The $truncate example you give, IMHO, should be replaced entirely with get_the_excerpt(). It appears to be purely a reinvention of the post-excerpt wheel.<div><br></div><div>I assume you're going to point out all the issues with the Theme's options implementation (the first thing that jumps out is that the Theme is not using a single array to store its options)?</div>
<div><br></div><div>I don't think that stripslashes() is sufficient here:</div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><div><span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: medium; "><pre style="word-wrap: break-word; white-space: pre-wrap; ">
<?php echo stripslashes( get_option('tt_google_analytics') ); ?></pre></span></div></blockquote><div>This should be an esc_js() or esc_html() or whatever, as appropriate for the data being output. </div><div>
<br></div><div>A data validation/sanitization/escaping blog post is on my to-do list. I just haven't had the time yet. I would *strongly* recommend this presentation by Mark Jaquith:</div><div><a href="http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/">http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/</a></div>
<div><br></div><div>(Any blog post I write will be consistent with what Mark presents - and IMHO, if Mark Jaquith presents it as recommended practice, then I would take that recommendation as a best practice.)</div><div><br>
</div><div>Chip</div><div><br><div class="gmail_quote">On Thu, Aug 11, 2011 at 8:06 AM, Mario Peshev <span dir="ltr"><<a href="mailto:mario@peshev.net">mario@peshev.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hi Chip, <div><br></div><div>The most common example is using stripslashes (sample here <a href="http://themes.svn.wordpress.org/ttblog/1.0.2/header.php" target="_blank">http://themes.svn.wordpress.org/ttblog/1.0.2/header.php</a>), also, the functions.php of the same theme uses:</div>
<div><br></div><div><span style="font-family:'Times New Roman';font-size:medium"><pre style="word-wrap:break-word;white-space:pre-wrap">$truncate = preg_replace('@<script[^>]*?>.*?</script>@si', '', $truncate);</pre>
</span></div><div>I think this could also be handled (or maybe not), there are trim, htmlentities and similar functions used in themes. I am interested in functions such as wp_kses - <a href="http://codex.wordpress.org/Function_Reference/wp_kses" target="_blank">http://codex.wordpress.org/Function_Reference/wp_kses</a> - as they seem multifunctional to me. I was wondering if any of you has posted the 'formatting and security best practices and top functions' or something like this compared to plain PHP solutions.<br>
<br>Thanks in advance. :)</div><div><div class="im"><br>Mario Peshev<br>freelance software developer/trainer<br><a href="http://www.linkedin.com/in/mpeshev" target="_blank">http://www.linkedin.com/in/mpeshev</a><br><a href="http://peshev.net/blog" target="_blank">http://peshev.net/blog</a><br>
<br>
<br><br></div><div><div></div><div class="h5"><div class="gmail_quote">On Thu, Aug 11, 2011 at 3:57 PM, Chip Bennett <span dir="ltr"><<a href="mailto:chip@chipbennett.net" target="_blank">chip@chipbennett.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Mario,<div><br></div><div>The only "dummy" question is the one that remains unasked. :)</div><div><br></div><div>Can you provide a more specific example? Perhaps a ticket or something, that uses the function(s) in question?</div>
<div><br></div><div>In general, though, IMHO, it is *always* preferable to use a core WP function for content filtering and/or untrusted data sanitization/validation.</div><div><br></div><div>Chip<br><br><div class="gmail_quote">
<div><div></div><div>
On Thu, Aug 11, 2011 at 7:53 AM, Mario Peshev <span dir="ltr"><<a href="mailto:mario@peshev.net" target="_blank">mario@peshev.net</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div></div><div>
Hello Reviewers,<div><br></div><div>I'm not that well acquainted with security in PHP and WP so it might be a bit dummy question, but I have tough time following the parsing and formatting practices in WP themes. Since there is a Formatting section in WP function list - <a href="http://codex.wordpress.org/Function_Reference#Formatting_Functions" target="_blank">http://codex.wordpress.org/Function_Reference#Formatting_Functions</a> , and some of the functions seem pretty similar to the same function names in PHP, what is the rule and is it required for the WP functions to be used instead, are they always better than plain PHPs?<br clear="all">
<font color="#888888">
<br>Mario Peshev<br>freelance software developer/trainer<br><a href="http://www.linkedin.com/in/mpeshev" target="_blank">http://www.linkedin.com/in/mpeshev</a><br><a href="http://peshev.net/blog" target="_blank">http://peshev.net/blog</a><br>
<br>
</font></div>
<br></div></div>_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br></blockquote></div><br></div>
<br>_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br></blockquote></div><br></div></div></div>
<br>_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br></blockquote></div><br></div>