[theme-reviewers] Why themes should not use fopen?

Otto otto at ottodestruct.com
Thu May 19 15:17:14 UTC 2011


On Thu, May 19, 2011 at 9:15 AM, Satish Gandham <satish.iitg at gmail.com> wrote:
> Web user can upload files to wordpress uploads directory, is it not possible
> to treat the CSS file as the other files uploaded to uploads directory?
>
> How about making the CSS file writable without execute permissions?
>
> If images and other media can be in uploads directory, then there should be
> a way for CSS and JS to be present there without creating problems, because
> these are static files just like the images?

Images are images, they're not executable code. In the context of your
website, Javascript is executable code. CSS can contain HTML modifying
code.

If you give me the ability to write javascript into your site's code,
then it's basically game over. I can own your site.

> If there is a way to write the files as ADMIN, without write permissions to
> webuser, is method one still the best?

Yes. Method one is always the best, because it's almost always faster,
it's way simpler to do, and it doesn't incur the performance penalty
that you get with writing and reading extra files.

Dynamic data should always come from the database. A file on disk is
not a database.

-Otto
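An added illustration of the two approaches the thread contrasts, written for this page and not taken from the mailing list or from WordPress core: a theme option kept in the options table, validated on save, and printed as an inline style at request time ("method one"), with the fopen() variant shown only as a commented-out contrast. All `mytheme_` function and option names are assumed; the WordPress functions used (`register_setting`, `get_option`, `esc_attr`, `add_action`, `wp_upload_dir`) are real core APIs. The sanitize callback is a whitelist, so the stored value can only ever be a hex colour, never a stylesheet or script fragment.

```php
<?php
/*
 * Added example for a theme's functions.php (not code from the thread or
 * from WordPress core). Names prefixed "mytheme_" are assumed.
 */

// Whitelist validation: only a 3- or 6-digit hex colour survives. Anything
// else, including CSS, HTML or script text submitted through the settings
// form, is replaced by the default.
function mytheme_sanitize_color( $value ) {
    $value = trim( (string) $value );
    if ( preg_match( '/^#([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $value ) ) {
        return $value;
    }
    return '#333333';
}

// register_setting() runs the sanitize callback on every save, so the
// database never holds an unvalidated value.
function mytheme_register_settings() {
    register_setting( 'mytheme_options', 'mytheme_link_color', 'mytheme_sanitize_color' );
}
add_action( 'admin_init', 'mytheme_register_settings' );

// Method one: read the option at request time and print it inline.
// Nothing is written to disk, no directory needs to be writable by the
// web user, and the output is validated again and escaped before echo.
function mytheme_print_inline_css() {
    $color = mytheme_sanitize_color( get_option( 'mytheme_link_color', '#333333' ) );
    echo '<style type="text/css">a { color: ' . esc_attr( $color ) . "; }</style>\n";
}
add_action( 'wp_head', 'mytheme_print_inline_css' );

/*
 * For contrast only: the fopen() approach the thread argues against. It
 * requires the uploads directory to be writable by the web server user,
 * costs a disk write plus an extra HTTP request for the stylesheet, and the
 * file is served verbatim, so any CSS or script text that reaches $css is
 * delivered to every visitor.
 *
 *   $upload = wp_upload_dir();
 *   $fh = fopen( $upload['basedir'] . '/mytheme.css', 'w' );
 *   fwrite( $fh, $css );
 *   fclose( $fh );
 */
```

The inline version answers the "writable without execute permissions" question from the quoted message as well: CSS and JavaScript are never executed by the server, so filesystem execute bits do not limit them; they are interpreted by the visitor's browser, which is why the control has to be validation of the stored value rather than file permissions.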

