[theme-reviewers] Emergency Call
Austin Matzko
austin at pressedcode.com
Fri Sep 3 14:53:50 UTC 2010
On Fri, Sep 3, 2010 at 9:39 AM, Chip Bennett <chip at chipbennett.net> wrote:
> Is fancy background image processing useful enough to warrant not
> implementing a universal prohibition of such dangerous PHP commands?
> (I'd say that I lean toward "no"; but I'm not one to use such "fancy"
> processing and the like in a Theme.)
There are too many potentially dangerous PHP functions to prohibit all
of them. A better, general solution is just to flag or score
potentially problematic themes rather than rejecting the theme
outright from keywords--instead, do what spam filters do. After all,
even base64_decode has legit uses (HTTP authentication, for example).
A clever and malicious theme dev could use WP's built-in filesystem
API and avoid getting flagged from calling the PHP functions directly,
anyways.
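A sketch of the score-rather-than-reject approach described above, as an added example that is not code from the thread or from the theme-review tooling; the weights, thresholds, regexes and sample theme snippets are assumed for illustration.

```python
import re
from collections import Counter

# Assumed, illustrative weights (not the theme-review team's real rules):
# low for calls with everyday legitimate uses, high for direct code execution.
WEIGHTS = {"eval": 10, "create_function": 8, "system": 8, "exec": 8,
           "shell_exec": 8, "passthru": 8, "file_put_contents": 4,
           "fwrite": 3, "curl_exec": 2, "base64_decode": 2, "gzinflate": 3}
WP_FS_WEIGHT = 3  # writes via WP's own filesystem API, which the post mentions
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
WP_FS_RE = re.compile(r"\$wp_filesystem\s*->\s*(put_contents|delete|move|copy)\s*\(")
DECODE_INTO_EXEC_RE = re.compile(
    r"\b(eval|create_function)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")
# Crude comment stripping; a production scanner should tokenize the PHP instead.
COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)

def score_php(source):
    """Return (score, Counter of flagged calls) for one PHP source string."""
    code = COMMENT_RE.sub("", source)
    hits = Counter(n for n in CALL_RE.findall(code) if n in WEIGHTS)
    fs_writes = len(WP_FS_RE.findall(code))
    if fs_writes:
        hits["$wp_filesystem->write"] = fs_writes
    score = sum(WEIGHTS.get(n, WP_FS_WEIGHT) * c for n, c in hits.items())
    # A decoder fed straight into an executor is the classic obfuscation
    # shape: the combination rates far higher than the sum of its parts.
    if DECODE_INTO_EXEC_RE.search(code):
        hits["decode->exec"] += 1
        score += 20
    return score, hits

def verdict(score):
    if score >= 20:  # assumed thresholds: human review long before rejection
        return "reject"
    return "review" if score >= 5 else "pass"

def score_theme(files):
    """files: {path: php_source}. Returns theme-wide score, hits and verdict."""
    total, hits = 0, Counter()
    for src in files.values():
        s, h = score_php(src)
        total, hits = total + s, hits + h
    return {"score": total, "hits": dict(hits), "verdict": verdict(total)}

# Constructed samples: a legitimate base64_decode (HTTP Basic auth, as the post
# mentions) versus a decoded blob executed and then written to disk.
LEGIT = "<?php\n$cred = base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6));\n"
SUSPECT = ("<?php\neval(base64_decode($blob));\n"
           "$wp_filesystem->put_contents($target, $code);\n")
```

The legitimate auth snippet lands at a low score and passes, while the decode-into-eval pattern is driven over the rejection threshold by the combination bonus rather than by any single keyword.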