
Remediation Steps

Follow the steps below to remediate this finding on WordPress.

  1. Escape every piece of dynamic data at the point of output, using the WordPress escaping function that matches the context it is written into:

    • esc_html() — for text placed in the HTML body
    • esc_attr() — for HTML attributes
    • esc_url() — for URLs
    • esc_js() — for single-quoted JavaScript string literals inside inline event-handler attributes such as onclick; for data passed into a <script> block, use wp_json_encode() instead
    • wp_kses() / wp_kses_post() — for HTML that must allow some tags
  2. Never echo raw $_GET or $_POST values. Sanitise on input with sanitize_text_field() (after wp_unslash(), since WordPress adds slashes to the request superglobals), and still escape on output: sanitize_text_field() strips tags but leaves quotes intact, so it is not a substitute for context-specific escaping.
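Both steps applied to one page fragment, as an added example that is not part of the original page or of WordPress itself. It assumes a loaded WordPress runtime (for instance, a plugin file), so the esc_*(), wp_kses_post(), sanitize_text_field() and wp_unslash() functions exist. The function names (xss_demo_*), the shortcode tag and the request parameters q and return_to are hypothetical. The first function is the vulnerable form the finding describes; the second is the remediated form.

```php
<?php
/*
 * Added example, not code from the original page or from WordPress itself.
 * Assumes it runs inside a loaded WordPress install (e.g. dropped into a
 * plugin file), so esc_html(), esc_attr(), esc_url(), esc_js(),
 * wp_json_encode(), wp_kses_post(), sanitize_text_field() and wp_unslash()
 * exist. The function names (xss_demo_*), the shortcode tag and the request
 * parameters 'q' and 'return_to' are hypothetical.
 */

// Vulnerable: raw request values written straight into five different
// output contexts. A value such as  "><script>alert(1)</script>  in q, or
// javascript:alert(1)  in return_to, executes in the visitor's browser.
function xss_demo_render_vulnerable() {
    $q      = isset( $_GET['q'] ) ? $_GET['q'] : '';
    $return = isset( $_GET['return_to'] ) ? $_GET['return_to'] : '/';
    ?>
    <p>Results for: <?php echo $q; ?></p>                       <!-- HTML body -->
    <input type="text" name="q" value="<?php echo $q; ?>">      <!-- attribute -->
    <a href="<?php echo $return; ?>">Back</a>                   <!-- URL -->
    <button onclick="track('<?php echo $q; ?>')">Track</button> <!-- inline JS in attribute -->
    <script>var lastQuery = "<?php echo $q; ?>";</script>       <!-- script block -->
    <?php
}

// Remediated: step 2 (sanitise on input) followed by step 1 (escape per
// output context). wp_unslash() comes first because WordPress adds slashes
// to $_GET/$_POST on every request.
function xss_demo_render_safe() {
    $q      = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    $return = isset( $_GET['return_to'] ) ? sanitize_text_field( wp_unslash( $_GET['return_to'] ) ) : '/';

    // sanitize_text_field() strips tags and control characters but keeps
    // quotes, so a value like  " onmouseover="alert(1)  still arrives intact.
    // Only the context-specific escape on each line below neutralises it.
    ?>
    <p>Results for: <?php echo esc_html( $q ); ?></p>
    <input type="text" name="q" value="<?php echo esc_attr( $q ); ?>">
    <a href="<?php echo esc_url( $return ); ?>">Back</a>  <!-- esc_url() also rejects javascript: and other disallowed schemes -->
    <button onclick="track('<?php echo esc_js( $q ); ?>')">Track</button>  <!-- esc_js(): single-quoted JS string inside an attribute -->
    <script>var lastQuery = <?php echo wp_json_encode( $q ); ?>;</script>  <!-- JSON literal, quotes and "/" escaped -->
    <?php
}

// Content that legitimately carries markup (a rich-text field, for example)
// is not escaped with esc_html(), which would render the tags as visible
// text, but filtered with wp_kses_post(): tags and attributes allowed in
// post content are kept, <script> and on* event handlers are removed.
function xss_demo_render_rich( $html ) {
    echo wp_kses_post( $html );
}

// Expose the remediated rendering as a shortcode so it can be tried on a page.
if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'xss_demo', function () {
        ob_start();
        xss_demo_render_safe();
        return ob_get_clean();
    } );
}
```

Place the file in a plugin, add [xss_demo] to a page, and request it with ?q=%22+onmouseover%3D%22alert(1) and ?return_to=javascript:alert(1): the attribute stays closed and the link is emptied by esc_url(), whereas the same input against xss_demo_render_vulnerable() reproduces the finding.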