[wp-hackers] the template tags and their default safe contexts

Nikola Nikolov nikolov.tmw at gmail.com
Sun Feb 16 20:24:57 UTC 2014


Hi Haluk,

I see your point there and I guess that it's a matter of experience and
being aware of things.
Like being aware that the_title() is not safe to use within HTML
attribute values. And knowing that you should instead use esc_attr(
get_the_title() ) - note the use of get_the_title() - using just
the_title() won't work, since it will output it and not return it :)

If you are aware of the escaping functions and in which cases they should
be used, then that should give you a pretty good start. For instance if you
want to escape text that will go in a textarea, you use esc_textarea().

The best thing to do in my opinion when writing a theme or a plugin
template is to use the correct escaping methods. This way I think that
there are higher chances for the user to keep the escaping functions in
place even if they tweak something on the template.


On Sun, Feb 16, 2014 at 9:49 PM, Haluk Karamete <halukkaramete at gmail.com> wrote:

> Right off the bat, I'd like to express that this post of mine is not a
> criticism of the current system, whatsoever. I know security is a complex
> matter.
> I'm only trying to get the hang of the issue I will be trying to point out
> below to pick your brains for ideas. That's all there is to it.
>
> Having said that...  here we go.
>
> To make my point, I will just pick the template tag the_title().
>
> The the_title() outputs the title.
>
> And it's very easy to learn this fact, thanks to the codex and the
> countless articles that are out there.
>
> Since it's a WordPress core function, it's also pretty human to think that
> it should be safe to use it as is. At least, I would not blame the many
> who think so, from the get-go.
>
> But the fact of the matter is HTML is a complex thing. And dealing with XSS
> or simply writing valid HTML is even more complex. And most people can
> easily get lost in this.
>
> Take a look at this piece for instance...
>
> It uses the_title() in a straightforward HTML.
>
> <a href="#" title="<?php the_title(); ?>"><?php the_title(); ?></a>
>
> The question is - Is it safe?
>
> Obviously not...
>
> Well, it is 50% secure. :)
>
> The part within the HTML context ( which will eventually be falling in
> between > and < ) is fine but the attribute part ( which will be falling
> into title=" and " ) is not.
>
> The the_title() call within the title attribute above is like a military
> mine which is waiting to detonate for the wrong title.
>
> Considering so many different contexts, and so many template_tags and so
> many esc_ functions, and millions of people out there, what do we do? or
> should do?
>
> And what do you guys do to sort this kind of matter when writing your own
> template files that output stuff? What handle or conventions do you use?
>
> Obviously, we do not have
> the_title_js()
> the_title_attr() and
> the_title_html() versions for each and every template tag ( which would
> follow the esc_API context conventions in a one to one fashion ) as Mark
> demonstrates here->
> http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/
>
> I do know the fact that here, we have "the_title_attribute()" available to
> us, but hey, you just have to know that.
>
> What if, I needed to use the the_title() within a javascript context as
> below. Which way do I go about it - and how do I know  which one would be
> all right?
> Stackoverflow it?
>
> <Script>
> $the_title = '<?php the_title();?>';
> $the_title = '<?php esc_js(the_title());?>';
> $the_title = '<?php the_title_attribute();?>';
> $the_title = '<?php esc_js(the_title_attribute());?>';
> </script>
>
> Is the only way to sort this out to know each-and-every-template_tag and
> their safe output contexts? Or are there tips or conventions you guys use
> to sort these things in a convenient way?
>
> I'm just curious.
>
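The output contexts discussed in this thread, side by side, as an added example that is not part of the original messages: a theme template fragment that prints the post title into an HTML body, an attribute, a textarea and an inline script, each with the matching escaping function. It assumes it runs inside The Loop of a WordPress theme; the `example_title` field name and `theTitle` variable are made up for illustration.

```php
<?php
/*
 * Added example (not from the thread). Assumes this fragment runs inside
 * The Loop, so get_the_title() and get_permalink() refer to the current post.
 *
 * Pattern: fetch the value with the get_*() variant (it returns instead of
 * echoing), escape it for the context it is printed into, then echo.
 */
$title = get_the_title();
?>

<!-- HTML body context: text between tags -->
<h2><?php echo esc_html( $title ); ?></h2>

<!-- HTML attribute context: inside title="..." -->
<a href="<?php echo esc_url( get_permalink() ); ?>"
   title="<?php echo esc_attr( $title ); ?>">
	<?php echo esc_html( $title ); ?>
</a>

<!-- the_title_attribute() echoes a title already prepared for an attribute -->
<a href="<?php echo esc_url( get_permalink() ); ?>"
   title="<?php the_title_attribute(); ?>">
	<?php echo esc_html( $title ); ?>
</a>

<!-- Textarea context -->
<textarea name="example_title"><?php echo esc_textarea( $title ); ?></textarea>

<script>
// JavaScript string context: esc_js() is written for single-quoted strings.
var theTitle = '<?php echo esc_js( $title ); ?>';
</script>

<?php
/*
 * Why wrapping the echoing tag does not help:
 *   esc_js( the_title() );
 * the_title() prints the raw title first and returns nothing, so esc_js()
 * receives an empty value and its result is never echoed anyway.
 */
```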

