[theme-reviewers] What/Why Is This in a Footer Copyright Statement?

Andrew Nacin wp at andrewnacin.com
Thu Nov 4 03:13:15 UTC 2010

On Wed, Nov 3, 2010 at 4:00 PM, Chip Bennett <chip at chipbennett.net> wrote:

> Found this in another Theme:
> Copyright <?php echo date('Y') . ' ' . substr($_SERVER['HTTP_HOST'], 4, 100); ?>
> I don't know what it's trying to do, other than pull something out of the
> HTTP header...

This is unsafe and potentially insecure. All $_SERVER variables must never
be printed without being escaped.

This needs to either have esc_html() applied to it, or preferably replaced
with site_url(), or even better, bloginfo('name'), which is what it's meant

Here's some reading:
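As an added illustration (not code from the thread or from any theme), the footer line in question beside the escaped and the preferred forms. Outside WordPress, esc_html() and get_bloginfo() are undefined, so this stand-alone script assumes fallbacks for them (htmlspecialchars() and a constructed site title); the Host header value is constructed sample input, and get_bloginfo('name') is used as the returning counterpart of bloginfo('name'), which echoes.

```php
<?php
// Added example: why an unescaped $_SERVER['HTTP_HOST'] in a footer is a
// problem, and the two alternatives the reply recommends.

// Assumption for stand-alone runs: WordPress is not loaded, so provide
// minimal stand-ins for esc_html() and get_bloginfo(). Inside a theme
// these blocks are skipped because the real functions already exist.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('get_bloginfo')) {
    function get_bloginfo($show) {
        return 'Example Site'; // constructed stand-in for the site title
    }
}

// Constructed sample input: the Host header is sent by the client, so a
// request can carry markup in it. Not a real host name.
$_SERVER['HTTP_HOST'] = 'www.example.com<b>injected</b>';

// 1. The line from the thread: whatever was sent as the Host header is
//    written into the page unchanged.
function footer_unsafe() {
    return 'Copyright ' . date('Y') . ' ' . substr($_SERVER['HTTP_HOST'], 4, 100);
}

// 2. Minimal fix: escape on output so any markup is rendered as text,
//    never interpreted by the browser.
function footer_escaped() {
    return 'Copyright ' . date('Y') . ' ' . esc_html(substr($_SERVER['HTTP_HOST'], 4, 100));
}

// 3. Preferred: take the site title the administrator configured instead
//    of a request header, and still escape it at the point of output.
function footer_preferred() {
    return 'Copyright ' . date('Y') . ' ' . esc_html(get_bloginfo('name'));
}

echo footer_unsafe(), PHP_EOL;     // raw header value reaches the page
echo footer_escaped(), PHP_EOL;    // angle brackets become entities
echo footer_preferred(), PHP_EOL;  // no request-controlled data at all
```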
