[wp-hackers] the template tags and their default safe contexts

Nikola Nikolov nikolov.tmw at gmail.com
Mon Feb 17 18:17:08 UTC 2014


I guess that would be a good place to start, with suggestions on what to use
in the contexts where it's not safe.


On Mon, Feb 17, 2014 at 5:08 PM, Haluk Karamete <halukkaramete at gmail.com> wrote:

> Nikola, thank you for your reply.
> I think it would be necessary to create a matrix and keep it handy...
> sort of like...
>
> template tag    safe-in-HTML   safe-in-JS   safe-in-Attr   safe-in-Textarea   safe-in-HREF   etc...
> -----------------------------------------------------------------------------------------------
> the_title()     TRUE           FALSE        FALSE          FALSE              FALSE
>
>
>
>
> On Sun, Feb 16, 2014 at 12:24 PM, Nikola Nikolov <nikolov.tmw at gmail.com> wrote:
>
> > Hi Haluk,
> >
> > I see your point there and I guess that it's a matter of experience and
> > being aware of things.
> > Like being aware that using the_title() is not safe to use within HTML
> > attribute values, and knowing that you should instead use esc_attr(
> > get_the_title() ) - note the use of get_the_title() - using just
> > the_title() won't work, since it will output it and not return it :)
> >
> > If you are aware of the escaping functions and in which cases they should
> > be used, then that should give you a pretty good start. For instance, if
> > you want to escape text that will go in a textarea, you use esc_textarea().
> >
> > The best thing to do in my opinion when writing a theme or a plugin
> > template is to use the correct escaping methods. This way I think that
> > there are higher chances for the user to keep the escaping functions in
> > place even if they tweak something on the template.
> >
> >
> > On Sun, Feb 16, 2014 at 9:49 PM, Haluk Karamete <halukkaramete at gmail.com> wrote:
> >
> > > Right off the bat, I'd like to express that this post of mine is not a
> > > criticism of the current system, whatsoever. I know security is a
> > > complex matter.
> > > I'm only trying to get the hang of the issue I will be trying to point
> > > out below to pick your brains for ideas. That's all there is to it.
> > >
> > > Having said that...  here we go.
> > >
> > > To make my point, I will just pick the template tag the_title().
> > >
> > > The the_title() outputs the title.
> > >
> > > And it's very easy to learn this fact, thanks to the codex and the
> > > countless articles that are out there.
> > >
> > > Since it's a WordPress core function, it's also pretty human to think
> > > that it should be safe to use it as is. At least, I would not blame the
> > > many who think so, from the get-go.
> > >
> > > But the fact of the matter is HTML is a complex thing. And dealing with
> > > XSS or simply writing valid HTML is even more complex. And most people can
> > > easily get lost in this.
> > >
> > > Take a look at this piece for instance...
> > >
> > > It uses the_title() in straightforward HTML.
> > >
> > > <a href="#" title="<?php the_title(); ?>"><?php the_title(); ?></a>
> > >
> > > The question is - Is it safe?
> > >
> > > Obviously not...
> > >
> > > Well, it is 50% secure. :)
> > >
> > > The part within the HTML context ( which will eventually be falling in
> > > between > and < ) is fine but the attribute part ( which will be
> > > falling into title=" and " ) is not.
> > >
> > > The the_title() call within the title attribute above is like a
> > > military mine which is waiting to detonate for the wrong title.
> > >
> > > Considering so many different contexts, and so many template tags and
> > > so many esc_ functions, and millions of people out there, what do we do?
> > > or should do?
> > >
> > > And what do you guys do to sort out this kind of matter when writing your
> > > own template files that output stuff? What handle or conventions do you
> > > use?
> > >
> > > obviously, we do not have
> > > the_title_js()
> > > the_title_attr() and
> > > the_title_html() versions for each and every template tag - which would
> > > follow the esc_API context conventions in a one to one fashion ) as
> > > Mark demonstrates here->
> > > http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/
> > >
> > > I do know the fact that here, we have "the_title_attribute()" available
> > > to us, but hey, you just have to know that.
> > >
> > > What if I needed to use the_title() within a javascript context as
> > > below. Which way do I go about it - and how do I know which one would
> > > be all right?
> > > Stackoverflow it?
> > >
> > > <script>
> > > $the_title = '<?php the_title();?>';
> > > $the_title = '<?php esc_js(the_title());?>';
> > > $the_title = '<?php the_title_attribute();?>';
> > > $the_title = '<?php esc_js(the_title_attribute());?>';
> > > </script>
> > >
> > > Is the only way to sort this out to know each-and-every-template_tag
> > > and their safe output contexts? Or are there tips or conventions you guys
> > > use to sort these things in a convenient way?
> > >
> > > I'm just curious.
> > > _______________________________________________
> > > wp-hackers mailing list
> > > wp-hackers at lists.automattic.com
> > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > >
>
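Added example, not part of the thread and not WordPress core code: one post title rendered in each of the contexts the matrix above lists (HTML body, attribute, href, textarea, JavaScript string), using the WordPress esc_* function that matches each context. It assumes a theme template executing inside The Loop, so get_the_title() and get_permalink() return the current post's raw values; the sample title in the comment is constructed.

```php
<?php
// Assumed context: a WordPress theme template inside The Loop.
// get_the_title() RETURNS the raw title; the_title() ECHOES it, which is why
// esc_js( the_title() ) cannot work - the title is printed before esc_js()
// ever receives anything (it gets null).
$title = get_the_title();
$link  = get_permalink();

// Constructed title that breaks every unescaped context below:
//   Rock & Roll "Tour" <script>alert(1)</script>
?>

<!-- HTML body context: esc_html() encodes < > & " ' -->
<h1><?php echo esc_html( $title ); ?></h1>

<!-- HTML attribute + href contexts:
     esc_attr() around the returned string, or the_title_attribute(), which
     strips tags, escapes for an attribute and echoes in one step;
     esc_url() for anything that lands in href/src. -->
<a href="<?php echo esc_url( $link ); ?>" title="<?php echo esc_attr( $title ); ?>">
    <?php echo esc_html( $title ); ?>
</a>
<img src="<?php echo esc_url( $link ); ?>" alt="<?php the_title_attribute(); ?>">

<!-- textarea context: esc_textarea() encodes entities so a closing
     </textarea> in the value cannot end the element early. -->
<textarea name="post_title"><?php echo esc_textarea( $title ); ?></textarea>

<!-- JavaScript string context: esc_js() is meant for a single-quoted JS
     string; it HTML-encodes < and > and escapes quotes and newlines, so the
     value can neither break out of the quotes nor close the <script> tag. -->
<script>
    var postTitle = '<?php echo esc_js( $title ); ?>';
    // Inserting it back into the DOM as text, not markup, keeps it inert.
    document.getElementById( 'title-target' ).textContent = postTitle;
</script>
<p id="title-target"></p>
```

The recurring rule is the one Nikola states: escape the returned value (get_the_title()) with the function for the context you are writing into, as late as possible, at the point of output. For larger data handed to scripts, wp_localize_script() is the core mechanism for passing a PHP array into a JavaScript variable without hand-building string literals in a template.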

