Prevent scripts in navigation buttons

In terms of website security, we can talk about the XSS attack. This type of attack relies on providing javascript code inside fields, to execute this code on-page. WPJobBoard covers such a situation and escapes all strings before displaying, so you will see all script tags in for example job title, instead of code that will be executed, so for this case, WPJobBoard is safe.

But, most themes use previous/next navigation buttons, on the bottom or top of the page, to navigate. Those buttons in most cases use post title as a link. Unfortunately, not all themes authors, escapes titles of those links. In this case, such a script may be executed, even if you do not use these buttons (some themes, only hide those buttons instead of not adding code at all).

If you do not know how to add snippets properly, take a look at our documentation file, where we explained how you can do this.

If your theme author let you down, and text is not escaped, we created a simple snippet, that will help you to protect your page.

add_filter( 'previous_post_link', 'filter_single_job_pagination', 10, 4);
add_filter( 'next_post_link', 'filter_single_job_pagination', 10, 4);

public function filter_single_job_pagination( $output, $format, $link, $post ) {

    if( get_post_type( $post ) != "job" ) {
       return $output;
    }

    $title = get_the_title($post);
    $url = get_permalink($post->ID);
    $class = '';
    $rel = 'prev';

    $title = esc_html( $title );

    if('next_post_link' === current_filter()){
       $rel = 'next';
       $title .= '<span class="meta-nav">&rarr;</span>';
    } else {
       $title = '<span class="meta-nav">&larr;</span>' . $title;
    }

    return "<a href='$url' rel='$rel' class='$class'>$title</a>"; 
}

Leave a Reply

Your email address will not be published.