[theme-reviewers] Why Rigorous Review of Theme Functional Files is Important

Chip Bennett chip at chipbennett.net
Thu Jan 30 13:00:45 UTC 2014

Good morning, all,

Just as a reminder why it is imperative that our reviews are thorough and
complete, including a review of the Theme code and not merely a
Theme-Check/front-end review, I woke up this morning to several emails
reporting various Theme security vulnerabilities. Here's a sampling:

To reproduce:

1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php
2. Activate the theme, navigate to Theme Options, add an image logo
3. In General Options - Logo Text, enter (as is, with quotes): "
4. Visit the homepage, click on the logo, boom.

5. In Slider Options, add a slider image and use the following for the
slider text: Foo bar <script>alert('baz');</script>
6. Visit the home page, boom.

To reproduce:

1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php
2. Activate the theme, go to Appearance - Theme Settings
3. In More Text enter: <script>alert('xss');</script>
4. Visit the home page.

(you will have to have at least one post with a <!--more--> tag

To reproduce:

1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php
2. Activate the Theme, navigate to Appearance - Theme
Options - Social Netowrks Configuration
3. In Twitter URL enter: http://twitter.com/kovshenin' onclick='alert(1);'
4. Visit the home page and click the Twitter icon on the top right,
ouch. Other URL fields affected too.

5. In Layout Settings - Footer enter: <script>alert(123)</script>
6. Visit the front page, ouch

7. In Advertise Settings, Header Banner Alternative: ' onclick='alert(1)'
8. Visit the front page and click the header banner, ouch

9. In Advertise Settings, Header Banner Link: http://foo.com'
10. Visit the front page and click the banner

To reproduce:

11. In Theme Options - Integration
12. For header code: <script>alert('wow');</script>
13. Body code: <script>alert('seriously?')</script>
14. Visit the front page

To reproduce:

15. in Theme Options - Colors, go to your browser JS console and
enter: jQuery('#cwp_templates_topbar_colorid_color').val('blue;"
16. Hit save changes, visit the front page
17. The top bar is blue, try and click it. Probably all the color
fields in this theme are vulnerable to this.

That these issues are appearing is approved/live Themes is exactly the
reason that it takes so long to get through the approved-Theme queue. We
have to audit for these things, and the audits are turning into complete
re-reviews in several cases.

If you are uncomfortable with performing this level of review - first:
don't worry. We've all been there. *But the important thing is to ask for
help.* We have a team of 100 people, most/all of whom would be more than
happy to lend a hand. We've all learned from each other. Post a comment
in-ticket, or post to the mail-list, and ask for guidance. Especially when
it comes to Theme options, Theme code can get quite complex and often
difficult to follow. Understanding how the Settings API works sometimes
seems like it requires a master's degree. And developers all have different
coding styles. It's completely understandable if someone needs a second
pair of eyes when reviewing a given Theme. So please: ask for help if you
need it when reviewing.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wordpress.org/pipermail/theme-reviewers/attachments/20140130/2d9aa05a/attachment.html>

More information about the theme-reviewers mailing list