<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<pre wrap="">if ( ! current_user_can( 'unfiltered_html' ) ) {
	/* Sanitize: this user may not store raw markup, so filter the value here. */
}
</pre>
<br>
All theme reviewers should be intimately familiar with this page:<br>
<a class="moz-txt-link-freetext" href="http://codex.wordpress.org/Data_Validation">http://codex.wordpress.org/Data_Validation</a><br>
<br>
<div class="moz-cite-prefix">On 1/30/2014 7:00 AM, Chip Bennett
wrote:<br>
</div>
<blockquote
cite="mid:CAPdLKqdx5gizeVzc6HF+GNeKeNi9F4vZ_0BzGFqssELw6EuLug@mail.gmail.com"
type="cite">
<div dir="ltr">Good morning, all,
<div><br>
</div>
<div>Just as a reminder why it is imperative that our reviews
are thorough and complete, including a review of the Theme
code and not merely a Theme-Check/front-end review, I woke up
this morning to several emails reporting various Theme
security vulnerabilities. Here's a sampling:</div>
<div><br>
</div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div>
<div>To reproduce:</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div>1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to
wp-config.php</div>
</div>
<div>
<div>2. Activate the theme, navigate to Theme Options, add
an image logo</div>
</div>
<div>
<div>3. In General Options - Logo Text, enter (as is, with
quotes): "</div>
</div>
<div>
<div>onclick="javascript:alert(1);"</div>
</div>
<div>
<div>4. Visit the homepage, click on the logo, boom.</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div>5. In Slider Options, add a slider image and use the
following for the</div>
</div>
<div>
<div>slider text: Foo bar
&lt;script&gt;alert('baz');&lt;/script&gt;</div>
</div>
<div>
<div>6. Visit the home page, boom.</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div>To reproduce:</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div>1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to
wp-config.php</div>
</div>
<div>
<div>2. Activate the theme, go to Appearance - Theme
Settings</div>
</div>
<div>
<div>3. In More Text enter:
&lt;script&gt;alert('xss');&lt;/script&gt;</div>
</div>
<div>
<div>4. Visit the home page.</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div>(you will have to have at least one post with a
&lt;!--more--&gt; tag)</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div>To reproduce:</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div>1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to
wp-config.php</div>
</div>
<div>
<div>2. Activate the Theme, navigate to Appearance - Theme</div>
</div>
<div>
<div>Options - Social Networks Configuration</div>
</div>
<div>
<div>3. In Twitter URL enter: <a moz-do-not-send="true"
href="http://twitter.com/kovshenin">http://twitter.com/kovshenin</a>'
onclick='alert(1);'</div>
</div>
<div>
<div>4. Visit the home page and click the Twitter icon on
the top right,</div>
</div>
<div>
<div>ouch. Other URL fields affected too.</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div>5. In Layout Settings - Footer enter:
&lt;script&gt;alert(123)&lt;/script&gt;</div>
</div>
<div>
<div>6. Visit the front page, ouch</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div>7. In Advertise Settings, Header Banner Alternative: '
onclick='alert(1)'</div>
</div>
<div>
<div>8. Visit the front page and click the header banner,
ouch</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div>9. In Advertise Settings, Header Banner Link: <a
moz-do-not-send="true" href="http://foo.com">http://foo.com</a>'</div>
</div>
<div>
<div>onclick='alert("bar")</div>
</div>
<div>
<div>10. Visit the front page and click the banner</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div>To reproduce:</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div>11. In Theme Options - Integration</div>
</div>
<div>
<div>12. For header code:
&lt;script&gt;alert('wow');&lt;/script&gt;</div>
</div>
<div>
<div>13. Body code:
&lt;script&gt;alert('seriously?')&lt;/script&gt;</div>
</div>
<div>
<div>14. Visit the front page</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div>To reproduce:</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div>15. in Theme Options - Colors, go to your browser JS
console and</div>
</div>
<div>
<div>enter:
jQuery('#cwp_templates_topbar_colorid_color').val('blue;"</div>
</div>
<div>
<div>onclick="javascript:alert(123);')</div>
</div>
<div>
<div>16. Hit save changes, visit the front page</div>
</div>
<div>
<div>17. The top bar is blue, try and click it. Probably all
the color</div>
</div>
<div>
<div>fields in this theme are vulnerable to this.</div>
</div>
</blockquote>
<div><br>
</div>
<div>That these issues are appearing in approved/live Themes is
exactly the reason that it takes so long to get through the
approved-Theme queue. We have to audit for these things, and
the audits are turning into complete re-reviews in several
cases.</div>
<div><br>
</div>
<div>If you are uncomfortable with performing this level of
review - first: don't worry. We've all been there. <b>But the
important thing is to ask for help.</b> We have a team of
100 people, most/all of whom would be more than happy to lend
a hand. We've all learned from each other. Post a comment
in-ticket, or post to the mail-list, and ask for guidance.
Especially when it comes to Theme options, Theme code can get
quite complex and often difficult to follow. Understanding how
the Settings API works sometimes seems like it requires a
master's degree. And developers all have different coding
styles. It's completely understandable if someone needs a
second pair of eyes when reviewing a given Theme. So please:
ask for help if you need it when reviewing.</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
theme-reviewers mailing list
<a class="moz-txt-link-abbreviated" href="mailto:theme-reviewers@lists.wordpress.org">theme-reviewers@lists.wordpress.org</a>
<a class="moz-txt-link-freetext" href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a>
</pre>
</blockquote>
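<div>A defender's counterpart to the reply's <tt>current_user_can( 'unfiltered_html' )</tt> check and the Data Validation page it links: a complete Settings API sanitize callback, plus escaped output, for the kinds of option fields the quoted reports exercise (plain text, URL, color, rich text, raw header code). This is an added example, not code from the thread or from any reviewed theme; the option name <tt>example_theme_options</tt>, the settings group, the field keys and the default color are assumed placeholders.</div>

```php
<?php
/*
 * Added example, not code from the mailing-list thread or any theme.
 * Assumed (hypothetical) names: option 'example_theme_options', settings
 * group 'example_theme_options_group', and the field keys used below.
 */

/* Register the option with a sanitize callback so every save passes through it. */
function example_theme_register_settings() {
	register_setting( 'example_theme_options_group', 'example_theme_options', 'example_theme_sanitize_options' );
}
add_action( 'admin_init', 'example_theme_register_settings' );

/*
 * Sanitize each field according to what it is allowed to contain. The
 * saving user being an admin is no reason to skip this: with
 * DISALLOW_UNFILTERED_HTML set, nobody holds unfiltered_html at all.
 */
function example_theme_sanitize_options( $input ) {
	$output = array();

	/* Plain text that ends up in an attribute or element body: strip all tags. */
	$output['logo_text'] = isset( $input['logo_text'] ) ? sanitize_text_field( $input['logo_text'] ) : '';

	/* Link fields: only allowed protocols survive, quotes are removed. */
	$output['twitter_url'] = isset( $input['twitter_url'] ) ? esc_url_raw( $input['twitter_url'] ) : '';
	$output['banner_link'] = isset( $input['banner_link'] ) ? esc_url_raw( $input['banner_link'] ) : '';

	/* Colors: accept only #rgb or #rrggbb, otherwise fall back to a default. */
	$output['topbar_color'] = example_theme_sanitize_hex(
		isset( $input['topbar_color'] ) ? $input['topbar_color'] : '',
		'#333333'
	);

	/* Rich text (slider caption, footer): a limited HTML whitelist via wp_kses_post(). */
	$output['slider_text'] = isset( $input['slider_text'] ) ? wp_kses_post( $input['slider_text'] ) : '';
	$output['footer_text'] = isset( $input['footer_text'] ) ? wp_kses_post( $input['footer_text'] ) : '';

	/* Raw header code: only a user who still holds unfiltered_html may store it. */
	if ( current_user_can( 'unfiltered_html' ) ) {
		$output['header_code'] = isset( $input['header_code'] ) ? $input['header_code'] : '';
	} else {
		/* Keep the previously stored value instead of accepting unfiltered markup. */
		$existing              = get_option( 'example_theme_options', array() );
		$output['header_code'] = isset( $existing['header_code'] ) ? $existing['header_code'] : '';
	}

	return $output;
}

/* Hypothetical helper: strict hex color check, independent of the Customizer being loaded. */
function example_theme_sanitize_hex( $color, $default ) {
	$color = trim( (string) $color );
	if ( preg_match( '/^#([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $color ) ) {
		return $color;
	}
	return $default;
}

/* Output: escape again at the point of use, for the context the value lands in. */
function example_theme_render_topbar() {
	$options = get_option( 'example_theme_options', array() );
	$text    = isset( $options['logo_text'] ) ? $options['logo_text'] : '';
	$url     = isset( $options['twitter_url'] ) ? $options['twitter_url'] : '';
	$color   = isset( $options['topbar_color'] ) ? $options['topbar_color'] : '#333333';

	/* esc_attr() inside attributes, esc_url() in href, esc_html() in element content. */
	printf(
		'<div id="topbar" style="background-color: %1$s"><a href="%2$s" title="%3$s">%4$s</a></div>',
		esc_attr( $color ),
		esc_url( $url ),
		esc_attr( $text ),
		esc_html( $text )
	);
}
```

<div>Sanitizing on save and escaping on output are both needed. The callback stops an <tt>onclick</tt> payload from being stored through the URL or color fields at all, while the context-specific escaping in the render function catches anything that reached the database by another route (an older theme version, an import, direct database access).</div>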
<br>
</body>
</html>