[theme-reviewers] Guidance on theme security

Andrew Nacin wp at andrewnacin.com
Sat Oct 16 18:22:07 UTC 2010


On Sat, Oct 16, 2010 at 12:08 PM, Gene Robinson <emhr at submersible.me> wrote:

> Hi,
>
> I don't in any way claim to be an expert in theme security. I am wondering
> what are the basic requirements and or recommendations for reviews. I'm
> finding the use of non-ssl capable functions get_option('home') and
> get_option('site_url') in links and the lack of wp_nonce_field() and
> check_admin_referrer() in theme options.


get_option('home') and get_option('siteurl') should *not* be used in themes.
I believe the guidelines say so.

bloginfo('url') (home URL) and bloginfo('wpurl') (site URL) are okay, as
they simply call home_url() and site_url() respectively.

The lack of nonce and referrer checks is also a huge concern. Much more
than lack of SSL support.
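One way to wire the checks discussed above into a theme options page, as an added example that is not from the thread or from any particular theme (the `mytheme_` names are hypothetical; the WordPress functions are real, and the referrer check is spelled `check_admin_referer()`):

```php
<?php
// Added example: a minimal theme-options page with the capability check,
// nonce/referrer check, and home_url() usage the reply calls for.
// Everything prefixed "mytheme_" is a hypothetical name for this example.

// Register the page under Appearance, gated by the edit_theme_options capability.
add_action( 'admin_menu', 'mytheme_add_options_page' );
function mytheme_add_options_page() {
    add_theme_page(
        'My Theme Options', 'My Theme Options',
        'edit_theme_options',          // capability required to see the page
        'mytheme-options', 'mytheme_render_options_page'
    );
}

function mytheme_render_options_page() {
    // Re-check the capability on every request; the menu gate alone is not enough.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_POST['mytheme_save'] ) ) {
        // CSRF protection: dies unless the submitted nonce matches this action.
        check_admin_referer( 'mytheme_save_options', 'mytheme_nonce' );
        // Never store raw POST data; sanitize each option before saving it.
        $raw     = isset( $_POST['mytheme_tagline'] ) ? $_POST['mytheme_tagline'] : '';
        $tagline = sanitize_text_field( wp_unslash( $raw ) );
        update_option( 'mytheme_tagline', $tagline );
        echo '<div class="updated"><p>Options saved.</p></div>';
    }
    $tagline = get_option( 'mytheme_tagline', '' );
    ?>
    <div class="wrap">
        <h2>My Theme Options</h2>
        <form method="post" action="">
            <?php wp_nonce_field( 'mytheme_save_options', 'mytheme_nonce' ); ?>
            <label>Tagline
                <input type="text" name="mytheme_tagline"
                       value="<?php echo esc_attr( $tagline ); ?>">
            </label>
            <?php submit_button( 'Save', 'primary', 'mytheme_save' ); ?>
        </form>
        <!-- Link built with home_url(), not get_option('home'), so the scheme follows the site's settings. -->
        <p>Home: <a href="<?php echo esc_url( home_url( '/' ) ); ?>">
            <?php echo esc_html( home_url( '/' ) ); ?></a></p>
    </div>
    <?php
}
```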