[wp-trac] [WordPress Trac] #21622: Validate or sandbox theme file edits before saving them (as is done for plugins)
WordPress Trac
noreply at wordpress.org
Tue Oct 3 11:30:17 UTC 2017
#21622: Validate or sandbox theme file edits before saving them (as is done for plugins)
-------------------------------------+-----------------------------
Reporter: eschwartz93 | Owner: westonruter
Type: enhancement | Status: accepted
Priority: high | Milestone: 4.9
Component: Themes | Version: 2.7.1
Severity: normal | Resolution:
Keywords: has-patch needs-testing | Focuses: administration
-------------------------------------+-----------------------------
Comment (by johnbillion):
This looks really good. A few points from me:
* The full file path shouldn't be exposed in the error message. It should
show the path relative to ABSPATH, for example:
`str_replace( ABSPATH, '', $error_output )`.
* Every call to `opcache_invalidate()` needs a `function_exists()` check
because it's PHP >= 5.5 only.
* It looks like the error notice is displayed as HTML instead of plain
text, which is not ideal for security hardening purposes. The error
message should be run through `wp_strip_all_tags()` and displayed as text
instead of HTML.
* Use `wp_json_encode()` instead of `json_encode()` in
`wp_finalize_scraping_edited_file_errors()`.
* Unrelated change in `src/wp-includes/js/wp-a11y.js`.
* Should `wp_start_scraping_edited_file_errors()` return instead of dying
if the nonce is invalid?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21622#comment:26>
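As an added illustration of the hardening points raised in the comment above (this is not the ticket's patch or WordPress core code), the helper below takes a scraped PHP error in the `error_get_last()` array shape, reports paths relative to `ABSPATH`, strips HTML from the message before display, and guards `opcache_invalidate()` with `function_exists()`. The function names `example_sanitize_edited_file_error()` and `example_invalidate_edited_file()` are assumptions; WordPress is assumed to be loaded so that `ABSPATH`, `wp_strip_all_tags()`, `esc_html()` and `wp_json_encode()` are available.

```php
<?php
// Added example, not from the ticket's patch or WordPress core.
// Assumes WordPress is loaded: ABSPATH, wp_strip_all_tags(), esc_html(),
// wp_json_encode() are available.

/**
 * Reduce a scraped PHP error (error_get_last() shape) to a safe, text-only
 * structure suitable for an admin notice or a JSON response.
 */
function example_sanitize_edited_file_error( array $error ) {
	// Never disclose the server layout: strip the install root from paths,
	// both in the message text and in the reported file name.
	$message = str_replace( ABSPATH, '', (string) $error['message'] );
	$file    = str_replace( ABSPATH, '', (string) $error['file'] );

	// Treat the message as plain text, not markup. A fatal error string can
	// echo attacker-influenced input, so tags must not reach the page.
	$message = wp_strip_all_tags( $message, true );

	return array(
		'type'    => (int) $error['type'],
		'message' => $message,
		'file'    => $file,
		'line'    => (int) $error['line'],
	);
}

/**
 * Drop the compiled copy of an edited file so the next request runs the
 * new source. opcache_invalidate() only exists on PHP >= 5.5 with OPcache
 * loaded, hence the function_exists() guard.
 */
function example_invalidate_edited_file( $file ) {
	if ( function_exists( 'opcache_invalidate' ) ) {
		return opcache_invalidate( $file, true );
	}
	return false;
}

// Usage (constructed error, as error_get_last() would return it):
$raw = array(
	'type'    => E_PARSE,
	'message' => 'syntax error, unexpected <b>\'}\'</b> in ' . ABSPATH . 'wp-content/themes/x/functions.php',
	'file'    => ABSPATH . 'wp-content/themes/x/functions.php',
	'line'    => 12,
);
$safe = example_sanitize_edited_file_error( $raw );
// Display as text: escape once more at output time, and use wp_json_encode()
// rather than json_encode() when returning it to the editor's JavaScript.
echo '<pre>' . esc_html( $safe['message'] ) . '</pre>';
$json = wp_json_encode( $safe );
```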