<div dir="ltr">It's example code, to show that an arbitrary script can be executed. You didn't really expect me to put actually dangerous code there, did you? :)</div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Thu, Jan 30, 2014 at 10:58 AM, Rohit Tripathi <span dir="ltr"><<a href="mailto:rohitink@live.com" target="_blank">rohitink@live.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div><div dir="ltr">I am not sure if asking this is lame. But why is entering <b>alert('text')</b> in the header/footer codes area being considered an issue?<div><br></div><div>Regards<br><br><div><hr>Date: Thu, 30 Jan 2014 10:40:22 -0500<br>
From: <a href="mailto:chip@chipbennett.net" target="_blank">chip@chipbennett.net</a><br>To: <a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>Subject: Re: [theme-reviewers] Why Rigorous Review of Theme Functional Files is Important<div>
<div class="h5"><br><br><div dir="ltr">In many cases, the issue is the lack of inherent sanitization when using the Theme Mods API with the Theme Customizer:<div><a href="http://make.wordpress.org/themes/2014/01/30/using-the-theme-customizer-with-the-theme-mods-api/" target="_blank">http://make.wordpress.org/themes/2014/01/30/using-the-theme-customizer-with-the-theme-mods-api/</a><br>

</div></div><div><br><br><div>On Thu, Jan 30, 2014 at 10:21 AM, Justin Tadlock <span dir="ltr"><<a href="mailto:justin@justintadlock.com" target="_blank">justin@justintadlock.com</a>></span> wrote:<br>
<blockquote style="border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div>
    if ( !current_user_can( 'unfiltered_html' ) ) {<br>
        /* Sanitize. */<br>
    }<br>
    <br>
    All theme reviewers should be intimately familiar with this page:<br>
    <a href="http://codex.wordpress.org/Data_Validation" target="_blank">http://codex.wordpress.org/Data_Validation</a><div><div><br>
    <br>
    <div>On 1/30/2014 7:00 AM, Chip Bennett
      wrote:<br>
    </div>
    </div></div><blockquote><div><div>
      <div dir="ltr">Good morning, all,
        <div><br>
        </div>
        <div>Just as a reminder why it is imperative that our reviews
          are thorough and complete, including a review of the Theme
          code and not merely a Theme-Check/front-end review, I woke up
          this morning to several emails reporting various Theme
          security vulnerabilities. Here's a sampling:</div>
        <div><br>
        </div>
        <blockquote style="border:none;padding:0px">
          <div>
            <div>To reproduce:</div>
          </div>
          <div>
            <div><br>
            </div>
          </div>
          <div>
            <div>1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to
              wp-config.php</div>
          </div>
          <div>
            <div>2. Activate the theme, navigate to Theme Options, add
              an image logo</div>
          </div>
          <div>
            <div>3. In General Options - Logo Text, enter (as is, with
              quotes): "</div>
          </div>
          <div>
            <div>onclick="javascript:alert(1);"</div>
          </div>
          <div>
            <div>4. Visit the homepage, click on the logo, boom.</div>
          </div>
          <div>
            <div><br>
            </div>
          </div>
          <div>
            <div>5. In Slider Options, add a slider image and use the
              following for the</div>
          </div>
          <div>
            <div>slider text: Foo bar
              <script>alert('baz');</script></div>
          </div>
          <div>
            <div>6. Visit the home page, boom.</div>
          </div>
          <div>
            <div><br>
            </div>
          </div>
          <div>
            <div><br>
            </div>
          </div>
          <div>
            <div>To reproduce:</div>
          </div>
          <div>
            <div><br>
            </div>
          </div>
          <div>
            <div>1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to
              wp-config.php</div>
          </div>
          <div>
            <div>2. Activate the theme, go to Appearance - Theme
              Settings</div>
          </div>
          <div>
            <div>3. In More Text enter:
              <script>alert('xss');</script></div>
          </div>
          <div>
            <div>4. Visit the home page.</div>
          </div>
          <div>
            <div><br>
            </div>
          </div>
          <div>
            <div>(you will have to have at least one post with a
              <!--more--> tag</div>
          </div>
          <div>
            <div><br>
            </div>
          </div>
          <div>
            <div>To reproduce:</div>
          </div>
          <div>
            <div><br>
            </div>
          </div>
          <div>
            <div>1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to
              wp-config.php</div>
          </div>
          <div>
            <div>2. Activate the Theme, navigate to Appearance - Theme</div>
          </div>
          <div>
            <div>Options - Social Networks Configuration</div>
          </div>
          <div>
            <div>3. In Twitter URL enter: <a href="http://twitter.com/kovshenin" target="_blank">http://twitter.com/kovshenin</a>'
              onclick='alert(1);'</div>
          </div>
          <div>
            <div>4. Visit the home page and click the Twitter icon on
              the top right,</div>
          </div>
          <div>
            <div>ouch. Other URL fields affected too.</div>
          </div>
          <div>
            <div><br>
            </div>
          </div>
          <div>
            <div>5. In Layout Settings - Footer enter:
              <script>alert(123)</script></div>
          </div>
          <div>
            <div>6. Visit the front page, ouch</div>
          </div>
          <div>
            <div><br>
            </div>
          </div>
          <div>
            <div>7. In Advertise Settings, Header Banner Alternative: '
              onclick='alert(1)'</div>
          </div>
          <div>
            <div>8. Visit the front page and click the header banner,
              ouch</div>
          </div>
          <div>
            <div><br>
            </div>
          </div>
          <div>
            <div>9. In Advertise Settings, Header Banner Link: <a href="http://foo.com" target="_blank">http://foo.com</a>'</div>
          </div>
          <div>
            <div>onclick='alert("bar")</div>
          </div>
          <div>
            <div>10. Visit the front page and click the banner</div>
          </div>
          <div>
            <div><br>
            </div>
          </div>
          <div>
            <div>To reproduce:</div>
          </div>
          <div>
            <div><br>
            </div>
          </div>
          <div>
            <div>11. In Theme Options - Integration</div>
          </div>
          <div>
            <div>12. For header code:
              <script>alert('wow');</script></div>
          </div>
          <div>
            <div>13. Body code:
              <script>alert('seriously?')</script></div>
          </div>
          <div>
            <div>14. Visit the front page</div>
          </div>
          <div>
            <div><br>
            </div>
          </div>
          <div>
            <div>To reproduce:</div>
          </div>
          <div>
            <div><br>
            </div>
          </div>
          <div>
            <div>15. in Theme Options - Colors, go to your browser JS
              console and</div>
          </div>
          <div>
            <div>enter:
              jQuery('#cwp_templates_topbar_colorid_color').val('blue;"</div>
          </div>
          <div>
            <div>onclick="javascript:alert(123);')</div>
          </div>
          <div>
            <div>16. Hit save changes, visit the front page</div>
          </div>
          <div>
            <div>17. The top bar is blue, try and click it. Probably all
              the color</div>
          </div>
          <div>
            <div>fields in this theme are vulnerable to this.</div>
          </div>
        </blockquote>
        <div><br>
        </div>
        <div>That these issues are appearing in approved/live Themes is
          exactly the reason that it takes so long to get through the
          approved-Theme queue. We have to audit for these things, and
          the audits are turning into complete re-reviews in several
          cases.</div>
        <div><br>
        </div>
        <div>If you are uncomfortable with performing this level of
          review - first: don't worry. We've all been there. <b>But the
            important thing is to ask for help.</b> We have a team of
          100 people, most/all of whom would be more than happy to lend
          a hand. We've all learned from each other. Post a comment
          in-ticket, or post to the mail-list, and ask for guidance.
          Especially when it comes to Theme options, Theme code can get
          quite complex and often difficult to follow. Understanding how
          the Settings API works sometimes seems like it requires a
          master's degree. And developers all have different coding
          styles. It's completely understandable if someone needs a
          second pair of eyes when reviewing a given Theme. So please:
          ask for help if you need it when reviewing.</div>
      </div>
      <br>
      <fieldset></fieldset>
      <br>
      </div></div><div><pre>_______________________________________________
theme-reviewers mailing list
<a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a>
</pre>
    </div></blockquote>
    <br>
  </div>

<br></blockquote></div><br></div>
</div></div></div></div></div></div>
<br></blockquote></div><br></div>
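<div dir="ltr">A defensive counterpart to the reports in the thread, added here as an example and not code from any of the posters or the themes they reviewed: a Customizer registration that attaches a sanitize_callback to each kind of field the reports name (text, URL, color, header code) and escapes again at output. It assumes a WordPress install; the example_* setting names and example_sanitize_* helpers are hypothetical, and the add_control() calls are omitted since they do not affect sanitization.</div>

```php
<?php
// Added example, not code from the thread or any reviewed theme. Assumes a
// WordPress install; the example_* setting names and helpers are hypothetical.
add_action( 'customize_register', 'example_customize_register' );
function example_customize_register( $wp_customize ) {
	// Logo text: tags are stripped on save; esc_html at output (below) is what
	// stops a stray quote from closing the surrounding attribute or element.
	$wp_customize->add_setting( 'example_logo_text', array(
		'type'              => 'theme_mod',
		'sanitize_callback' => 'sanitize_text_field',
	) );
	// Social URL: esc_url_raw keeps only allowed schemes and encodes quotes.
	$wp_customize->add_setting( 'example_twitter_url', array(
		'type'              => 'theme_mod',
		'sanitize_callback' => 'esc_url_raw',
	) );
	// Top bar color: only a 6-digit hex color is stored; anything else is dropped.
	$wp_customize->add_setting( 'example_topbar_color', array(
		'type'              => 'theme_mod',
		'default'           => '#333333',
		'sanitize_callback' => 'example_sanitize_hex_color',
	) );
	// Header code: raw HTML only for users holding unfiltered_html (a capability
	// DISALLOW_UNFILTERED_HTML removes from everyone); others get wp_kses_post.
	$wp_customize->add_setting( 'example_header_code', array(
		'type'              => 'theme_mod',
		'sanitize_callback' => 'example_sanitize_html_code',
	) );
}

function example_sanitize_hex_color( $value ) {
	return preg_match( '/^#[0-9a-fA-F]{6}$/', $value ) ? $value : '';
}

function example_sanitize_html_code( $value ) {
	if ( current_user_can( 'unfiltered_html' ) ) {
		return $value; // same check as in the reply quoted above
	}
	return wp_kses_post( $value );
}

// At output, escape again per context: esc_attr (style attr), esc_url (href), esc_html (text).
function example_topbar_markup() {
	return sprintf(
		'<div style="background:%s"><a href="%s">%s</a></div>',
		esc_attr( get_theme_mod( 'example_topbar_color', '#333333' ) ),
		esc_url( get_theme_mod( 'example_twitter_url', '' ) ),
		esc_html( get_theme_mod( 'example_logo_text', '' ) )
	);
}
```

Sanitizing on save and escaping on output are both needed: the callback limits what reaches the database, and the context-specific escape is what keeps a value that is valid as text or as a URL from being interpreted as markup where it is printed.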