<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Yes, I will be Santizing the Input and also make it available to users with unfiltered_html capability. But, the <b>alert(123)</b> is still going to work. So, now the security is no longer the responsibility of the theme author, right. The admin can enter whatever they want, right?<br><br><div>> Date: Thu, 30 Jan 2014 20:40:33 +0400<br>> From: kovshenin@gmail.com<br>> To: theme-reviewers@lists.wordpress.org<br>> Subject: Re: [theme-reviewers] Why Rigorous Review of Theme Functional Files is Important<br>> <br>> > So, if I make the The option of Custom Js available only to users with unfiltered_html capability, then the themes are good to go, right?<br>> <br>> That would make the theme more secure, yes, but ultimately it's up to<br>> the reviewers and the guidelines on whether it's good to go or not.<br>> <br>> Again, my opinion is that Custom CSS and Custom JS are plugin<br>> territory, which would stop theme authors from reinventing the wheel.<br>> It would also mean that reviewers will spend less time auditing theme<br>> code. And it would also mean that there's less risk of insecure code<br>> ending up in the themes directory. Right, let's dump it all in the<br>> plugins directory :)<br>> <br>> On Thu, Jan 30, 2014 at 8:34 PM, Rohit Tripathi <rohitink@live.com> wrote:<br>> > Thanks Koveshenin.<br>> ><br>> > So, if I make the The option of Custom Js available only to users with<br>> > unfiltered_html capability, then the themes are good to go, right?<br>> ><br>> ><br>> ><br>> >> Date: Thu, 30 Jan 2014 20:19:39 +0400<br>> >> From: kovshenin@gmail.com<br>> ><br>> >> To: theme-reviewers@lists.wordpress.org<br>> >> Subject: Re: [theme-reviewers] Why Rigorous Review of Theme Functional<br>> >> Files is Important<br>> >><br>> >> > I have just allowed the <script> tag in the text area. Is the script tag<br>> >> > not acceptable at all? Or should I create a New Field, derivate of<br>> >> > Textfield, and allow <script> in that?<br>> >><br>> >> As Justin pointed out earlier, you should be checking whether the<br>> >> current user can publish unfiltered html, and only then show your<br>> >> custom js fields that allow script tags. Note that an some setups,<br>> >> neither admins nor super admins have the unfiltered_html capability<br>> >> for security reasons.<br>> >><br>> >> Also, in my opinion, Custom CSS and especially Custom JS should not be<br>> >> allowed in themes.<br>> >><br>> >> On Thu, Jan 30, 2014 at 8:14 PM, Chip Bennett <chip@chipbennett.net><br>> >> wrote:<br>> >> > Speaking in general terms, any Theme option must be properly<br>> >> > sanitized/validated on input, and escaped on output, as appropriate.<br>> >> > Specific sanitization/validation/escaping methods depend on the specific<br>> >> > data type.<br>> >> ><br>> >> ><br>> >> > On Thu, Jan 30, 2014 at 11:12 AM, Rohit Tripathi <rohitink@live.com><br>> >> > wrote:<br>> >> >><br>> >> >> I Use options framework for my theme options. I have just allowed the<br>> >> >> <script> tag in the text area. Is the script tag not acceptable at all?<br>> >> >> Or<br>> >> >> should I create a New Field, derivate of Textfield, and allow <script><br>> >> >> in<br>> >> >> that?<br>> >> >><br>> >> >> Regards<br>> >> >><br>> >> >> ________________________________<br>> >> >> Date: Thu, 30 Jan 2014 11:01:22 -0500<br>> >> >><br>> >> >> From: chip@chipbennett.net<br>> >> >> To: theme-reviewers@lists.wordpress.org<br>> >> >> Subject: Re: [theme-reviewers] Why Rigorous Review of Theme Functional<br>> >> >> Files is Important<br>> >> >><br>> >> >> It's example code, to show that an arbitrary script can be executed.<br>> >> >> You<br>> >> >> didn't really expect me to put actually dangerous code there, did you?<br>> >> >> :)<br>> >> >><br>> >> >><br>> >> >> On Thu, Jan 30, 2014 at 10:58 AM, Rohit Tripathi <rohitink@live.com><br>> >> >> wrote:<br>> >> >><br>> >> >> I am not sure, if asking this is lame. But, why is the entering<br>> >> >> alert('text') in the header/footer codes area, being considered as an<br>> >> >> issue?