[theme-reviewers] Settings API and User-Defined Javascript

Chip Bennett chip at chipbennett.net
Fri Feb 17 03:42:30 UTC 2012


The Settings API doesn't currently do *any* sanitization/validation on its
own; it simply provides a callback in which the Theme developer can define
the sanitization/validation functions.

So, you need to make sure that the callback defined in register_setting()
properly sanitizes the javascript passed into it, and that the Theme
properly escapes the javascript on output in the template.

Chip
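Added example in PHP (not code from the reviewed theme or from WordPress itself; the option name mytheme_custom_js, the option group and the function names are assumed): the register_setting() callback is the only place the submitted script gets checked, so it restricts saving to users who already hold the unfiltered_html capability and refuses any value that could terminate the script element it will later be printed into.

```php
<?php
// Added example: Settings API registration for a theme option holding
// user-defined JavaScript. Option, group and function names are assumed.

add_action( 'admin_init', 'mytheme_register_custom_js_setting' );
function mytheme_register_custom_js_setting() {
    // The third argument is the sanitization callback. The Settings API
    // does nothing to the value itself; this callback is the only check
    // between the submitted form field and the database.
    register_setting( 'mytheme_options', 'mytheme_custom_js', 'mytheme_sanitize_custom_js' );
}

function mytheme_sanitize_custom_js( $input ) {
    $previous = get_option( 'mytheme_custom_js', '' );

    // Arbitrary script cannot be made safe by filtering, so only users
    // WordPress already trusts with unfiltered HTML may store it.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        add_settings_error( 'mytheme_custom_js', 'mytheme_custom_js_cap',
            __( 'You are not allowed to save custom JavaScript.', 'mytheme' ), 'error' );
        return $previous; // keep whatever was saved before
    }

    $js = trim( (string) $input );

    // The stored code is printed inside a <script> element, so the one
    // thing it must never contain is a closing script tag, which would end
    // that element and let whatever follows be parsed as HTML.
    if ( false !== stripos( $js, '</script' ) ) {
        add_settings_error( 'mytheme_custom_js', 'mytheme_custom_js_tag',
            __( 'Custom JavaScript may not contain a closing script tag.', 'mytheme' ), 'error' );
        return $previous;
    }

    return $js;
}

add_action( 'wp_head', 'mytheme_print_custom_js' );
function mytheme_print_custom_js() {
    $js = get_option( 'mytheme_custom_js', '' );

    // HTML escaping (esc_html etc.) would corrupt code inside a script body,
    // so the output-side check repeats the save-side rule instead: never print
    // a value that could terminate the element, whichever path wrote it.
    if ( '' === $js || false !== stripos( $js, '</script' ) ) {
        return;
    }
    echo "<script type=\"text/javascript\">\n" . $js . "\n</script>\n";
}
```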

On Thu, Feb 16, 2012 at 8:50 PM, Vicky Arulsingam <
vicky.arulsingam at gmail.com> wrote:

> The theme I'm reviewing: http://themes.trac.wordpress.org/ticket/6565
> has theme options that allow the user to define their own javascript code.
> By virtue of using Settings API, is a theme protected against XSS
> vulnerabilities?
> Are there any functions that can be used to sanitize javascript?
>
> -----
> Vicky Arulsingam
>

