[theme-reviewers] Why Rigorous Review of Theme Functional Files is Important

Otto otto at ottodestruct.com
Thu Jan 30 16:32:15 UTC 2014


On Thu, Jan 30, 2014 at 10:19 AM, Konstantin Kovshenin
<kovshenin at gmail.com> wrote:

> >  I have just allowed the <script> tag in the text area. Is the script
> tag not acceptable at all? Or should I create a New Field, derivate of
> Textfield, and allow <script> in that?
>
> As Justin pointed out earlier, you should be checking whether the
> current user can publish unfiltered html, and only then show your
> custom js fields that allow script tags. Note that on some setups,
> neither admins nor super admins have the unfiltered_html capability
> for security reasons.
>
> Also, in my opinion, Custom CSS and especially Custom JS should not be
> allowed in themes.
>


If you're using the Theme Customizer, then a lot of this is pretty easy to
deal with.

For example, if you wanted to check for that, you could add 'capability' =>
'unfiltered_html' to the args in the add_setting() call. Then the
associated control simply wouldn't show up for people who lacked that
capability.

-Otto
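A worked form of the check Otto describes, added here as an illustration rather than code from the thread or from any theme: a hypothetical `example_custom_js` theme mod registered in the Customizer with `'capability' => 'unfiltered_html'`, so the control is hidden from users who lack the capability, plus a `sanitize_callback` that repeats the same check when a value is saved (core also checks the setting's capability before saving; the callback is defense in depth).

```php
<?php
/**
 * Added example, not from the thread or any real theme. The setting id,
 * function names and text domain ("example") are hypothetical.
 * Stored value: the script body only, without <script> tags.
 */

// Defense in depth: refuse a write from anyone without unfiltered_html by
// returning the value already stored instead of the submitted one.
function example_sanitize_custom_js( $value ) {
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        return get_theme_mod( 'example_custom_js', '' );
    }
    return (string) $value;
}

function example_register_custom_js( WP_Customize_Manager $wp_customize ) {
    $wp_customize->add_setting( 'example_custom_js', array(
        'type'              => 'theme_mod',
        'default'           => '',
        'capability'        => 'unfiltered_html', // control hidden without it
        'sanitize_callback' => 'example_sanitize_custom_js',
    ) );

    $wp_customize->add_control( 'example_custom_js', array(
        'label'   => __( 'Custom JS', 'example' ),
        'section' => 'title_tagline',
        'type'    => 'textarea',
    ) );
}
add_action( 'customize_register', 'example_register_custom_js' );

// Output on the front end: only users holding unfiltered_html can have
// written this value, and it is emitted inside the theme's own <script> tag.
function example_print_custom_js() {
    $js = get_theme_mod( 'example_custom_js', '' );
    if ( '' === trim( $js ) ) {
        return;
    }
    echo "<script>\n" . $js . "\n</script>\n";
}
add_action( 'wp_head', 'example_print_custom_js' );
```

On a multisite install where `unfiltered_html` has been removed from administrators (as the quoted reply notes), the control simply never appears and the sanitizer leaves the stored value untouched.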

