## Sanitize get_query_var() URL parameters

Question

I am currently working on a site and testing its security. One of the pages has a sort feature where I pass a URL parameter specifying how I would like the content sorted.

For example:

www.example.com/page/?sort=alpha


This works fine, but I tried to send malicious code as well:

www.example.com/page/?sort=alpha%3Cimg+src=xyz+onerror=alert(99)%3E%3Cxss/%3E


In Internet Explorer, when I enter this URL my page shows up and a JavaScript alert pops up, so I was able to execute some code on the page. Inside of Chrome I get the message that the XSS auditor has blocked this execution, but I would rather it never even be attempted. From what I can see, this parameter is accepted in my header.php file under `Sort : <?= get_query_var('sort') ?>`.

I want to sanitize this input so that it will never execute such a script, how can I do this?

Asked 2019-10-26T03:45:10-05:00 · 0 Answers · 222 views
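The fix the question is asking for, as an added example rather than anything from the original post or from WordPress itself: validate the `sort` value against an allow-list of the sort modes the page actually supports, and escape it with `esc_html()` on output anyway so that even an unexpected value cannot become markup. The function `sort_param_or_default()`, the constant `ALLOWED_SORTS` and its values, and the two shims that let the file run outside WordPress are assumptions made for this example; `get_query_var()` and `esc_html()` are the real WordPress functions a theme would call.

```php
<?php
// Added example, not from the original question or from WordPress core.
// Assumptions: the ALLOWED_SORTS values and the sort_param_or_default()
// helper are invented here; the shims below only exist so the file runs
// from the CLI without WordPress loaded.

// The sort modes the template supports. Anything else is rejected, so
// attacker-controlled markup never reaches the page at all.
const ALLOWED_SORTS = ['alpha', 'date', 'popular'];

// Shims for running outside WordPress. Inside a theme these functions
// already exist and the real ones are used; these stand-ins mirror the
// WordPress behaviour closely enough for the demonstration.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        // Escape &, <, >, " and ' so the value is inert as HTML text.
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('get_query_var')) {
    // Constructed stand-in: return the raw query-string parameter.
    function get_query_var(string $var, $default = '')
    {
        return $_GET[$var] ?? $default;
    }
}

/**
 * Validate the incoming sort value against the allow-list.
 *
 * Returns the canonical sort mode, or $default when the input is not a
 * string or is not one of the supported values. Validation happens before
 * the value is used for anything (sorting logic or output).
 */
function sort_param_or_default($raw, string $default = 'alpha'): string
{
    if (!is_string($raw)) {
        return $default;
    }
    $candidate = strtolower(trim($raw));
    return in_array($candidate, ALLOWED_SORTS, true) ? $candidate : $default;
}

/**
 * What header.php should emit for the "Sort :" label.
 * Validated first, then escaped on output as defence in depth.
 */
function render_sort_label($raw): string
{
    return 'Sort : ' . esc_html(sort_param_or_default($raw));
}

// Constructed inputs: a legitimate value, the payload from the question,
// a differently-cased legitimate value, and a non-string (PHP turns
// ?sort[]=x into an array).
$inputs = [
    'alpha',
    'alpha<img src=xyz onerror=alert(99)><xss/>',
    'DATE',
    ['x'],
];
foreach ($inputs as $raw) {
    $shown = is_string($raw) ? $raw : 'array(...)';
    printf("%-45s -> %s\n", $shown, render_sort_label($raw));
}
```

In header.php the vulnerable line `Sort : <?= get_query_var('sort') ?>` becomes `Sort : <?= esc_html(sort_param_or_default(get_query_var('sort'))) ?>`. `esc_html()` alone is enough to stop the injected tag from rendering, because `<` and `>` are emitted as entities; the allow-list is what keeps the value safe for the sorting code as well, and it means the payload in the question falls back to the default rather than being echoed in escaped form. Run from the CLI, the script prints the escaped label for each constructed input, with the payload and the array both collapsing to `Sort : alpha` and `DATE` normalising to `Sort : date`.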