Improving Defence Against XSS

[elliotcondon]

Cross-site scripting or XSS is one of the most popular vulnerabilities among WordPress Core, Plugins and Themes. This vulnerability is best though of as a missing "filter" in the PHP pipeline when displaying user-generated content, which can allow unauthorized JavaScript code to be executed on a website.

If you're interested in learning more about XSS, I found this article to be very helpful: Cross Site Scripting (XSS) Attack Tutorial with Examples, Types & Prevention

Luckily, WordPress provide an arsenal of tools to help defend against XSS such as the many esc_xxx() functions in combination with wp_kses(), which help strip out or encode HTML tags, and prevent a browser from executing the potentially dangerous HTML.

At ACF, we're constantly making improvements to combat XSS and are excited to announce a new opt-in feature is available for testing. This feature is currently considered "experimental" whilst we encourage developers such as yourself to enable, test and report back with real world results. So how does it work and what will it do?

Once enabled, all user-generated content displayed within Advanced Custom Fields such as Field labels and instructions will be passed through the wp_kses() function with a context of "acf". As a result, inline <script> and <iframe> tags will be removed along with potentially dangerous attributes (mimicing WP core behavior). Note: script tags are already removed by default.

It is important to note the scope of this improvement. This will not effect Field values loaded through API functions such as get_field() and the_field(). We don't make any assumptions about where you are using your Field values within your theme and do not apply escaping to them as a result.

The custom context of "acf" will allow for 3rd party customization of the allowed HTML tags and attributes - which there are a lot of: XSS Filter Evasion Cheat Sheet.

How to test

To help test our improved XSS defence, please update to the latest version of ACF (5.9.6+) and add the following line of code to your wp-config.php file:

define( 'ACF_EXPERIMENTAL_ESC_HTML', true );

Then, simply go about your web developing business and report back with a 👍 or 👎. If you do come across an issue, please let us know in the comments below.

How to extend

By using a custom context, it is possible to customize the allowed HTML tags and attributes for ACF user-generated content without affecting other parts of your WordPress website. For example, if you wish to enable support for <iframe> elements within Field instructions, the following snippet could be used within the functions.php file:

add_filter( 'wp_kses_allowed_html', function( $tags, $context ){
    if( $context === 'acf' ) {
        $tags['iframe'] = array(
            'src'             => true,
            'height'          => true,
            'width'           => true,
            'frameborder'     => true,
            'allowfullscreen' => true,
        );
    }
    return $tags;
}, 10, 2 );

It is my absolute pleasure to be implementing this improvement to the plugin and thank you all for your help!

Thanks Elliot

[CreativeDive]

@elliotcondon currently the download of 5.9.6 at https://www.advancedcustomfields.com/my-account/view-licenses/ is not available :-)

[elliotcondon]

Caching. All fixed now.

[CreativeDive]

@elliotcondon Thank you. Ready for testing now :-)

[mattgrshaw]

Closing since this has been implemented in 5.10.