<div dir="ltr">If i add 'capability' => 'unfiltered_html' then can i skip 'sanitize_callback' => 'prefix_sanitize_integer' ?<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Thu, Jan 30, 2014 at 10:04 PM, Rohit Tripathi <span dir="ltr"><<a href="mailto:rohitink@live.com" target="_blank">rohitink@live.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div dir="ltr">Thanks Koveshenin.<div><br></div><div>So, if I make the The option of Custom Js available only to users with unfiltered_html capability, then the themes are good to go, right?</div><div><br></div><div>
<br><br><div>> Date: Thu, 30 Jan 2014 20:19:39 +0400<br>> From: <a href="mailto:kovshenin@gmail.com" target="_blank">kovshenin@gmail.com</a><div><div class="h5"><br>> To: <a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
> Subject: Re: [theme-reviewers] Why Rigorous Review of Theme Functional Files is Important<br>> <br>> > I have just allowed the <script> tag in the text area. Is the script tag not acceptable at all? Or should I create a New Field, derivate of Textfield, and allow <script> in that?<br>
> <br>> As Justin pointed out earlier, you should be checking whether the<br>> current user can publish unfiltered html, and only then show your<br>> custom js fields that allow script tags. Note that an some setups,<br>
> neither admins nor super admins have the unfiltered_html capability<br>> for security reasons.<br>> <br>> Also, in my opinion, Custom CSS and especially Custom JS should not be<br>> allowed in themes.<br>
> <br>> On Thu, Jan 30, 2014 at 8:14 PM, Chip Bennett <<a href="mailto:chip@chipbennett.net" target="_blank">chip@chipbennett.net</a>> wrote:<br>> > Speaking in general terms, any Theme option must be properly<br>
> > sanitized/validated on input, and escaped on output, as appropriate.<br>> > Specific sanitization/validation/escaping methods depend on the specific<br>> > data type.<br>> ><br>> ><br>> > On Thu, Jan 30, 2014 at 11:12 AM, Rohit Tripathi <<a href="mailto:rohitink@live.com" target="_blank">rohitink@live.com</a>> wrote:<br>
> >><br>> >> I Use options framework for my theme options. I have just allowed the<br>> >> <script> tag in the text area. Is the script tag not acceptable at all? Or<br>> >> should I create a New Field, derivate of Textfield, and allow <script> in<br>
> >> that?<br>> >><br>> >> Regards<br>> >><br>> >> ________________________________<br>> >> Date: Thu, 30 Jan 2014 11:01:22 -0500<br>> >><br>> >> From: <a href="mailto:chip@chipbennett.net" target="_blank">chip@chipbennett.net</a><br>
> >> To: <a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>> >> Subject: Re: [theme-reviewers] Why Rigorous Review of Theme Functional<br>> >> Files is Important<br>
> >><br>> >> It's example code, to show that an arbitrary script can be executed. You<br>> >> didn't really expect me to put actually dangerous code there, did you? :)<br>> >><br>
> >><br>> >> On Thu, Jan 30, 2014 at 10:58 AM, Rohit Tripathi <<a href="mailto:rohitink@live.com" target="_blank">rohitink@live.com</a>><br>> >> wrote:<br>> >><br>> >> I am not sure, if asking this is lame. But, why is the entering<br>
> >> alert('text') in the header/footer codes area, being considered as an issue?<br>> >><br>> >> Regards<br>> >><br>> >> ________________________________<br>> >> Date: Thu, 30 Jan 2014 10:40:22 -0500<br>
> >> From: <a href="mailto:chip@chipbennett.net" target="_blank">chip@chipbennett.net</a><br>> >> To: <a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
> >> Subject: Re: [theme-reviewers] Why Rigorous Review of Theme Functional<br>> >> Files is Important<br>> >><br>> >><br>> >> In many cases, the issue is the lack of inherent sanitization when using<br>
> >> the Theme Mods API with the Theme Customizer:<br>> >><br>> >> <a href="http://make.wordpress.org/themes/2014/01/30/using-the-theme-customizer-with-the-theme-mods-api/" target="_blank">http://make.wordpress.org/themes/2014/01/30/using-the-theme-customizer-with-the-theme-mods-api/</a><br>
> >><br>> >><br>> >> On Thu, Jan 30, 2014 at 10:21 AM, Justin Tadlock<br>> >> <<a href="mailto:justin@justintadlock.com" target="_blank">justin@justintadlock.com</a>> wrote:<br>> >><br>
> >> if ( !current_user_can( 'unfiltered_html' ) ) {<br>> >> /* Sanitize. */<br>> >> }<br>> >><br>> >> All theme reviewers should be intimately familiar with this page:<br>
> >> <a href="http://codex.wordpress.org/Data_Validation" target="_blank">http://codex.wordpress.org/Data_Validation</a><br>> >><br>> >><br>> >> On 1/30/2014 7:00 AM, Chip Bennett wrote:<br>
> >><br>> >> Good morning, all,<br>> >><br>> >> Just as a reminder why it is imperative that our reviews are thorough and<br>> >> complete, including a review of the Theme code and not merely a<br>
> >> Theme-Check/front-end review, I woke up this morning to several emails<br>> >> reporting various Theme security vulnerabilities. Here's a sampling:<br>> >><br>> >> To reproduce:<br>
> >><br>> >> 1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php<br>> >> 2. Activate the theme, navigate to Theme Options, add an image logo<br>> >> 3. In General Options - Logo Text, enter (as is, with quotes): "<br>
> >> onclick="javascript:alert(1);"<br>> >> 4. Visit the homepage, click on the logo, boom.<br>> >><br>> >> 5. In Slider Options, add a slider image and use the following for the<br>
