[theme-reviewers] Guidance on theme security

Jeremy Clark jeremy at clark-technet.com
Wed Oct 20 19:11:25 UTC 2010

Update_options doesn't sanitize the input it just encodes it properly
for insertion into the database.  Sanitation involves making sure that
options that are meant to be numbers don't have letters, and vice
versa.  Also if storing text that shouldn't contain html that it
doesn't have html tags.  Also making sure that if an option that only
has a set number of valid values doesn't contain anything else.

It's very easy to use firebug or any other web developer
plugin/toolbar to modify a dropdown box with a new item and then
submit the form.  But if all the valid values for that dropdown box
are in an array and the data is checked against it before writing to
the database then that can't happen.

This is a good resource for all the sanitation functions for
wordpress: http://codex.wordpress.org/Data_Validation

On Wed, Oct 20, 2010 at 2:55 PM, Muhammad Khairul Syahir Abdul Hakim
<khairulsyahir at gmail.com> wrote:
> In a nutshell, what are the security measures that should be implemented in
> an options page? All that I can think of right now are nonce and user
> capability check. Do we really need to check for user input? Considering
> that the function update_option already sanitise the inputs before updating
> the database...
> --
> Regards,
> Syahir Hakim
> Contact:
> http://www.khairul-syahir.com
> +64210333649
> On 21/10/2010 5:39 AM, "Gene Robinson" <emhr at submersible.me> wrote:
> There is a definite need for more quality tutorials on security with respect
> to theme development. I am seeing a staggering number of tutorials for
> options pages many of which appear to not account security.
> Look at these results. A plethora of top tens and relevant tutorials vs. 51
> results from a rare combinations of terms.
> http://www.google.com/search?q=wordpress+theme+options+tutorial+-nonce+-check_admin_referer+-current_user_can
> http://www.google.com/search?q=wordpress+theme+options+tutorial+nonce+check_admin_referer+current_user_can
> Even Automattic recently promoted the shared release of an insecure options
> page:
> http://publisherblog.automattic.com/2010/10/01/cheezcap-custom-wp-admin-panels/
> As a community, we appear not to have caught up with the enhancements to
> security in the core. There is much room for improvement in this area.
> -Gene
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.w...
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers

More information about the theme-reviewers mailing list