Title: Gary Pendergast – Make WordPress Plugins

---

# Author Archives: [Gary Pendergast](https://profiles.wordpress.org/pento/)

[Gary Pendergast](https://profiles.wordpress.org/pento/)
4:12 am _on_ September 8, 2016
Tags: testing   

# [WP_Hook: Next Generation Actions and Filters](https://make.wordpress.org/plugins/2016/09/08/wp_hook-next-generation-actions-and-filters/)

WordPress 4.7 will contain a significant re-architecture of how hooks work. Please read the post on make/core for the full details, and test your plugins!

> [WP_Hook: Next Generation Actions and Filters](https://make.wordpress.org/core/2016/09/08/wp_hook-next-generation-actions-and-filters/)

[#testing](https://make.wordpress.org/plugins/tag/testing/)

[Gary Pendergast](https://profiles.wordpress.org/pento/)
5:00 pm _on_ April 20, 2015
Tags: [security ( 15 )](https://make.wordpress.org/plugins/tag/security/)

# [Fixing add_query_arg() and remove_query_arg() usage](https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage/)

_Background: Due to a now-fixed ambiguity in the documentation for the [`add_query_arg()`](https://developer.wordpress.org/reference/functions/add_query_arg/) and [`remove_query_arg()`](https://developer.wordpress.org/reference/functions/remove_query_arg/) functions, many plugins were using them incorrectly, allowing for potential XSS attack vectors in their code._

Both `add_query_arg()` and `remove_query_arg()` have an optional argument to define the base query string to use. If this argument is undefined, the function will use `$_SERVER['REQUEST_URI']`, which is unescaped. When printed out to a page, this could be used as an XSS attack vector.

The easiest way to fix this in your plugin is to escape the output of `add_query_arg()` and `remove_query_arg()`. When it’s being printed to a page (for example as a link), you should use [`esc_url()`](https://developer.wordpress.org/reference/functions/esc_url/). When it’s being used in HTTP headers or as part of an HTTP request (for example, as part of a location redirect header or in a [`wp_remote_get()`](https://developer.wordpress.org/reference/functions/wp_remote_get/) call), you should use [`esc_url_raw()`](https://developer.wordpress.org/reference/functions/esc_url_raw/).
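As an added example (not code from the original post), here is the vulnerable pattern next to the two escaped forms described above, plus a variant that supplies an explicit base URL so the `$_SERVER['REQUEST_URI']` fallback is never reached. The plugin name, function names and admin page slug are made up, and the code assumes it runs inside WordPress where `add_query_arg()`, `remove_query_arg()`, `esc_url()`, `esc_url_raw()`, `esc_html()`, `admin_url()` and `wp_safe_redirect()` are defined.

```php
<?php
/**
 * Constructed example for a hypothetical "myplugin" admin list table.
 * Assumes WordPress is loaded; none of the escaping helpers are defined here.
 */

// BEFORE: no base URL is passed, so add_query_arg() falls back to the
// unescaped $_SERVER['REQUEST_URI'], and the result is echoed straight
// into an href attribute. Anything reflected from the request URI ends
// up in the page unescaped.
function myplugin_sort_link_vulnerable( $column ) {
    $url = add_query_arg( 'orderby', $column );
    return '<a href="' . $url . '">' . esc_html( $column ) . '</a>';
}

// AFTER (output context): the URL is printed into HTML, so wrap it in
// esc_url() before it reaches the page.
function myplugin_sort_link_fixed( $column ) {
    $url = add_query_arg( 'orderby', $column );
    return '<a href="' . esc_url( $url ) . '">' . esc_html( $column ) . '</a>';
}

// AFTER (header / request context): the URL goes into a Location header,
// so use esc_url_raw(). Unlike esc_url(), it does not HTML-encode '&',
// which would corrupt the query string in a header or HTTP request.
function myplugin_clear_filters_and_redirect() {
    $url = remove_query_arg( array( 'orderby', 'order', 'paged' ) );
    wp_safe_redirect( esc_url_raw( $url ) );
    exit;
}

// Goes one step beyond the post: pass a trusted base URL as the third
// argument so REQUEST_URI is never consulted, and still escape on output
// because the column name itself may come from user input.
function myplugin_sort_link_explicit_base( $column ) {
    $base = admin_url( 'admin.php?page=myplugin' ); // hypothetical page slug
    $url  = add_query_arg( 'orderby', $column, $base );
    return '<a href="' . esc_url( $url ) . '">' . esc_html( $column ) . '</a>';
}
```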

_Edit by Ipstenu: Also read [Sucuri’s reasonable disclosure on the matter](https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html).
Many plugins have been patched and auto-updated in a massive coordinated effort 
to stem this one before it gets nasty._

[#security](https://make.wordpress.org/plugins/tag/security/)