I've got a client whose website I built with WordPress. It features a contact page built with Contact Form 7. This client is actually a subsidiary of a bigger organization whose IT department runs scans on their own subdomains. They requested that my client safeguard Contact Form 7 from malicious scripts or take the page down.

After I requested an example of what they examined, my client informed me that they run tests to see whether a script can be placed into an input field (i.e. <script>alert('hello');</script>) or passed as a URL string (i.e. www.mydomain.com/contact?<script>alert('hello');</script>).

Using the query string, the contact form sets the action to: action="/?scriptalert('hello');/script#wpcf7-f1-p6-o1". My first question is, can this do any harm, given that the "<" and ">" have been stripped from the string?

If that's the case, is there anything I can add to remove the possibility of running scripts on this contact page?

HTML encoding is a good way to prevent any HTML/JS from taking effect. It's wise to encode any user-provided value before displaying it in the page.

See http://ca3.php.net/manual/en/function.htmlentities.php
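A worked example of the encoding the answer recommends, added here and not taken from the answer or from Contact Form 7's own code: the request URI is encoded with htmlspecialchars() before it is placed in the form's action attribute. The helper name and the sample URI are assumptions.

```php
<?php
// Added example (not Contact Form 7 code): encode a user-influenced value
// before emitting it inside an HTML attribute.

// Anything after "?" in the request URI comes straight from the visitor,
// so it must be treated as untrusted text, not markup.
function form_action_attr(string $request_uri): string
{
    // ENT_QUOTES encodes both ' and " in addition to < > &. Encoding the
    // quotes matters because the value sits inside a quoted attribute;
    // stripping only < and > leaves quotes and & meaningful there.
    return htmlspecialchars($request_uri, ENT_QUOTES, 'UTF-8');
}

function form_tag(string $action_value): string
{
    // Same fragment Contact Form 7 appends in the question's example.
    return '<form action="' . $action_value . '#wpcf7-f1-p6-o1" method="post">';
}

// Constructed sample input, built from the payload quoted in the question.
$requestUri = "/contact?<script>alert('hello');</script>";

// Unencoded: the markup is emitted verbatim into the page (do not do this).
$unsafeTag = form_tag($requestUri);

// Encoded: the browser sees only text in the attribute, never a <script> element.
$safeTag = form_tag(form_action_attr($requestUri));

echo "Unencoded: " . $unsafeTag . PHP_EOL;
echo "Encoded:   " . $safeTag . PHP_EOL;

// Better still for a form action: do not reflect the request URI at all and
// use a fixed path, so there is nothing user-controlled to encode.
```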