<p>In a nutshell, what are the security measures that should be implemented in an options page? All that I can think of right now are nonce and user capability check. Do we really need to check for user input? Considering that the function update_option already sanitise the inputs before updating the database...</p>
<p>--<br>
Regards,<br>
Syahir Hakim</p>
<p>Contact:<br>
<a href="http://www.khairul-syahir.com">http://www.khairul-syahir.com</a><br>
+64210333649</p>
<p><blockquote type="cite">On 21/10/2010 5:39 AM, "Gene Robinson" <<a href="mailto:emhr@submersible.me">emhr@submersible.me</a>> wrote:<br><br>There is a definite need for more quality tutorials on security with respect to theme development. I am seeing a staggering number of tutorials for options pages many of which appear to not account security.<br>
<br>
Look at these results. A plethora of top tens and relevant tutorials vs. 51 results from a rare combinations of terms.<br>
<br>
<a href="http://www.google.com/search?q=wordpress+theme+options+tutorial+-nonce+-check_admin_referer+-current_user_can" target="_blank">http://www.google.com/search?q=wordpress+theme+options+tutorial+-nonce+-check_admin_referer+-current_user_can</a><br>
<br>
<a href="http://www.google.com/search?q=wordpress+theme+options+tutorial+nonce+check_admin_referer+current_user_can" target="_blank">http://www.google.com/search?q=wordpress+theme+options+tutorial+nonce+check_admin_referer+current_user_can</a><br>
<br>
Even Automattic recently promoted the shared release of an insecure options page:<br>
<a href="http://publisherblog.automattic.com/2010/10/01/cheezcap-custom-wp-admin-panels/" target="_blank">http://publisherblog.automattic.com/2010/10/01/cheezcap-custom-wp-admin-panels/</a><br>
<br>
As a community, we appear not to have caught up with the enhancements to security in the core. There is much room for improvement in this area.<br>
<font color="#888888"><br>
-Gene<br>
</font><p><font color="#500050">_______________________________________________<br>theme-reviewers mailing list<br>theme-reviewers@lists.w...</font></p></blockquote></p>