Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Escape From New York

Tom J Nowell
November 01, 2015
Technology
0
610

Escape From New York

A talk on escaping and security in WordPress and PHP

Tom J Nowell

November 01, 2015
Tweet

More Decks by Tom J Nowell

See All by Tom J Nowell
Using Blocks Outside The Editor
tarendai
0
710
Composer_and_WordPress__1_.pdf
tarendai
0
61
REST APIs for Absolute Beginners
tarendai
0
760
VVV 2
tarendai
0
530
WordCamp Europe 2016 - Handling Anxiety
tarendai
1
330
WP The Right Way
tarendai
0
940
Code Deodorant 2014
tarendai
1
610
Adv WP CLI
tarendai
0
580
WP CLI
tarendai
0
470

Other Decks in Technology

See All in Technology
Hands-on / Kaname Frusawa / Cloud Compare Users Meetup 2024 at University of Tokyo on April 17
paraworld
2
470
DevOpsメトリクスとアウトカムの接続にトライ!開発プロセスを通して計測できるメトリクスの活用方法
ham0215
0
170
Postman v10リリース後を振り返る
nagix
0
120
"好き"との生活/Regularly update profile with GitHub Actions
judeeeee
0
150
最近たまに見かけるTiDBってなんだ? - Findy
pingcap0315
2
490
「共通基盤」を超えよ! 今、Platform Engineeringに取り組むべき理由
jacopen
25
5.7k
スタートアップの技術顧問を3年間続けて発生した事と気付き
biwakonbu
0
150
株式会社EventHub・エンジニア採用資料
eventhub
0
1.9k
**強い**エンジニアのなり方 - フィードバックサイクルを勝ち取る / grow one day each day
soudai
60
17k
SREとその組織類型
tatsuo48
8
1.5k
自動生成を活用した、運用保守コストを抑える Error/Alert/Runbook の一元集約管理 / Centralized management of Error/Alert/Runbook to minimize operational costs using automated code generation
biwashi
9
2.1k
Tebiki株式会社 エンジニア採用資料
tebiki
0
4.1k

Featured

See All Featured
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
Code Review Best Practice
trishagee
54
15k
The Invisible Side of Design
smashingmag
293
49k
Stop Working from a Prison Cell
hatefulcrawdad
265
19k
Documentation Writing (for coders)
carmenintech
59
3.9k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
2.3k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
272
13k
Automating Front-end Workflow
addyosmani
1354
200k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
Mobile First: as difficult as doing things right
swwweet
216
8.6k

Transcript

  1. Escape From New York Tom J Nowell

  2. Validation Sanitisation Escaping

  3. Validation: Is this what it claims to be?

  4. Sanitisation: Lets clean up this input

  5. Escaping: Making output safe

  6. WordPress.com VIP VIP Wrangler - @tarendai

  7. '; DROP TABLE votes'

  8. Search Results For: <?php echo $_GET[‘s’]; ?>

  9. Search Results For: <?php echo $_GET [‘s’]; ?>

  10. <b>Test</b>

  11. <b>Test</b>

  12. <script>alert(“hey”);</script>

  13. Search Results For: <?php echo esc_html( $_GET[‘s’] ); ?>

  14. Search Results For: <?php echo esc_html( $_GET[‘s’] ); ?>

  15. How to Escape

  16. Sanitize early Escape Late Escape Often

  17. No Data is Safe

  18. <script src='//peniscorp.com/topkek.js'> </script>

  19. Escape Everything..?

  20. echo $var; echo esc_html( $var );

  21. class=”<?php echo $css; ?>” class=”<?php echo esc_attr( $css ); ?>”

  22. href=”<?php echo $url; ?>” href=”<?php echo esc_url( $url ); ?>”

  23. wp_kses & wp_kses_post

  24. echo apply_filters( ‘the_content’ wp_kses_post( $content ) );

  25. tomjn.com/escaping

  26. WordPress.com VIP VIP Wrangler - @tarendai

  27. automattic.com/work-with-us/vip-wrangler/

  28. Questions? Tom J Nowell - WordPress.com VIP @tarendai - tomjn.com