[theme-reviewers] Alternative to eval()

Edward Caissie edward.caissie at gmail.com
Fri Jul 1 21:33:44 UTC 2011


On Fri, Jul 1, 2011 at 2:23 AM, Andrew Nacin <wp at andrewnacin.com> wrote:

> Incredibly late reply on this, but I'd rather create_function() be banned
> from themes. Arbitrary PHP is insecure -- especially user-inputted PHP --
> and, keep in mind, it would make the theme insecure for multisite.
> create_function() is just as dangerous as eval() or assert() or any other
> arbitrary execution device, whether used incorrectly or maliciously.
>

Are there any other specific functions we should be looking at noting
specifically with the "Theme Check"/"uploader" script ... and eyes-on as
well? We can always add a list of functions that should not be used in
themes to the Guidelines.


Cais.
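
An added illustration of the kind of automated check asked about above (not part of the original message, and not Theme Check's own code): this PHP script uses the tokenizer to flag direct calls to the three functions named in the quoted reply, ignoring mentions in comments and strings. The helper names `neighbor()` and `find_flagged_calls()` and the sample theme source are assumptions made for the example.

```php
<?php
// Added example, not Theme Check's code; the sample source below is constructed.
const FLAGGED = ['eval', 'create_function', 'assert']; // names from the thread
// A flagged name preceded by one of these is a method call or a declaration.
const SKIP_PREV = ['T_OBJECT_OPERATOR', 'T_NULLSAFE_OBJECT_OPERATOR', 'T_DOUBLE_COLON', 'T_FUNCTION'];

// Nearest token before/after index $i, skipping whitespace and comments.
function neighbor(array $tokens, int $i, int $step)
{
    for ($j = $i + $step; isset($tokens[$j]); $j += $step) {
        if (!is_array($tokens[$j]) || !in_array($tokens[$j][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            return $tokens[$j];
        }
    }
    return null;
}

// Return [line, name] for each direct call to a flagged function.
function find_flagged_calls(string $source): array
{
    $tokens = token_get_all($source);
    $hits = [];
    foreach ($tokens as $i => $tok) {
        // eval has its own token; other names are T_STRING, or T_NAME_FULLY_QUALIFIED for "\assert" on PHP 8.
        if (!is_array($tok) || !in_array(token_name($tok[0]), ['T_EVAL', 'T_STRING', 'T_NAME_FULLY_QUALIFIED'], true)) {
            continue;
        }
        $prev = neighbor($tokens, $i, -1);
        $prevName = is_array($prev) ? token_name($prev[0]) : '';
        $name = strtolower(ltrim($tok[1], '\\'));
        if (in_array($name, FLAGGED, true) && !in_array($prevName, SKIP_PREV, true)
            && neighbor($tokens, $i, 1) === '(') {
            $hits[] = [$tok[2], $name];
        }
    }
    return $hits;
}

$sample = <<<'THEME'
<?php
// eval() appears here only in a comment
$label = "create_function in a string";
$cb = create_function('$a', 'return $a;');
eval($stored_option);
$this->assert($ok);
THEME;
foreach (find_flagged_calls($sample) as [$line, $name]) {
    printf("line %d: %s()\n", $line, $name);
}
```

A tokenizer pass only sees direct calls by name, so it complements the eyes-on review mentioned above and does not replace it.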