Code with Care Write Secure Plugins 
 and Themes Rachel Baker @rachelbaker

Follow Along https://github.com/ rachelbaker/wcstl-demo

In 2011…

I Work Here We are hiring talented designers, 
 project managers, and engineers!

XSS (Cross-Site Scripting) Cross-Site Scripting (XSS) attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Source: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

CSRF (Cross-Site Request Forgery) CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/ chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. Source: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

They Look Harmless

Back-end Attack

Front-end Attack

Step 1: Filter Input
 Step 2: Escape Output
 Step 3: Verify Data Source
 
 Step 4: Profit

Filter Input •Distrust data from any source (even yourself). •Understand the context of the data being input. •Validate your expectations, never assume. •Correct any formatting issues that may exist. •Process input filters before saving to the database. How?

Validate Input ensure the data you've requested of the user matches what they've submitted.

Sanitize Input

Location Name Input // sanitize the location name input to only allow a text string ! // and strip HTML tags.! $safe_name = sanitize_text_field( $_POST['_wcstl_name'] );
 update_post_meta( $post_id, '_wcstl_name', $safe_name );!

Location Email Input // filter then sanitize the email address input.! if ( is_email( $_POST['_wcstl_email'] ) ) {! ! $safe_email = sanitize_email( $_POST['_wcstl_email'] );
 ! update_post_meta( $post_id, '_wcstl_email', $safe_email );! }

Location Phone 
 Number Input // correct phone number input to remove any non-numerical characters.! $format_phone_input = preg_replace( "/\D+/","", $_POST['_wcstl_phone'] );! // filter any added numbers from the input.! if ( strlen( $format_phone_input ) > 10 ) {! ! $format_phone_input = substr( $format_phone_input, 0, 10 );! }! // sanitize phone number input.! $safe_phone = sanitize_text_field( $format_phone_input );
 update_post_meta( $post_id, '_wcstl_phone', $safe_phone );!

Location Address Input ! // sanitize the address text input based on $allowed_tags.! ! $safe_address = wp_filter_kses( $_POST['_wcstl_address'] );! ! ! ! update_post_meta( $post_id, '_wcstl_address', $safe_address );!

Location Description Input ! // sanitize the description HTML input based on post content HTML filter.! ! $safe_description = wp_filter_post_kses( $_POST['_wcstl_description'] );! ! ! ! update_post_meta( $post_id, '_wcstl_description', $safe_description );!

Location Map URL ! // filter any html tags then santize the url input.! ! $filter_map_url = wp_strip_all_tags( $_POST['_wcstl_map_url'] );! ! $safe_map_url = esc_url_raw( $filter_map_url );! ! ! ! update_post_meta( $post_id, '_wcstl_map_url', $safe_map_url );!

No content

•Distrust data from any source (even yourself). •Understand the context of the data being displayed. •Correct any formatting issues that may exist. •Encode data before display. How? Escape Output

Decode Encoding From < > ( ) # & "
 
 <script> <
 >
 (
 )
 #
 & "
 
 To

Display Location Name

Name:


 !

Name:

! Washington University in St. Louis!

Display Location Email

Email:


 !

Email:

! stlouis@wor dcamp.org!

Display Location Phone Number

Phone:


 !

Phone:

! 8006380700!

Display Location 
 Address

Address:


 !

One Brookings Drive
! St. Louis, MO 63130

!

Display Location Description

Description:


 ! !

Display Location 
 Map URL

Map:


 !

Map:

! https://www.google.com/maps/place/1+Brookings+Dr/ @38.652088,-90.3077647,16z/data=!4m2!3m1! 1s0x87d8cab20b777057:0xf54f7dc56315b57!

No content

Display Location Meta Boxes Source: https://github.com/rachelbaker/wcstl-demo/blob/ master/wcstl2014-secured.php#L37 function wcstl_display_location_meta_boxes( $post ) {! ! // Get all location meta values for the current post.! ! $name_value! ! = get_post_meta( $post->ID, '_wcstl_name', true );! ! $email_value! ! = get_post_meta( $post->ID, '_wcstl_email', true );! ! $phone_value! ! = get_post_meta( $post->ID, '_wcstl_phone', true );! ! $address_value! ! = get_post_meta( $post->ID, '_wcstl_address', true );! ! $description_value! = get_post_meta( $post->ID, '_wcstl_description', true );! ! $map_url_value! ! = get_post_meta( $post->ID, '_wcstl_map_url', true );! ! ! // encode text to display in rich text editor.! ! $address_value! ! = wp_richedit_pre( $address_value );! ! $description_value! = wp_richedit_pre( $description_value );! ! ! // display hidden nonce field for CSRF protection.! ! wp_nonce_field( 'wcstl_location_save_meta','wcstl_meta_nonce' );! ! ! // output Location Information meta form fields on "Edit Post" screen.! ! $location_meta_fields = '

Location Name (text string only)

! ! !

! ! ! Email Address (valid email address only)

! ! ! ! ! !

Phone Number (10 digit phone number only)

! ! ! ! ! !

Address (Basic HTML Allowed)

! ! ! ' . esc_html( $address_value ) . '! ! !

Description (Advanced HTML allowed)

! ! ! ' . esc_html( $description_value ) . ' textarea>! ! !

Map URL (url only)

! ! ! ';! ! ! echo $location_meta_fields;! }!

Verify Data Source •Create a nonce field or value anytime data will be processed from a form, AJAX request, or URL. •Check the referring source of a processing request. •Confirm the presence and validity of a nonce before processing data from a form, AJAX request, or URL. How?

Create Nonce Field Source: https://github.com/rachelbaker/wcstl-demo/blob/ master/wcstl2014-secured.php#L51 // display hidden nonce field for CSRF protection.! wp_nonce_field( 'wcstl_location_save_meta','wcstl_meta_nonce' );!

Verify Referrer and Nonce Value Source: https://github.com/rachelbaker/wcstl-demo/blob/ master/wcstl2014-secured.php#L84 // return early if nonce doesn't match.! if ( ! check_admin_referer( 'wcstl_location_save_meta', 'wcstl_meta_nonce' ) ) {! ! 
 ! return $post_id;! }!

Unsure of What to Do? Do as WP Core does! https://core.trac.wordpress.org/browser/ tags/3.8.1/src/wp-includes/default- filters.php ! https://core.trac.wordpress.org/browser/ tags/3.8.1/src/wp-includes/ formatting.php
 
 https://core.trac.wordpress.org/browser/ tags/3.8.1/src/wp-includes/kses.php

http://codex.wordpress.org/ Validating_Sanitizing_and_Escaping_User_Data
 
 http://codex.wordpress.org/Data_Validation ! https://codex.wordpress.org/WordPress_Nonces ! http://www.cgisecurity.com/xss-faq.html
 
 https://core.trac.wordpress.org/browser/tags/3.8.1/src/wp- includes/formatting.php#L0
 https://www.owasp.org/index.php/ Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)
 http://ottopress.com/2010/wp-quickie-kses/ 
 https://codex.wordpress.org/Class_Reference/ wpdb#Protect_Queries_Against_SQL_Injection_Attacks Resources

Questions? Go Cubs Rachel Baker @rachelbaker https://github.com/rachelbaker/ wcstl-demo Demo Code Slide Deck https://speakerdeck.com/ rachelbaker/code-with-care-write- secure-themes-and-plugins