<br>> >> >><br>> >> >> Regards<br>> >> >><br>> >> >> ________________________________<br>> >> >> Date: Thu, 30 Jan 2014 10:40:22 -0500<br>> >> >> From: chip@chipbennett.net<br>> >> >> To: theme-reviewers@lists.wordpress.org<br>> >> >> Subject: Re: [theme-reviewers] Why Rigorous Review of Theme Functional<br>> >> >> Files is Important<br>> >> >><br>> >> >><br>> >> >> In many cases, the issue is the lack of inherent sanitization when<br>> >> >> using<br>> >> >> the Theme Mods API with the Theme Customizer:<br>> >> >><br>> >> >><br>> >> >> http://make.wordpress.org/themes/2014/01/30/using-the-theme-customizer-with-the-theme-mods-api/<br>> >> >><br>> >> >><br>> >> >> On Thu, Jan 30, 2014 at 10:21 AM, Justin Tadlock<br>> >> >> <justin@justintadlock.com> wrote:<br>> >> >><br>> >> >> if ( !current_user_can( 'unfiltered_html' ) ) {<br>> >> >> /* Sanitize. */<br>> >> >> }<br>> >> >><br>> >> >> All theme reviewers should be intimately familiar with this page:<br>> >> >> http://codex.wordpress.org/Data_Validation<br>> >> >><br>> >> >><br>> >> >> On 1/30/2014 7:00 AM, Chip Bennett wrote:<br>> >> >><br>> >> >> Good morning, all,<br>> >> >><br>> >> >> Just as a reminder why it is imperative that our reviews are thorough<br>> >> >> and<br>> >> >> complete, including a review of the Theme code and not merely a<br>> >> >> Theme-Check/front-end review, I woke up this morning to several emails<br>> >> >> reporting various Theme security vulnerabilities. Here's a sampling:<br>> >> >><br>> >> >> To reproduce:<br>> >> >><br>> >> >> 1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php<br>> >> >> 2. Activate the theme, navigate to Theme Options, add an image logo<br>> >> >> 3. In General Options - Logo Text, enter (as is, with quotes): "<br>> >> >> onclick="javascript:alert(1);"<br>> >> >> 4. Visit the homepage, click on the logo, boom.<br>> >> >><br>> >> >> 5. In Slider Options, add a slider image and use the following for the<br>> >> >> slider text: Foo bar <script>alert('baz');</script><br>> >> >> 6. Visit the home page, boom.<br>> >> >><br>> >> >><br>> >> >> To reproduce:<br>> >> >><br>> >> >> 1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php<br>> >> >> 2. Activate the theme, go to Appearance - Theme Settings<br>> >> >> 3. In More Text enter: <script>alert('xss');</script><br>> >> >> 4. Visit the home page.<br>> >> >><br>> >> >> (you will have to have at least one post with a <!--more--> tag<br>> >> >><br>> >> >> To reproduce:<br>> >> >><br>> >> >> 1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php<br>> >> >> 2. Activate the Theme, navigate to Appearance - Theme<br>> >> >> Options - Social Netowrks Configuration<br>> >> >> 3. In Twitter URL enter: http://twitter.com/kovshenin'<br>> >> >> onclick='alert(1);'<br>> >> >> 4. Visit the home page and click the Twitter icon on the top right,<br>> >> >> ouch. Other URL fields affected too.<br>> >> >><br>> >> >> 5. In Layout Settings - Footer enter: <script>alert(123)</script><br>> >> >> 6. Visit the front page, ouch<br>> >> >><br>> >> >> 7. In Advertise Settings, Header Banner Alternative: '<br>> >> >> onclick='alert(1)'<br>> >> >> 8. Visit the front page and click the header banner, ouch<br>> >> >><br>> >> >> 9. In Advertise Settings, Header Banner Link: http://foo.com'<br>> >> >> onclick='alert("bar")<br>> >> >> 10. Visit the front page and click the banner<br>> >> >><br>> >> >> To reproduce:<br>> >> >><br>> >> >> 11. In Theme Options - Integration<br>> >> >> 12. For header code: <script>alert('wow');</script><br>> >> >> 13. Body code: <script>alert('seriously?')