[theme-reviewers] Formatting functions and parsing

Thu Aug 11 13:15:55 UTC 2011

The $truncate example you give, IMHO, should be replaced entirely with
get_the_excerpt(). It appears to be purely a reinvention of the post-excerpt
wheel.

I assume you're going to point out all the issues with the Theme's options
implementation (the first thing that jumps out is that the Theme is not
using a single array to store its options)?

I don't think that stripslashes() is sufficient here:

<?php echo stripslashes( get_option('tt_google_analytics') ); ?>

This should be an esc_js() or esc_html() or whatever, as appropriate for the
data being output.

A data validation/sanitization/escaping blog post is on my to-do list. I
just haven't had the time yet. I would *strongly* recommend this
presentation by Mark Jaquith:
http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/

(Any blog post I write will be consistent with what Mark presents - and
IMHO, if Mark Jaquith presents it as recommended practice, then I would take
that recommendation as a best practice.)

Chip

On Thu, Aug 11, 2011 at 8:06 AM, Mario Peshev <mario at peshev.net> wrote:

> Hi Chip,
>
> The most common example is using stripslashes (sample here
> http://themes.svn.wordpress.org/ttblog/1.0.2/header.php), also, the
> functions.php of the same theme uses:
>
> $truncate = preg_replace('@<script[^>]*?>.*?</script>@si', '', $truncate);
>
> I think this could also be handled (or maybe not), there are trim,
> htmlentities and similar functions used in themes. I am interested in
> functions such as wp_kses -
> http://codex.wordpress.org/Function_Reference/wp_kses - as they seem
> multifunctional to me. I was wondering if any of you has posted the
> 'formatting and security best practices and top functions' or something like
> this compared to plain PHP solutions.
>
> Thanks in advance. :)
>
> Mario Peshev
> freelance software developer/trainer
> http://www.linkedin.com/in/mpeshev
> http://peshev.net/blog
>
>
>
> On Thu, Aug 11, 2011 at 3:57 PM, Chip Bennett <chip at chipbennett.net>wrote:
>
>> Mario,
>>
>> The only "dummy" question is the one that remains unasked. :)
>>
>> Can you provide a more specific example? Perhaps a ticket or something,
>> that uses the function(s) in question?
>>
>> In general, though, IMHO, it is *always* preferable to use a core WP
>> function for content filtering and/or untrusted data
>> sanitization/validation.
>>
>> Chip
>>
>>  On Thu, Aug 11, 2011 at 7:53 AM, Mario Peshev <mario at peshev.net> wrote:
>>
>>>  Hello Reviewers,
>>>
>>> I'm not that well acquainted with security in PHP and WP so it might be a
>>> bit dummy question, but I have tough time following the parsing and
>>> formatting practices in WP themes. Since there is a Formatting section in WP
>>> function list -
>>> http://codex.wordpress.org/Function_Reference#Formatting_Functions , and
>>> some of the functions seem pretty similar to the same function names in PHP,
>>> what is the rule and is it required for the WP functions to be used instead,
>>> are they always better than plain PHPs?
>>>
>>> Mario Peshev
>>> freelance software developer/trainer
>>> http://www.linkedin.com/in/mpeshev
>>> http://peshev.net/blog
>>>
>>>
>>> _______________________________________________
>>> theme-reviewers mailing list
>>> theme-reviewers at lists.wordpress.org
>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>
>>>
>>
>> _______________________________________________
>> theme-reviewers mailing list
>> theme-reviewers at lists.wordpress.org
>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>
>>
>
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wordpress.org/pipermail/theme-reviewers/attachments/20110811/9d40391b/attachment-0001.htm>