> >> slider text: Foo bar <script>alert('baz');</script><br>> >> 6. Visit the home page, boom.<br>> >><br>> >><br>> >> To reproduce:<br>> >><br>> >> 1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php<br>
> >> 2. Activate the theme, go to Appearance - Theme Settings<br>> >> 3. In More Text enter: <script>alert('xss');</script><br>> >> 4. Visit the home page.<br>> >><br>
> >> (you will have to have at least one post with a <!--more--> tag<br>> >><br>> >> To reproduce:<br>> >><br>> >> 1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php<br>
> >> 2. Activate the Theme, navigate to Appearance - Theme<br>> >> Options - Social Netowrks Configuration<br>> >> 3. In Twitter URL enter: <a href="http://twitter.com/kovshenin" target="_blank">http://twitter.com/kovshenin</a>' onclick='alert(1);'<br>
> >> 4. Visit the home page and click the Twitter icon on the top right,<br>> >> ouch. Other URL fields affected too.<br>> >><br>> >> 5. In Layout Settings - Footer enter: <script>alert(123)</script><br>
> >> 6. Visit the front page, ouch<br>> >><br>> >> 7. In Advertise Settings, Header Banner Alternative: ' onclick='alert(1)'<br>> >> 8. Visit the front page and click the header banner, ouch<br>
> >><br>> >> 9. In Advertise Settings, Header Banner Link: <a href="http://foo.com" target="_blank">http://foo.com</a>'<br>> >> onclick='alert("bar")<br>> >> 10. Visit the front page and click the banner<br>
> >><br>> >> To reproduce:<br>> >><br>> >> 11. In Theme Options - Integration<br>> >> 12. For header code: <script>alert('wow');</script><br>> >> 13. Body code: <script>alert('seriously?')</script><br>
> >> 14. Visit the front page<br>> >><br>> >> To reproduce:<br>> >><br>> >> 15. in Theme Options - Colors, go to your browser JS console and<br>> >> enter: jQuery('#cwp_templates_topbar_colorid_color').val('blue;"<br>
> >> onclick="javascript:alert(123);')<br>> >> 16. Hit save changes, visit the front page<br>> >> 17. The top bar is blue, try and click it. Probably all the color<br>> >> fields in this theme are vulnerable to this.<br>
> >><br>> >><br>> >> That these issues are appearing is approved/live Themes is exactly the<br>> >> reason that it takes so long to get through the approved-Theme queue. We<br>> >> have to audit for these things, and the audits are turning into complete<br>
> >> re-reviews in several cases.<br>> >><br>> >> If you are uncomfortable with performing this level of review - first:<br>> >> don't worry. We've all been there. But the important thing is to ask for<br>
> >> help. We have a team of 100 people, most/all of whom would be more than<br>> >> happy to lend a hand. We've all learned from each other. Post a comment<br>> >> in-ticket, or post to the mail-list, and ask for guidance. Especially when<br>
> >> it comes to Theme options, Theme code can get quite complex and often<br>> >> difficult to follow. Understanding how the Settings API works sometimes<br>> >> seems like it requires a master's degree. And developers all have different<br>
> >> coding styles. It's completely understandable if someone needs a second pair<br>> >> of eyes when reviewing a given Theme. So please: ask for help if you need it<br>> >> when reviewing.<br>
> >><br>> >><br>> >> _______________________________________________<br>> >> theme-reviewers mailing list<br>> >> <a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
> >> <a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>> >><br>> >><br>> >><br>> >> _______________________________________________<br>
> >> theme-reviewers mailing list<br>> >> <a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>> >> <a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
> >><br>> >><br>> >><br>> >> _______________________________________________ theme-reviewers mailing<br>> >> list <a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
> >> <a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>> >><br>> >> _______________________________________________<br>
> >> theme-reviewers mailing list<br>> >> <a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>> >> <a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
> >><br>> >><br>> >><br>> >> _______________________________________________ theme-reviewers mailing<br>> >> list <a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
> >> <a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>> >><br>> >> _______________________________________________<br>
> >> theme-reviewers mailing list<br>> >> <a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>> >> <a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
> >><br>> ><br>> ><br>> > _______________________________________________<br>> > theme-reviewers mailing list<br>> > <a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
> > <a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>> ><br>> <br>> <br>> <br>> -- <br>> Konstantin<br>
> _______________________________________________<br>> theme-reviewers mailing list<br>> <a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>> <a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
</div></div></div></div> </div></div>
<br>_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br></blockquote></div><br></div>