Thankfully, XSS vulnerabilities are also very easy to recognize. If you include this code in a WordPress plugin, publish it, and your plugin becomes popular, you can have no doubt that a security analyst will at some point contact you to report this vulnerability.
Fixing this vulnerability is easy: validate the input, sanitize it, and escape the output. We now allow only a small subset of characters in the guestbook.
Even though we don't allow HTML tags, we also run the data through PHP's filter_var() function with the FILTER_SANITIZE_STRING filter, which strips out any tags that might slip through due to a bug in our validation code.
FILTER_SANITIZE_STRING removes any tags it finds rather than escaping them.
Then, when we output each record from the guestbook, we use filter_var() with the FILTER_SANITIZE_FULL_SPECIAL_CHARS filter, which does not strip tags but escapes them if they are present, so the browser displays them as text instead of interpreting them as markup.
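The three steps described above, written out as an added example (this is not the post's plugin code). The character whitelist, the length limit, the in-memory store and the function names are assumptions made for illustration; the two filter constants are the ones the text names.

```php
<?php
// Added example, not the original post's plugin code: the validate /
// sanitize / escape pipeline the text describes, applied to constructed
// guestbook entries. Whitelist, length limit and function names are assumed.
declare(strict_types=1);

const MAX_ENTRY_LENGTH = 500;

// Step 1: validation on input. Only letters, digits, spaces and a little
// punctuation are accepted; anything else rejects the whole submission.
function validate_entry(string $input): bool
{
    if ($input === '' || strlen($input) > MAX_ENTRY_LENGTH) {
        return false;
    }
    return preg_match("/^[\p{L}\p{N} .,!?'-]+$/u", $input) === 1;
}

// Step 2: sanitize before storing. FILTER_SANITIZE_STRING strips any tag
// that slipped past validation. FILTER_FLAG_NO_ENCODE_QUOTES keeps the
// stored text raw, so quotes are escaped once, at output time, not twice.
// The filter is deprecated as of PHP 8.1; strip_tags() performs the same
// tag removal there.
function sanitize_entry(string $input): string
{
    if (PHP_VERSION_ID >= 80100) {
        return strip_tags($input);
    }
    return (string) filter_var($input, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
}

// Step 3: escape on output. FILTER_SANITIZE_FULL_SPECIAL_CHARS turns
// <, >, &, " and ' into HTML entities, so a tag that is still present is
// rendered as text instead of being interpreted by the browser.
function escape_for_html(string $stored): string
{
    return (string) filter_var($stored, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

// Accept a submission into the (assumed) in-memory store, or reject it.
function submit_entry(array &$store, string $input): bool
{
    if (!validate_entry($input)) {
        return false;
    }
    $store[] = sanitize_entry($input);
    return true;
}

// Render every stored entry, escaping each one on the way out.
function render_entries(array $store): string
{
    $html = "<ul>\n";
    foreach ($store as $entry) {
        $html .= '  <li>' . escape_for_html($entry) . "</li>\n";
    }
    return $html . '</ul>';
}

// Constructed sample input: one benign entry and one containing a tag.
$guestbook = [];
var_dump(submit_entry($guestbook, 'Lovely site, thanks!'));
var_dump(submit_entry($guestbook, '<b>hello</b> & friends'));

// Defence in depth: if a tag ever reached storage (say, through a bug in
// validate_entry), the sanitizer strips it and the output filter escapes
// whatever remains. Here the entry is pushed past validation on purpose.
$guestbook[] = sanitize_entry('<b>hello</b> & friends');
echo render_entries($guestbook);
```

Run it from the command line with php. The second submission is rejected at validation because `<` and `&` are outside the whitelist; the entry added directly to the store comes back with its tag stripped by the sanitizer and its ampersand turned into an entity by the output filter. Passing FILTER_FLAG_NO_ENCODE_QUOTES to the sanitizer matters: without it, FILTER_SANITIZE_STRING encodes quotes at storage time and FILTER_SANITIZE_FULL_SPECIAL_CHARS then escapes the resulting ampersand again on output, so a visitor's apostrophe would display as `&#39;`.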