Recently we developed a custom theme for our WordPress website,
and I've used the native WordPress comment system; the code is something like below.
The question is: how could we protect the comment form from XSS attacks? It seems that scripts like <script>alert('hi');</script>
run simply on the comments form.
Any idea?
Thank you.
<section>
    <main>
        <div class="comment-area">
            <h2 class="comment-title -pb-20">
                number of comments: <span><?php echo get_comments_number(); ?></span>
            </h2>
            <div class="comment-form">
                <h3>Insert your comment here please.</h3>
                <?php
                // Labels passed to comment_form() are escaped by core before output.
                $arg = array(
                    'title_reply'          => '',
                    'comment_notes_before' => '',
                    'label_submit'         => 'submit',
                );
                comment_form( $arg );
                ?>
            </div>
            <?php if ( have_comments() ) : ?>
                <div class="comment-list">
                    <h1>all comments</h1>
                    <ul>
                        <?php
                        // wp_list_comments() prints each comment body via comment_text(),
                        // which runs the stored content through the 'comment_text' filter.
                        $args = array(
                            'style'             => 'ul',
                            'callback'          => null,
                            'end-callback'      => null,
                            'type'              => 'comment',
                            'reply_text'        => 'reply',
                            'page'              => '',
                            'per_page'          => '',
                            'avatar_size'       => 32,
                            'reverse_top_level' => true,
                            'reverse_children'  => '',
                            'format'            => 'html5',
                            'echo'              => true,
                        );
                        wp_list_comments( $args );
                        ?>
                    </ul>
                </div>
                <div class="comments-pagination">
                    <?php if ( get_comment_pages_count() > 1 && get_option( 'page_comments' ) ) : ?>
                        <div>
                            <?php previous_comments_link( 'prev' ); ?>
                        </div>
                        <div>
                            <?php next_comments_link( 'next' ); ?>
                        </div>
                    <?php endif; ?>
                </div><!-- .comments-pagination -->
            <?php endif; ?>
        </div>
    </main>
</section>
// Filter registered by the theme: strips every tag from each comment at output time.
// Note that sanitize_text_field() is meant for single-line form fields; besides
// removing all HTML (including the <a>, <em>, <strong> etc. that comments may use)
// it collapses line breaks, so wpautop() can no longer split the comment into paragraphs.
add_filter( 'comment_text', 'sanitize_comment' );
function sanitize_comment( $comment_text ) {
    return sanitize_text_field( $comment_text );
}
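As an added example (not part of the original post and not the theme's own code), the snippet below shows the approach usually recommended instead of stripping every tag on output: run the comment through WordPress core's kses allow-list both when it is saved and when it is displayed. It uses only core functions (`add_filter`, `wp_filter_kses`, `wp_kses`, `wp_kses_allowed_html`, `current_filter`); the `hce_` function names and the plugin header are this example's own assumptions. It also covers the case that most often explains "the script just runs": core's save-time kses filter is deliberately removed for users who have the `unfiltered_html` capability, so a `<script>` tag posted while logged in as an administrator is stored and rendered verbatim.

```php
<?php
/**
 * Plugin Name: Comment kses hardening (added example)
 *
 * Assumption: runs inside WordPress (drop into wp-content/mu-plugins/ or
 * require it from the theme). Only core functions are used; the hce_*
 * names are this example's own, not part of WordPress or the theme.
 *
 * Why two layers:
 *  - Core already runs wp_filter_kses() on 'pre_comment_content' when a
 *    comment is saved, but kses_init() removes that filter for users who
 *    have the 'unfiltered_html' capability (administrators and editors on
 *    a single-site install). A <script> tag submitted while logged in as
 *    such a user is stored verbatim and then rendered verbatim.
 *  - Filtering again on 'comment_text' means whatever is in wp_comments is
 *    passed through the allow-list at render time as well.
 *
 * wp_kses() keeps the tags allowed for comments (<a>, <em>, <strong>,
 * <blockquote>, <code>, ...) and drops everything else, including <script>,
 * on* event-handler attributes and javascript: URLs in href. It does not
 * collapse whitespace, so wpautop() still works afterwards.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // loaded outside WordPress
}

/**
 * Layer 1: storage. Registered under a distinct callback name on purpose:
 * kses_init() calls remove_filter( 'pre_comment_content', 'wp_filter_kses' )
 * for privileged users, so re-adding core's callback directly would be undone
 * at 'init'. For unprivileged users this simply runs a second time (idempotent).
 */
function hce_kses_on_save( $content ) {
    // wp_filter_kses() strips/re-adds the slashes that pre_comment_content
    // carries and selects the comment allow-list from current_filter().
    return wp_filter_kses( $content );
}
add_filter( 'pre_comment_content', 'hce_kses_on_save', 10, 1 );

/**
 * Layer 2: display. Priority 8 puts it before make_clickable (9),
 * wptexturize/convert_chars (10) and wpautop (30), so this filter sees the
 * stored content and the later filters only add their own benign markup.
 */
function hce_kses_on_display( $comment_text ) {
    // 'data' is the context core uses for comments: the global $allowedtags list.
    return wp_kses( $comment_text, wp_kses_allowed_html( 'data' ) );
}
add_filter( 'comment_text', 'hce_kses_on_display', 8, 1 );
```

To check it, post a comment containing the `<script>alert('hi');</script>` payload from the question once as a logged-out visitor and once while logged in as an administrator, then look at both the row in `wp_comments` and the rendered page source. kses removes disallowed tags but leaves the text between them, so in both cases the `<script>` and `</script>` tags are gone and only the literal text `alert('hi');` remains, which the browser displays rather than executes. If the theme needs a narrower allow-list than core's, change it through the `wp_kses_allowed_html` filter rather than by falling back to `sanitize_text_field()`.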