The MU forums have moved to WordPress.org

Widget security (9 posts)

  1. drmike
    Member
    Posted 17 years ago #

    Just had a thought. What filters should we be sending user-input text through for security reasons? Just thinking of those widgets I've been hacking together.

    thanks,
    -drmike

  2. quenting
    Member
    Posted 17 years ago #

    I'd be interested in that too. Typically, I recently discovered the text widget plugin allows for HTML code. Is that code sanitized?

  3. drmike
    Member
    Posted 17 years ago #

    I opened up the widgets.php file and found this under the text widget:

    // Title: slashes removed, then every tag stripped
    $newoptions[$number]['title'] = strip_tags(stripslashes($_POST["text-title-$number"]));
    // Body: slashes removed; HTML is kept as posted...
    $newoptions[$number]['text'] = stripslashes($_POST["text-text-$number"]);
    // ...unless the user lacks the 'unfiltered_html' capability, in which case
    // the body is run through the kses allow-list filter
    if ( !current_user_can('unfiltered_html') )
        $newoptions[$number]['text'] = stripslashes(wp_filter_post_kses($newoptions[$number]['text']));
    } // closes the enclosing form-submit check, which is not part of this excerpt
    if ( $options != $newoptions ) {
        $options = $newoptions;
        update_option('widget_text', $options);
    }
    // On output both values are escaped, so stored markup is displayed, not rendered
    $title = htmlspecialchars($options[$number]['title'], ENT_QUOTES);
    $text = htmlspecialchars($options[$number]['text'], ENT_QUOTES);

    I need to find out where the function 'wp_filter_post_kses' is, as this is probably what we need to be doing.

    Donncha, if you read this, I would love to have an answer.

  4. andrea_r
    Moderator
    Posted 17 years ago #

    I know it strips out the PHP.

  5. drmike
    Member
    Posted 17 years ago #

    JavaScript as well.

    We just have to find out where within the code.

  6. donncha
    Key Master
    Posted 17 years ago #

    If you pass it through wp_specialchars() then the JavaScript will be nullified. Instead of executing, the code will appear, because < will become &lt;.
    Kses functions are in wp-includes/kses.php, but I usually prefer to translate the HTML characters into something harmless.

  7. drmike
    Member
    Posted 17 years ago #

    But if you do that, then you would mess up the <> marks in something like an image link set inside the body of a text widget?

    I really need to sit down with post.php and walk my way through that.
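
    The trade-off raised in posts 3 to 7 (escaping neutralizes scripts but also turns an intended image tag into visible text, while an allow-list keeps wanted markup and drops the rest) can be seen side by side on one constructed widget input. The script below is an added example written for this thread; it is not code from the thread, from WordPress or from kses. It uses plain htmlspecialchars() in place of wp_specialchars() so it runs without WordPress, and its allow-list filter is a small DOMDocument-based stand-in for wp_filter_post_kses(), not the real kses implementation. It assumes PHP 7.1+ with the DOM extension.

```php
<?php
// Added example, not code from the forum thread or from WordPress.
// Compares two ways of handling the same user-supplied widget text:
//   1. escape everything (the wp_specialchars() approach from post 6)
//   2. allow-list filtering in the spirit of wp_filter_post_kses() (post 3),
//      implemented here as a simplified DOMDocument stand-in, not real kses.

// Constructed sample input: legitimate markup mixed with three XSS attempts.
$widgetText = '<p>Hello <b>world</b></p>'
    . '<img src="/logo.png" alt="logo" onerror="alert(1)">'
    . '<a href="javascript:alert(1)">click</a>'
    . '<script>alert("xss")</script>';

// Approach 1: nothing executes, but the <img> is shown as literal text,
// which is exactly the objection raised in post 7.
function escape_widget_text(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Approach 2: keep only the tags and attributes a widget legitimately needs.
// (Hypothetical allow-list chosen for this example.)
const ALLOWED = [
    'p'   => [],
    'b'   => [],
    'i'   => [],
    'img' => ['src', 'alt'],
    'a'   => ['href', 'title'],
];

function is_safe_url(string $url): bool {
    // Relative URLs and http(s) only; rejects javascript:, data:, vbscript:, ...
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false) {
        return false;
    }
    return $scheme === null || in_array(strtolower($scheme), ['http', 'https'], true);
}

function scrub(DOMNode $node): void {
    // Iterate over a snapshot: the live child list changes as nodes are removed.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset(ALLOWED[$tag])) {
                // Unknown tag: drop it with its contents, so <script>alert()</script>
                // does not leave the text "alert()" behind.
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                $disallowed = !in_array($name, ALLOWED[$tag], true)
                    || (in_array($name, ['src', 'href'], true) && !is_safe_url($attr->value));
                if ($disallowed) {
                    $child->removeAttribute($attr->name);
                }
            }
            scrub($child);
        } elseif (!($child instanceof DOMText)) {
            // Comments, processing instructions, CDATA: not needed in a widget.
            $node->removeChild($child);
        }
    }
}

function allowlist_widget_text(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    // Wrap the fragment in a container so it parses as a single tree; the
    // leading XML declaration tells libxml the input is UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="root">' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = (new DOMXPath($doc))->query('//div[@id="root"]')->item(0);
    scrub($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

echo "Escaped (approach 1):\n", escape_widget_text($widgetText), "\n\n";
echo "Allow-listed (approach 2):\n", allowlist_widget_text($widgetText), "\n";
```

    Run with `php widget-filter-demo.php`. The escaped output is one long text string in which `<img ...>` and `<script>` are visible but inert; the allow-listed output keeps `<p>Hello <b>world</b></p>`, an `<img>` with only `src` and `alt`, and an `<a>` whose `javascript:` href has been stripped, while the `<script>` element is gone entirely. The point for a widget author is the same one the thread circles around: escaping is the right choice when the value is meant to be displayed as text (a title), and an allow-list is the right choice when the value is meant to be rendered as limited HTML (a body), which is why the widgets.php excerpt in post 3 treats the two fields differently.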

  8. donncha
    Key Master
    Posted 17 years ago #

    Take a look at wp-includes/default-filters.php:

    add_filter('the_content', 'wptexturize');

    wptexturize() could be what you want!

  9. drmike
    Member
    Posted 17 years ago #

    thanks

    I just had a thought about looking at how comments are processed. That's probably where the most risk is being generated, since not even site owners know what's going to be in there.
