[theme-reviewers] Guidance on theme security

Andrew Nacin wp at andrewnacin.com
Wed Oct 20 14:08:51 UTC 2010


On Wed, Oct 20, 2010 at 9:28 AM, Gene Robinson <emhr at submersible.me> wrote:

> @Nacin - When you review Simply Works Core 1.3.3 <http://themes.trac.wordpress.org/ticket/1596>,
> I'd appreciate your going-over my previous review's suggestions
> <http://themes.trac.wordpress.org/ticket/1566>.
>

I've posted my comments to http://themes.trac.wordpress.org/ticket/1596.
Better than plenty of other things I've seen, but there's room for
improvement.

So... The stuff in Thematic -- which I'm just seeing now, after I left the
comment, so I didn't realize how much came from that -- it made me cringe.
Should receive a security audit at some point.

On the other hand, Ian's tutorial you linked to looks better than I'm seeing
in that theme. Also, I'd like to think that the Settings API should always
always be emphasized, with links to the tutorials by Ozh and Otto, over
doing it by hand. Especially when the person just copy-pasted from elsewhere
with probably limited understanding of what it all did.

Security has to do with basic fundamentals: Watch out for user input, watch
out for attributes, watch out for building SQL, watch out for authentication
and intention, etc.
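The fundamentals listed above, worked through as an added example that is not code from this thread or from any theme it mentions: a minimal theme options page built on the Settings API rather than a hand-rolled form handler. The `myth_` function prefix, the `myth_options` option name and the `tagline`/`per_page` fields are assumed placeholders.

```php
<?php
// Added example (not from the thread): theme options via the Settings API.
// Names prefixed "myth_" are assumed placeholders, not a real theme's code.

add_action( 'admin_init', 'myth_register_settings' );
function myth_register_settings() {
    // The Settings API supplies the nonce (intention) and the options.php
    // handler; the sanitize callback is the single choke point for user input.
    register_setting( 'myth_options_group', 'myth_options', 'myth_sanitize_options' );
    add_settings_section( 'myth_main', 'Display', '__return_false', 'myth-options' );
    add_settings_field( 'tagline', 'Tagline', 'myth_tagline_field', 'myth-options', 'myth_main' );
}

// User input: whitelist the keys you expect and coerce each one to its type.
function myth_sanitize_options( $input ) {
    $clean = array();
    $clean['tagline']  = sanitize_text_field( isset( $input['tagline'] ) ? $input['tagline'] : '' );
    $clean['per_page'] = max( 1, absint( isset( $input['per_page'] ) ? $input['per_page'] : 5 ) );
    return $clean;
}

// Attributes: escape at output time, with the escaper matched to the context.
function myth_tagline_field() {
    $opts = get_option( 'myth_options', array() );
    $val  = isset( $opts['tagline'] ) ? $opts['tagline'] : '';
    echo '<input type="text" name="myth_options[tagline]" value="' . esc_attr( $val ) . '" />';
}

add_action( 'admin_menu', 'myth_add_page' );
function myth_add_page() {
    // Authentication: add_theme_page() enforces the edit_theme_options capability.
    add_theme_page( 'Theme Options', 'Theme Options', 'edit_theme_options', 'myth-options', 'myth_render_page' );
}

function myth_render_page() {
    echo '<div class="wrap"><h2>Theme Options</h2><form method="post" action="options.php">';
    settings_fields( 'myth_options_group' );  // emits the nonce and option_page fields
    do_settings_sections( 'myth-options' );
    submit_button();
    echo '</form></div>';
}

// Building SQL: if a theme must query directly, go through $wpdb->prepare().
function myth_recent_titles( $per_page ) {
    global $wpdb;
    $sql = "SELECT post_title FROM {$wpdb->posts} WHERE post_status = 'publish'"
         . " AND post_type = 'post' ORDER BY post_date DESC LIMIT %d";
    return $wpdb->get_col( $wpdb->prepare( $sql, absint( $per_page ) ) );
}
```

Posting the form to options.php means WordPress, not the theme, verifies the nonce and capability before the sanitize callback ever runs, which is the reason to prefer the API over copy-pasted handlers.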