Validating ajax search

Is there a way to prevent user from entering script tag to the form?

Yes, escaping. It is one of the fundamental cornerstones of web security, and completely missing from the code in the question.

Take this example:

<a href="<?php echo $foo; ?>">

How do we know it’s actually a URL? Your colleague has said it should be a URL, but do we really know for sure? What if we got hacked?

Escaping allows us to guarantee it will always be a URL. Even if $foo contains javascript code, a phone number, PI to 300 digits, doesn’t matter. Escaping enforces expectations, even if the result is broken and mangled, it’s guaranteed to be a URL.

<a href="<?php echo esc_url( $foo ); ?>">

Now we can rest safely assured that nothing can break out of the href attribute, that the anchor tag won’t be used to insert arbitrary HTML. It might contain a malicious URL, but it will always be a URL ( http://img%20src=x%20onerror=alert(test) ).

Escape right at the moment of output or as close as is possible.

There are lots of other escaping functions provided by WordPress and by PHP, each appropriate for different situations, such as plaintext, numbers, etc

Related Posts:

  1. How to include code only on specific pages?
  2. Disabled plugins are they security holes – rumor or reality?
  3. What could a hacker do with my wp-config.php
  4. Should we use plugins that aren’t available from the official WordPress site?
  5. Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?
  6. Should I install plugins to my WordPress installation from web sites having in URL “nulled” or, “null”?
  7. Disabled plugins are security holes – rumor or reality?
  8. Why is the unrendered widget number `__i__` showing up in the JavaScript but not in the HTML?
  9. How to Reload the Dashboard After Clicking Update in Quick-Edit?
  10. Ajax call doesn’t work in frontend but it’s working in backend (when I’m logged in)
  11. Prevent Brute Force Attack
  12. White text on white background in TinyMCE when wp_editor is called in WP 3.9
  13. What’s the best plugin for allowing javascript in a post or page? [closed]
  14. Is it possible to filter the wp_footer() scripts, read the content, and insert them inline?
  15. How can I make the “Preview Post” button save and preview in the same window?
  16. When is it useful to use wp_verify_nonce
  17. Disable / Deregister all JS from all plugins
  18. Has anyone used require.js for handling plugin scripts?
  19. Passing RichText attributes to function onChange
  20. javascript onload calling a function of a plugin
  21. Weird problems after recovery from security breach
  22. How can we deal with unmaintained plugins with vulnerabilities?
  23. Escape when echoed
  24. Preventing BFA in WordPress without using a plugin
  25. JQuery not working in my plugin [closed]
  26. How can I make uploaded images in the editor load with HTTPS?
  27. How to load plugin after page is loaded – pagespeed issues
  28. How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?
  29. WordPress filter that hook after each action/filter hook
  30. How to disable specific plugin in mobile version?
  31. Updating the Drag-To-Share eXtended share URLs?
  32. add image crop function like in wp customizer
  33. Calculate price and display on woocommerce product single page under price (simple price, variable price) [closed]
  34. How to edit content before post update
  35. wp.media javascript issue with on select
  36. Why can’t I access my Intranet LDAPS with NADI?
  37. WordPress + JavaScipt + AJAX + MySQL: insert query for form
  38. Advanced AJAX Page Loader ignores other JS code
  39. accessing wp.media api from a tinymce plugin
  40. How to load wp_editor via AJAX
  41. Stop Plugin Enumeration [closed]
  42. WordPress 3.8.3. custom theme – sliders won’t load js/css files
  43. Hack-Proof OR Security in WordPress — is it real?
  44. Redirect to another page using contact form 7? [closed]
  45. Security and Must Use Plugins
  46. Is Timthumb still broken? What security measures should be taken?
  47. JavaScript in a PHP plugin
  48. Is it safe to use admin-ajax.php in the frontend?
  49. How do I add some javascript validation to the admin interface form’s onsubmit?
  50. Specific way to allow WordPress users to view their current password? And edit it?
  51. How to prevent plugins from sniffing/stealing other plugins’ options?
  52. How to generate an all in one WordPress New content, plugin and theme update report on a website? [closed]
  53. How use wp media upload liberary in react components?
  54. How to use custom Javascript code inside a plugin?
  55. JQuery needs to be defined in , but Gravity Forms is defining it in the
  56. Executing Javascript in Plugin
  57. If I use an alternative login (e.g. CAS or other SSO) plugin, is my site protected from the recent brute force login attempts?
  58. What’s the default setting for including a in a post
  59. WP Insert Post If user refreshes override new post
  60. Website Captcha Error: The reCAPTCHA wasn’t entered correctly
  61. Code for unique user visit count on every page WordPress
  62. WordPress search shows protected content
  63. Set Button in PluginDocumentSettingPanel Content (WordPress Gutenberg)
  64. Can I disable xml-rpc by setting it to false?
  65. Upload Javascript and json webpage to wordpress
  66. Help to Create a Simple Plugin to make a post
  67. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  68. Fixed: Console.log twice in the edit function
  69. Javascript embedded disappears for editors
  70. Trouble with AJAX using GET
  71. How can I create a secure file download in WordPress?
  72. front end editor creation for Restropress plug in – displaying information from a WP admin area, on a different URL
  73. WordPress site hamburger menu toggle not working
  74. How to get Angular app working in WordPress plugin?
  75. Custom Field used to allow a Free Story; no longer works
  76. Create a form and have custom menu display based on user answers?
  77. “Fire Secure” menu item
  78. https rewrite not working for All in one security Brute force > rename login url
  79. Enabling plugin on specific pages and subpages
  80. how to send two forms with one click (script ninjaforms id)
  81. How to print shortcode with js in visual composer?
  82. Link in navigation menu send user to different page if mobile?
  83. How to limit each front-end user to view just his own uploaded files on Amazon S3?
  84. Need to hide an element depending on date and post category
  85. using .htaccess only for wordpress security no plugins
  86. contact 7 plugin stops some pages from working properly
  87. Can’t insert files in other inputs
  88. Is it possible to run javascript on plugin deactivated?
  89. How do I output user_registered time in my correct timezone?
  90. Ajax in Plugins: returns the whole page
  91. How to tweak a plugin without preventing it from updating
  92. Defer parsing of JavaScript [duplicate]
  93. How do I put a word-press blog into my static site without installing wordpress on server?
  94. How I can hide my wp folders from Inspect Element (Developer Tools)
  95. How to Find WordPress site has backdoor login Codes
  96. How to delete Password Protected posts cookies when a user logged out from the site
  97. how to embed a crop feature for cropping images uploaded by the user
  98. Beginner question: Accessing js script in plugin
  99. Select posts from list and add them in a new list
  100. Stop the user if login from the cookies