The MU forums have moved to WordPress.org

Widget security (9 posts)

  1. drmike
    Member
    Posted 16 years ago #

    Just had a thought. What filters should we be sending user inputed text through for security reasons? Just thinking of those widgets I've been hacking together.

    thanks,
    -drmike

  2. quenting
    Member
    Posted 16 years ago #

    i'd be interested in that too. Typically, I recently discovered the text widget plugin allows for html code. Is that code sanitized ?

  3. drmike
    Member
    Posted 16 years ago #

    I opened up the widgets.php file and found this under the text widget:

    $newoptions[$number]['title'] = strip_tags(stripslashes($_POST["text-title-$number"]));
    $newoptions[$number]['text'] = stripslashes($_POST["text-text-$number"]);
    if ( !current_user_can('unfiltered_html') )
    $newoptions[$number]['text'] = stripslashes(wp_filter_post_kses($newoptions[$number]['text']));
    }
    if ( $options != $newoptions ) {
    $options = $newoptions;
    update_option('widget_text', $options);
    }
    $title = htmlspecialchars($options[$number]['title'], ENT_QUOTES);
    $text = htmlspecialchars($options[$number]['text'], ENT_QUOTES);

    I need to find out where the function 'wp_filter_post_kses' is as this is probbaly what we need to be doing.

    Donncha, if you read this, I would love to have an answer.

  4. andrea_r
    Moderator
    Posted 16 years ago #

    i know it strips out the php.

  5. drmike
    Member
    Posted 16 years ago #

    javascripts as well.

    We just have to find out where within the code.

  6. donncha
    Key Master
    Posted 16 years ago #

    If you pass it through wp_specialchars() then the Javascript will be nullified. Instead of executing, the code will appear because < will become &lt;
    Kses functions are in wp-includes/kses.php but I usually prefer to translate the html characters into something harmless.

  7. drmike
    Member
    Posted 16 years ago #

    But if you do that, then you would mess up the <> marks in something like a image link set inside the body of a text widget?

    I really need to sit down with post.php and walk my way though that.

  8. donncha
    Key Master
    Posted 16 years ago #

    Take a look at wp-includes/default-filters.php:

    add_filter('the_content', 'wptexturize');

    wptexturize() could be what you want!

  9. drmike
    Member
    Posted 16 years ago #

    thanks

    I just had a thought about looking at how comments are processed. That's probably where the most risk is being generated since not even site owners know what's going to be in there.

About this Topic