[theme-reviewers] Simple-Blue-Dashed 1.0
chip at chipbennett.net
Fri Jun 11 16:49:42 UTC 2010
> Security is a big item; themes' misuse of any external data ($_GET,
> $_POST, $_REQUEST, $_COOKIE, $_SERVER) must be addressed, no two ways
> about it. Direct DB queries must properly escape data in the query
> (and if there is a WP function to do the same thing, the direct DB
> query should be replaced with the function call). Those are the
> basic, *minimum* things that every theme needs to address security
> wise.
For those of us who are less-than-expert in the SQL aspects of theme
reviewing, can those who are more adept create a reasonably easy-to-follow
security checklist?
Or, maybe we should have some security-ninja theme reviewers, who can
focus on the security aspects of themes? If so, we could divvy up the
review work, such that security concerns are handled separately - after
the theme is initially reviewed (and cleaned up, if necessary) based on
the "normal" criteria?
> Sometimes the theme author just isn't aware of specific functions or
> services in WordPress, so some hints and reference URLs for more info
> are helpful there.
Agreed. I tried to add in Codex references, where appropriate, in my first
review.
Speaking of which: the Theme Development Checklist entry in the Codex is
sorely in need of cross-referencing to Codex entries for functions,
template tags, and hooks/filters.
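To make the quoted minimum concrete for the checklist being asked for, here is an added example (not code from this thread or from the Simple-Blue-Dashed theme) showing the pattern the quote objects to, the escaped direct query, and the preferred replacement with a WordPress function. The sbd_* function names are made up; $wpdb, $wpdb->prepare(), absint(), esc_html() and get_posts() are standard WordPress APIs.

```php
<?php
// Added example, not code from the thread or from the Simple-Blue-Dashed
// theme. The sbd_* function names are made up for illustration; $wpdb,
// $wpdb->prepare(), absint(), esc_html() and get_posts() are standard
// WordPress APIs.

// BEFORE: the raw $_GET value goes straight into a direct DB query.
// Nothing validates or escapes it, so the request controls the SQL.
function sbd_posts_by_author_unsafe() {
    global $wpdb;
    $author = $_GET['author'];
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts}
          WHERE post_author = $author AND post_status = 'publish'"
    );
}

// STEP 1: if a direct query is really needed, validate the input
// (absint() forces a non-negative integer) and let $wpdb->prepare()
// bind it through a placeholder instead of string concatenation.
function sbd_posts_by_author_prepared() {
    global $wpdb;
    $author = isset( $_GET['author'] ) ? absint( $_GET['author'] ) : 0;
    if ( 0 === $author ) {
        return array();
    }
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
          WHERE post_author = %d AND post_status = 'publish'",
        $author
    ) );
}

// STEP 2 (what the thread recommends): replace the direct query with the
// WordPress function that does the same job, which escapes for you.
function sbd_posts_by_author() {
    $author = isset( $_GET['author'] ) ? absint( $_GET['author'] ) : 0;
    if ( 0 === $author ) {
        return array();
    }
    return get_posts( array( 'author' => $author, 'post_status' => 'publish' ) );
}

// Escape on output too, so a stored title cannot inject markup into the theme.
foreach ( sbd_posts_by_author() as $post ) {
    echo '<li>' . esc_html( $post->post_title ) . '</li>';
}
```

When reviewing a theme, grep for $_GET, $_POST, $_REQUEST, $_COOKIE and $_SERVER and for $wpdb-> calls, then check that every hit looks like step 1 or step 2 rather than the first function.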