[wp-hackers] Process and technology questionnaire

Florian Thiel flo.thiel+wphackers at googlemail.com
Tue Mar 31 12:07:37 GMT 2009

Hello again, WordPress hackers,

I'm still in the process of writing my diploma thesis on the prevention of
web application security vulnerabilities and I'd like to know a bit
about the processes of your fine project, which is not obvious from
looking at the web page.

I now that these questions may not be of concern for all developers,
but I don't just want an answer from the project lead.

It would be great if you could take a couple
of minutes and think about the questions below. The questions are
mostly open-ended. Elaborate and skip questions at will. I'd like to
get answers the community at large can live with, not single opinions.
If vastly differing
opinions turn up on certain topics, I'd like to follow up on these.

Thank you very much in advance. I will provide you with a link to the
results of my thesis when it's done.


The questions:

About technical aspects:
- Are you using a web application framework? Which one?
- Do you use explicit data modeling for all business objects in the
- Do you have a specific layers for input/output validation/filtering?
  (If applicable) What does the input/output layer do (respectively)?
  How? Are you using external libraries? Why? Why not? (for HTML
  sanitation. object-relational mappers, database abstractions with
  prepared statements)?
- (If applicable) What responsibilities do the input/output layers
  have, respectively?
- How do you ensure that all input passed through validation/
  filtering? Do you have an API that must be used?
- Do you provide services to independently developed modules/
  components? Is there a defined API?
- Which other external libraries do you use?

About the development process:
- Is there public documentation about the responsibilities of the
  input/output layers?
- Is there public documentation about *when* input/output validation/
  filtering should happen? (Like: "output filtering must always happen
  in the method that renders the data")
- Do you have automatic tests for the whole system?

Bonus question:
- Do you do manual code review?

More information about the wp-hackers mailing list