Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Escape From New York
Search
Tom J Nowell
November 01, 2015
Technology
0
710
Escape From New York
A talk on escaping and security in WordPress and PHP
Tom J Nowell
November 01, 2015
Tweet
Share
More Decks by Tom J Nowell
See All by Tom J Nowell
Using Blocks Outside The Editor
tarendai
0
960
Composer_and_WordPress__1_.pdf
tarendai
0
76
REST APIs for Absolute Beginners
tarendai
0
970
VVV 2
tarendai
0
760
WordCamp Europe 2016 - Handling Anxiety
tarendai
1
470
WP The Right Way
tarendai
0
1k
Code Deodorant 2014
tarendai
1
710
Adv WP CLI
tarendai
0
690
WP CLI
tarendai
0
650
Other Decks in Technology
See All in Technology
Goss: Faiss向けの新しい本番環境対応 Goバインディング #coefl_go_jp
bengo4com
1
1.4k
見てわかるテスト駆動開発
recruitengineers
PRO
6
2.2k
TypeScript入門
recruitengineers
PRO
33
11k
知られざるprops命名の慣習 アクション編
uhyo
11
2.8k
Understanding Go GC #coefl_go_jp
bengo4com
1
1.1k
DeNA での思い出 / Memories at DeNA
orgachem
PRO
6
1.9k
AWSで推進するデータマネジメント
kawanago
0
520
JavaScript 研修
recruitengineers
PRO
6
1.3k
実践アプリケーション設計 ③ドメイン駆動設計
recruitengineers
PRO
13
3.8k
Figma + Storybook + PlaywrightのMCPを使ったフロントエンド開発
yug1224
10
3.4k
【5分でわかる】セーフィー エンジニア向け会社紹介
safie_recruit
0
30k
実践AIガバナンス
asei
3
250
Featured
See All Featured
The Cult of Friendly URLs
andyhume
79
6.6k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
131
19k
Become a Pro
speakerdeck
PRO
29
5.5k
Side Projects
sachag
455
43k
What's in a price? How to price your products and services
michaelherold
246
12k
Building Applications with DynamoDB
mza
96
6.6k
Build your cross-platform service in a week with App Engine
jlugia
231
18k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.6k
KATA
mclloyd
32
14k
The Power of CSS Pseudo Elements
geoffreycrofte
77
5.9k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
23
1.4k
The World Runs on Bad Software
bkeepers
PRO
70
11k
Transcript
Escape From New York Tom J Nowell
Validation Sanitisation Escaping
Validation: Is this what it claims to be?
Sanitisation: Lets clean up this input
Escaping: Making output safe
WordPress.com VIP VIP Wrangler - @tarendai
'; DROP TABLE votes'
Search Results For: <?php echo $_GET[‘s’]; ?>
Search Results For: <?php echo $_GET [‘s’]; ?>
<b>Test</b>
<b>Test</b>
<script>alert(“hey”);</script>
Search Results For: <?php echo esc_html( $_GET[‘s’] ); ?>
Search Results For: <?php echo esc_html( $_GET[‘s’] ); ?>
How to Escape
Sanitize early Escape Late Escape Often
No Data is Safe
<script src='//peniscorp.com/topkek.js'> </script>
Escape Everything..?
echo $var; echo esc_html( $var );
class=”<?php echo $css; ?>” class=”<?php echo esc_attr( $css ); ?>”
href=”<?php echo $url; ?>” href=”<?php echo esc_url( $url ); ?>”
wp_kses & wp_kses_post
echo apply_filters( ‘the_content’ wp_kses_post( $content ) );
tomjn.com/escaping
WordPress.com VIP VIP Wrangler - @tarendai
automattic.com/work-with-us/vip-wrangler/
Questions? Tom J Nowell - WordPress.com VIP @tarendai - tomjn.com