WordPress framework, ~20 mins

XSS prevention in WordPress - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual (intermediate)
Understanding WordPress XSS Prevention Functions

Which WordPress function is specifically designed to escape HTML attributes to prevent XSS attacks?

A. esc_attr()
B. sanitize_text_field()
C. wp_kses_post()
D. esc_html()
💡 Hint

Think about escaping values inside HTML tag attributes like title or alt.

Component behavior (intermediate)
Output Behavior with Different Escaping Functions

Given the user input <script>alert('XSS')</script>, which WordPress function will output the input safely as plain text on a page without executing the script?

A. echo esc_attr( $user_input );
B. echo wp_kses_post( $user_input );
C. echo esc_html( $user_input );
D. echo $user_input;
💡 Hint

Consider which function converts HTML tags to safe text so they show visibly instead of running.

📝 Syntax (advanced)
Correct Usage of wp_kses() for Custom Allowed Tags

Which option correctly uses wp_kses() to allow only <a> tags with href attributes in user content?

A. wp_kses( $content, array( 'a' => array( 'href' => 'true' ) ) );
B. wp_kses( $content, array( 'a' => array( 'href' => true ) ) );
C. wp_kses( $content, array( 'a' => array( 'href' => 'allowed' ) ) );
D. wp_kses( $content, array( 'a' => array( 'href' => 1 ) ) );
💡 Hint

Check the correct data type for allowed attributes in wp_kses().

🔧 Debug (advanced)
Identifying XSS Vulnerability in WordPress Code

What is the main security issue in this WordPress snippet?

$user_input = $_POST['comment'];
echo "<p>User said: $user_input</p>";
A. The code sanitizes input but does not escape output, causing XSS.
B. The code uses double quotes incorrectly, causing a syntax error.
C. The code properly escapes output; there is no XSS risk.
D. The code outputs raw user input without escaping, allowing XSS.
💡 Hint

Think about what happens if user input contains HTML or script tags.

State output (expert)
Effect of Escaping Functions on Stored and Displayed Data

In WordPress, if you store user input with sanitize_text_field() and later display it with esc_html(), what is the expected behavior?

A. User input is cleaned on save and safely displayed as plain text, preventing XSS.
B. User input is escaped twice, causing visible HTML entities in the output.
C. User input is not cleaned and can cause XSS on display.
D. User input is sanitized, but esc_html() causes a syntax error on output.
💡 Hint

Consider the difference between sanitizing on input and escaping on output.