WordFence locked me for XSS using plugin

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author John Havlik

    (@mtekk)

    Wordfence is likely being way too restrictive. It sounds like it is miss-identifying the HTML in the breadcrumb templates as a script. This is likely a false-positive. If you want, you can check the breadcrumb template values against the defaults:

    Un-linked default: <span property="itemListElement" typeof="ListItem"><span property="name" class="%type%">%htitle%</span><meta property="url" content="%link%"><meta property="position" content="%position%"></span>

    Linked default: <span property="itemListElement" typeof="ListItem"><a property="item" typeof="WebPage" title="Go to %title%" href="%link%" class="%type%" bcn-aria-current><span property="name">%htitle%</span></a><meta property="position" content="%position%"></span>

    An additional note, Breadcrumb NavXT runs all settings that can contain HTML through wp_kses to ensure only a small valid subset of HTML tags and attributes are allowed to actually be saved to the database or presented to users (scripts are not allowed).

    Thread Starter Jim

    (@jwmc)

    Yes, matches defaults. Good to know, thanks.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘WordFence locked me for XSS using plugin’ is closed to new replies.