Soft Rejected: (XSS) "Application is insecure"

Hi. My script was rejected with the reason below:

  • Application is insecure.

And the reviewer sent me a photo of an XSS vulnerability. There is no XSS vulnerability on the user side; it is only on the admin side.

There are “Extra Header/Footer” and “Ad Code” fields and a “Blog Post Content” (WYSIWYG editor) field in my admin panel.
For example, an admin user enters AdSense code into the “Ad Code” field. AdSense gives us JavaScript code. That’s why I don’t check for XSS in these fields.

What should I do?

You should take care of XSS vulnerabilities on both the front end and the back end. Your full script should be secure from XSS attacks.

@mgscoder Thank you for the answer. But as I said, it is necessary to add JavaScript code when adding AdSense/Analytics.

(As far as I know) It’s not possible to detect whether JavaScript code is harmful.

If you add it, then you have to make sure the JS code is secure. What is your script doing when adding JS code? It is saving it into the DB or doing something in the front end with the code, right? So, you have to take care of the XSS vulnerability. Otherwise the victim’s browser can execute the malicious script.

I think it’s most likely the reviewer is correct and you have a design error.

Share some relevant code and what the reviewer highlighted and I’m happy to take a look, and think of some possible solutions.

@WebWizardsDev Hey, thanks for the answer.


As you can see, JavaScript is required for some ad networks. So I don’t check for XSS in this input field. If I check, the required script code will be deleted.

I don’t fully understand the context and the vulnerability. But generally, my suggestion is to just take the path of least resistance. Instead of arguing with the reviewer, I suggest:

  1. Use esc_html, sanitize_textarea_field, sanitize_text_field etc. to satisfy the Envato Reviewer’s requirements.
  2. Deconstruct the javascript, for example replace " < script > " with * scripttagstart * and * scripttagend *
  3. Then in the frontend, you can replace * scripttagstart * with < script > again.
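
What the three steps above produce for a plain-text field and for the “Ad Code” field, as an added example that is not part of the original post or of the submitted script. The function names, the sample values and the ad URL are constructed, the token spelling is an assumption based on the placeholders in the post, and `htmlspecialchars` stands in for `esc_html` so the block runs without WordPress:

```php
<?php
// Added example with constructed data; every function name here is hypothetical.

const TAG_OPEN  = '*scripttagstart*';   // assumed spelling of the post's placeholder
const TAG_CLOSE = '*scripttagend*';

// Step 1: plain-text fields are encoded on output, so markup is shown, not run.
function render_text_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Step 2: before saving, swap the script tags in the ad code for placeholder tokens.
function deconstruct_ad_code(string $code): string
{
    return str_ireplace(['<script', '</script>'], [TAG_OPEN, TAG_CLOSE], $code);
}

// Step 3: when rendering the frontend, swap the tokens back into script tags.
function restore_ad_code(string $stored): string
{
    return str_replace([TAG_OPEN, TAG_CLOSE], ['<script', '</script>'], $stored);
}

// Constructed sample input.
$title  = 'Summer <b>sale</b>';
$adCode = '<script async src="https://ads.example.test/tag.js"></script>';

$stored   = deconstruct_ad_code($adCode);
$restored = restore_ad_code($stored);

echo "text field on page : ", render_text_field($title), PHP_EOL;
echo "ad code in database: ", $stored, PHP_EOL;
echo "ad code on page    : ", $restored, PHP_EOL;

// Compare what the visitor's browser receives with what the admin typed.
echo "ad code unchanged by round trip: ",
    ($restored === $adCode ? 'yes' : 'no'), PHP_EOL;
```

The text field reaches the page encoded, while the ad code reaches it exactly as entered, so what runs in the visitor's browser still depends on who is allowed to edit that field.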

Please have your script sanitized in the way mentioned by the reviewer. Once it’s been sanitized, submit again and it will definitely be approved. Just don’t lose hope. All you need to do is rectify and update the code; if after the second attempt it’s again not approved … update again.

Code for an ad banner is not XSS. You don’t need to sanitize that.

You said the reviewer sent you a photo of an XSS vulnerability. Can you share that photo with us?