[theme-reviewers] Guidance on theme security
Muhammad Khairul Syahir Abdul Hakim
khairulsyahir at gmail.com
Wed Oct 20 18:55:39 UTC 2010
In a nutshell, what are the security measures that should be implemented in
an options page? All that I can think of right now are a nonce and a user
capability check. Do we really need to check user input? Considering
that the function update_option already sanitises the inputs before updating
the database...
--
Regards,
Syahir Hakim
Contact:
http://www.khairul-syahir.com
+64210333649
On 21/10/2010 5:39 AM, "Gene Robinson" <emhr at submersible.me> wrote:
There is a definite need for more quality tutorials on security with respect
to theme development. I am seeing a staggering number of tutorials for
options pages, many of which appear not to account for security.
Look at these results. A plethora of top tens and relevant tutorials vs. 51
results from a rare combination of terms.
http://www.google.com/search?q=wordpress+theme+options+tutorial+-nonce+-check_admin_referer+-current_user_can
http://www.google.com/search?q=wordpress+theme+options+tutorial+nonce+check_admin_referer+current_user_can
Even Automattic recently promoted the shared release of an insecure options
page:
http://publisherblog.automattic.com/2010/10/01/cheezcap-custom-wp-admin-panels/
As a community, we appear not to have caught up with the enhancements to
security in the core. There is much room for improvement in this area.
-Gene
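For reference, here is what the three measures discussed in this thread look like together in a minimal theme options page: a capability check, a nonce check, and per-field sanitization of what was posted before it reaches update_option(). This is an added example, not code from the thread, from either poster, or from the CheezCap page linked above. The option name example_theme_options, the function names prefixed example_theme_, and the field set are assumptions. The point it demonstrates about the last question in the thread: update_option() prepares the value for the database query (escaping, serialization of arrays), but it does not check that a URL is a URL or a count is an integer, so a theme still has to sanitize on save and escape on output.

```php
<?php
/**
 * Added example (not from the original thread): a minimal theme options page
 * that applies the three checks discussed above, in fail-closed order.
 *   1. capability check   - current_user_can( 'manage_options' )
 *   2. nonce check        - wp_nonce_field() / check_admin_referer()
 *   3. input validation   - sanitize on save, escape on output
 * The option name 'example_theme_options', the example_theme_* function
 * names and the four fields are assumptions made for this example.
 */

// Register the page under Settings. The capability given here only controls
// who sees the menu entry; the save handler below re-checks it on every POST.
add_action( 'admin_menu', 'example_theme_options_menu' );
function example_theme_options_menu() {
    add_options_page(
        'Example Theme Options',   // page title
        'Example Theme',           // menu title
        'manage_options',          // capability needed to see the menu entry
        'example-theme-options',   // menu slug
        'example_theme_options_page'
    );
}

// Sanitize each field according to the type of data it is supposed to hold.
// Anything unexpected is coerced or dropped, so the stored option is always
// well-formed regardless of what was submitted.
function example_theme_sanitize_options( $input ) {
    $clean = array();
    $clean['tagline']  = isset( $input['tagline'] )  ? sanitize_text_field( $input['tagline'] ) : '';
    $clean['feed_url'] = isset( $input['feed_url'] ) ? esc_url_raw( $input['feed_url'] )        : '';
    $clean['posts']    = isset( $input['posts'] )    ? absint( $input['posts'] )                 : 10;
    $clean['show_bio'] = ! empty( $input['show_bio'] ) ? 1 : 0;
    return $clean;
}

// Handle the POST. Check who is asking and whether the request is genuine
// before reading a single byte of the submitted values.
function example_theme_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to change these settings.' );
    }
    // Dies if the nonce field is missing, forged or expired, which stops a
    // cross-site request forged from an attacker's page even when an admin
    // is logged in.
    check_admin_referer( 'example_theme_save_options', 'example_theme_nonce' );

    $raw = isset( $_POST['example_theme_options'] ) ? (array) $_POST['example_theme_options'] : array();
    // WordPress adds magic-quotes style slashes to $_POST; strip them before sanitizing.
    $clean = example_theme_sanitize_options( stripslashes_deep( $raw ) );
    update_option( 'example_theme_options', $clean );
}

function example_theme_options_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to view these settings.' );
    }
    if ( isset( $_POST['example_theme_submit'] ) ) {
        example_theme_handle_save();
        echo '<div class="updated"><p>Options saved.</p></div>';
    }
    $opts = wp_parse_args( (array) get_option( 'example_theme_options' ), array(
        'tagline' => '', 'feed_url' => '', 'posts' => 10, 'show_bio' => 0,
    ) );
    // Every stored value is escaped again on output; sanitizing on save is
    // not a substitute for escaping in the HTML context it is printed into.
    ?>
    <div class="wrap">
        <h2>Example Theme Options</h2>
        <form method="post" action="">
            <?php wp_nonce_field( 'example_theme_save_options', 'example_theme_nonce' ); ?>
            <p><label>Tagline
                <input type="text" name="example_theme_options[tagline]"
                       value="<?php echo esc_attr( $opts['tagline'] ); ?>" /></label></p>
            <p><label>Feed URL
                <input type="text" name="example_theme_options[feed_url]"
                       value="<?php echo esc_attr( $opts['feed_url'] ); ?>" /></label></p>
            <p><label>Posts per page
                <input type="text" name="example_theme_options[posts]"
                       value="<?php echo esc_attr( $opts['posts'] ); ?>" /></label></p>
            <p><label><input type="checkbox" name="example_theme_options[show_bio]" value="1"
                       <?php checked( 1, $opts['show_bio'] ); ?> /> Show author bio</label></p>
            <p><input type="submit" class="button-primary" name="example_theme_submit" value="Save" /></p>
        </form>
    </div>
    <?php
}
```

Dropping any one of the three checks leaves a distinct hole: without the capability check any logged-in subscriber who reaches the handler can change the theme's settings; without the nonce an administrator who visits a hostile page can be made to submit the form; without the sanitizer the stored tagline or feed URL can carry markup that is only safe if every template that prints it remembers to escape it.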