[theme-reviewers] What/Why Is This in a Footer Copyright Statement?

Andrew Nacin wp at andrewnacin.com
Thu Nov 4 03:13:15 UTC 2010


On Wed, Nov 3, 2010 at 4:00 PM, Chip Bennett <chip at chipbennett.net> wrote:

> Found this in another Theme:
>
> Copyright <?php echo date('Y') . ' ' . substr($_SERVER['HTTP_HOST'], 4, 100); ?>
>
> I don't know what it's trying to do, other than pull something out of the
> HTTP header...
>

This is unsafe and potentially insecure. All $_SERVER variables must never
be printed without being escaped.

This needs to either have esc_html() applied to it, or preferably replaced
with site_url(), or even better, bloginfo('name'), which is what it's meant
for.

Here's some reading:
http://markjaquith.wordpress.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/

Nacin
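The following is an added example, not code from this thread or from any theme, showing why the quoted footer line is unsafe and what the two safer forms Nacin describes look like. It assumes a standalone PHP script, so htmlspecialchars() stands in for WordPress's esc_html() and a hard-coded $siteName stands in for what bloginfo('name') prints; the Host header value is constructed.

```php
<?php
// Added example, not from the thread or any theme. Run with: php footer.php
// Outside WordPress, htmlspecialchars() plays the role esc_html() plays in a
// theme, and $siteName stands in for the site name bloginfo('name') prints.

// Constructed request: HTTP_HOST comes from the client's Host header, not from
// server configuration, so a theme must treat it as untrusted input.
$_SERVER['HTTP_HOST'] = 'www.example.test<script>alert(1)</script>';

// 1. The line found in the theme: request data echoed into HTML unescaped.
function footer_unsafe(): string
{
    return 'Copyright ' . date('Y') . ' ' . substr($_SERVER['HTTP_HOST'], 4, 100);
}

// 2. Same data, escaped before output (esc_html() in a WordPress theme):
//    the markup is rendered as text instead of being parsed by the browser.
function footer_escaped(): string
{
    $host = substr($_SERVER['HTTP_HOST'], 4, 100);
    return 'Copyright ' . date('Y') . ' ' . htmlspecialchars($host, ENT_QUOTES, 'UTF-8');
}

// 3. Preferred: do not use request data at all; print the configured site
//    name (bloginfo('name') in a theme). Escaping on output is still good habit.
function footer_preferred(string $siteName): string
{
    return 'Copyright ' . date('Y') . ' ' . htmlspecialchars($siteName, ENT_QUOTES, 'UTF-8');
}

echo footer_unsafe(), "\n";     // raw <script> tag survives into the page
echo footer_escaped(), "\n";    // &lt;script&gt;...: inert text
echo footer_preferred('My Example Site'), "\n";
```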