</script><br>> >> >> 14. Visit the front page<br>> >> >><br>> >> >> To reproduce:<br>> >> >><br>> >> >> 15. in Theme Options - Colors, go to your browser JS console and<br>> >> >> enter: jQuery('#cwp_templates_topbar_colorid_color').val('blue;"<br>> >> >> onclick="javascript:alert(123);')<br>> >> >> 16. Hit save changes, visit the front page<br>> >> >> 17. The top bar is blue, try and click it. Probably all the color<br>> >> >> fields in this theme are vulnerable to this.<br>> >> >><br>> >> >><br>> >> >> That these issues are appearing is approved/live Themes is exactly the<br>> >> >> reason that it takes so long to get through the approved-Theme queue.<br>> >> >> We<br>> >> >> have to audit for these things, and the audits are turning into<br>> >> >> complete<br>> >> >> re-reviews in several cases.<br>> >> >><br>> >> >> If you are uncomfortable with performing this level of review - first:<br>> >> >> don't worry. We've all been there. But the important thing is to ask<br>> >> >> for<br>> >> >> help. We have a team of 100 people, most/all of whom would be more than<br>> >> >> happy to lend a hand. We've all learned from each other. Post a comment<br>> >> >> in-ticket, or post to the mail-list, and ask for guidance. Especially<br>> >> >> when<br>> >> >> it comes to Theme options, Theme code can get quite complex and often<br>> >> >> difficult to follow. Understanding how the Settings API works sometimes<br>> >> >> seems like it requires a master's degree. And developers all have<br>> >> >> different<br>> >> >> coding styles. It's completely understandable if someone needs a second<br>> >> >> pair<br>> >> >> of eyes when reviewing a given Theme. So please: ask for help if you<br>> >> >> need it<br>> >> >> when reviewing.<br>> >> >><br>> >> >><br>> >> >> _______________________________________________<br>> >> >> theme-reviewers mailing list<br>> >> >> theme-reviewers@lists.wordpress.org<br>> >> >> http://lists.wordpress.org/mailman/listinfo/theme-reviewers<br>> >> >><br>> >> >><br>> >> >><br>> >> >> _______________________________________________<br>> >> >> theme-reviewers mailing list<br>> >> >> theme-reviewers@lists.wordpress.org<br>> >> >> http://lists.wordpress.org/mailman/listinfo/theme-reviewers<br>> >> >><br>> >> >><br>> >> >><br>> >> >> _______________________________________________ theme-reviewers mailing<br>> >> >> list theme-reviewers@lists.wordpress.org<br>> >> >> http://lists.wordpress.org/mailman/listinfo/theme-reviewers<br>> >> >><br>> >> >> _______________________________________________<br>> >> >> theme-reviewers mailing list<br>> >> >> theme-reviewers@lists.wordpress.org<br>> >> >> http://lists.wordpress.org/mailman/listinfo/theme-reviewers<br>> >> >><br>> >> >><br>> >> >><br>> >> >> _______________________________________________ theme-reviewers mailing<br>> >> >> list theme-reviewers@lists.wordpress.org<br>> >> >> http://lists.wordpress.org/mailman/listinfo/theme-reviewers<br>> >> >><br>> >> >> _______________________________________________<br>> >> >> theme-reviewers mailing list<br>> >> >> theme-reviewers@lists.wordpress.org<br>> >> >> http://lists.wordpress.org/mailman/listinfo/theme-reviewers<br>> >> >><br>> >> ><br>> >> ><br>> >> > _______________________________________________<br>> >> > theme-reviewers mailing list<br>> >> > theme-reviewers@lists.wordpress.org<br>> >> > http://lists.wordpress.org/mailman/listinfo/theme-reviewers<br>> >> ><br>> >><br>> >><br>> >><br>> >> --<br>> >> Konstantin<br>> >> _______________________________________________<br>> >> theme-reviewers mailing list<br>> >> theme-reviewers@lists.wordpress.org<br>> >> http://lists.wordpress.org/mailman/listinfo/theme-reviewers<br>> ><br>> > _______________________________________________<br>> > theme-reviewers mailing list<br>> > theme-reviewers@lists.wordpress.org<br>> > http://lists.wordpress.org/mailman/listinfo/theme-reviewers<br>> ><br>> <br>> <br>> <br>> -- <br>> Konstantin<br>> _______________________________________________<br>> theme-reviewers mailing list<br>> theme-reviewers@lists.wordpress.org<br>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers<br></div> </div></body>
</html>