I followed were:

    1. Start wordpress-develop local environment (instructions)
    2. Go to https://localhost:8889 in the browser
    3. Enter --></style></scRipt>alert(0x03BF8B)</scRipt> as the search term and click Search button
    4. Browser navigates to https://localhost:8889/?s=--%3E%3C%2Fstyle%3E%3C%2FscRipt%3E%3CscRipt%3Ealert%280x03BF8B%29%3C%2FscRipt%3E
    5. The alert does not show

    In your site does this procedure result in the alert being shown?

    Could it be that get_search_query() is being called with the $escaped parameter set to false?

    $escaped: Whether the result is escaped. Default true. Only use when you are later escaping it. Do not use unescaped.

    Thread Starter sakirbeg

    (@sakirbeg)

    Yeah, you are right. It seems the issue is with the theme we are using. Could you help me understand how exactly the search form is created in custom themes and how we can prevent XSS injection?

    I could find search.php under the theme/p-xel (name of the theme) folder, but it had the following code to use blog.php:

```php
<?php
/*
Template Name: Search results
*/
get_template_part('blog');
?>
```

    Thread Starter sakirbeg

    (@sakirbeg)

    I think it's using blog.php to generate the search results page, but I am not sure where it is actually posting the search term to generate the WP_QUERY to search for posts, and where exactly we have to sanitize the input.

    Let me know if you need any information.

    In a vanilla WordPress install, the search flow is as follows:

    1. User enters search term into the search input and clicks Search
    2. Browser goes to https://example.com/?s=abc, where abc is the search term
    3. WordPress receives the request and parses the search term
    4. WordPress calls search.php on the active theme
    5. search.php renders the search results page, and can call the_search_query() or get_search_query() (display or return the search term, respectively). Some more info.

    For both these functions, the docs say: “The search query string is passed through esc_attr() to ensure that it is safe for placing in an HTML attribute”.

    In your case, if I understood correctly, the theme’s search.php is calling the blog template_part, which you should be able to find at theme-name/template-parts/blog.php.

    If blog.php is making use of the_search_query() or get_search_query(), then the search term should be correctly escaped. But since it isn't, blog.php must be doing something else.

    If you place a var_dump(get_search_query()) in blog.php, what does it output?
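The difference between an escaped and an unescaped search term inside the input's value attribute, as an added PHP illustration that is not part of this reply, the theme or WordPress core; `esc_attr()` is stood in by a minimal wrapper so it runs outside WordPress, and the `render_search_input_*` and `term_is_safely_embedded` names are assumed:

```php
<?php
// Added illustration, not code from the thread's theme or from WordPress core.
// esc_attr() is replaced by a minimal stand-in so the script runs outside WordPress;
// the real esc_attr() additionally normalises the charset and avoids double-encoding entities.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// The pattern to look for in a theme: the term lands in value="..." without attribute
// escaping (e.g. get_search_query(false) or $_GET['s'] echoed directly).
function render_search_input_unescaped(string $term): string {
    return '<input type="text" name="s" value="' . $term . '" />';
}

// What get_search_query() with $escaped = true gives you: quotes and angle brackets become
// entities, so the term cannot terminate the attribute or the tag.
function render_search_input_escaped(string $term): string {
    return '<input type="text" name="s" value="' . esc_attr($term) . '" />';
}

// Quick check a reviewer can run on rendered markup: if the term contains a double quote
// and still appears verbatim in the output, the attribute was not escaped.
function term_is_safely_embedded(string $html, string $term): bool {
    return strpos($term, '"') === false || strpos($html, $term) === false;
}

// Constructed test term (not the reporter's payload): closes the value attribute and the tag.
$term = '"><em>injected</em><input value="';

$unsafe = render_search_input_unescaped($term);
$safe   = render_search_input_escaped($term);

printf("unescaped markup: %s\n  safely embedded? %s\n",
    $unsafe, var_export(term_is_safely_embedded($unsafe, $term), true));
printf("escaped markup:   %s\n  safely embedded? %s\n",
    $safe, var_export(term_is_safely_embedded($safe, $term), true));
```

Running it shows the unescaped rendering failing the check and the escaped one passing, which is the behaviour to confirm for every place the theme echoes the search term.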

    Thread Starter sakirbeg

    (@sakirbeg)

    I read through blog.php; it's not making use of the_search_query() or get_search_query(), but get_search_query() is being used in multiple files as follows:
    1. themes/theme-name/shortcodes/trx_optional/search.php
    2. themes/theme-name/no-search.php
    3. themes/theme-name/searchform.php
    After going through all three files I found search.php contains the shortcode implementation of the search form, but even that is using the get_search_query() method with the escaped flag enabled. Not sure why it's not escaping.

    • This reply was modified 1 year, 10 months ago by sakirbeg.
    Thread Starter sakirbeg

    (@sakirbeg)

    Even searchform.php uses get_search_query(), and a form is declared in the file, but I tried changing a value in the form and it does not change anything on the site.

    searchform.php for reference:

```php
<form role="search" method="get" class="search_form" action="<?php echo esc_url(home_url('/')); ?>">
    <input type="text" class="search_field"
           placeholder="<?php esc_attr_e('Search', 'p-xel'); ?>"
           value="<?php echo get_search_query(); ?>"
           name="s"
           title="<?php esc_attr_e('Search for:', 'p-xel'); ?>" />
    <button type="submit" class="search_button icon-search7" href="#"></button>
</form>
```

    Would it be possible for you to provide a link to the site so I could take a look?

    What I would do to debug this issue would be to comment out all the calls to get_search_query() or the_search_query() in the theme code, and see if the problem persists, then uncomment one by one to identify the problematic one.

    If the changes you make aren’t being reflected on the site, maybe there’s some caching going on, so probably that would need to be figured out first. If you’re using a caching plugin, typically being logged-in should result in no caching.

    • This reply was modified 1 year, 10 months ago by Paulo Pinto. Reason: Mentioned caching plugins should not matter when logged in
    Thread Starter sakirbeg

    (@sakirbeg)

    Apologies, as this site is internal to our organization I was checking with the security team regarding sharing the URL.

    Thanks a lot for the suggestion. Will debug the issue and update.

The topic ‘Modify WP_QUERY class to sanitize search query input to prevent XSS injection.’ is closed to new replies.