Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Escape From New York

Tom J Nowell
November 01, 2015
Technology
0
550

Escape From New York

A talk on escaping and security in WordPress and PHP

Tom J Nowell

November 01, 2015
Tweet

More Decks by Tom J Nowell

See All by Tom J Nowell
Using Blocks Outside The Editor
tarendai
0
610
Composer_and_WordPress__1_.pdf
tarendai
0
56
REST APIs for Absolute Beginners
tarendai
0
640
VVV 2
tarendai
0
440
WordCamp Europe 2016 - Handling Anxiety
tarendai
1
210
WP The Right Way
tarendai
0
880
Code Deodorant 2014
tarendai
1
560
Adv WP CLI
tarendai
0
520
WP CLI
tarendai
0
410

Other Decks in Technology

See All in Technology
マネジメント3.0モデル入門(120分版)
takufujii
11
2.6k
Power Automateの子フローについて
miyakemito
1
270
DevRel_Japan CONFERENCE 2023
kurotaky
1
570
DevRel/Japan CONFERENCE 2023
1ftseabass
PRO
0
410
権威DNSサービスへのDDoSと
ハイパフォーマンスなベンチマーカ / DNS Pseudo random subdomain attack and High performance Benchmarker
kazeburo
3
680
アプリケーション開発をさらに加速させるフレームワークとCI/CD技術
sbtechnight
PRO
0
330
自動運転レベル4解禁にあたり求められる遠隔監視技術
sbtechnight
PRO
0
490
全ての準備が揃ったElixirへの入門7選 @ fukuoka.ex#53
piacerex
0
370
ChatGPTにR言語を教えてもらう(仮)
doradora09
1
130
CloudFront + S3環境から Cloudflare R2 + Workers環境に移行した話
teckl
3
1.2k
売上と開発環境を同時に改善するためにPerl Webアプリケーションをどのようにリプレイスするか
masashi_sutou
0
140
Linuxのブロックデバイス
sat
PRO
4
1.5k

Featured

See All Featured
Principles of Awesome APIs and How to Build Them.
keavy
117
16k
Practical Orchestrator
shlominoach
178
9k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
657
120k
Debugging Ruby Performance
tmm1
67
11k
Raft: Consensus for Rubyists
vanstee
130
5.7k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
24
5.1k
BBQ
matthewcrist
75
8.2k
Designing the Hi-DPI Web
ddemaree
273
32k
How to train your dragon (web standard)
notwaldorf
66
4.3k
Done Done
chrislema
178
15k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
14
5.6k
A Modern Web Designer's Workflow
chriscoyier
689
180k

Transcript

  1. Escape From New York
    Tom J Nowell

    View Slide

  2. Validation
    Sanitisation
    Escaping

    View Slide

  3. Validation:
    Is this what it claims to be?

    View Slide

  4. Sanitisation:
    Lets clean up this input

    View Slide

  5. Escaping:
    Making output safe

    View Slide

  6. WordPress.com VIP
    VIP Wrangler - @tarendai

    View Slide

  7. '; DROP TABLE votes'

    View Slide

  8. Search Results For:

    View Slide

  9. Search Results For: [‘s’]; ?>

    View Slide

  10. Test

    View Slide

  11. Test

    View Slide

  12. alert(“hey”);

    View Slide

  13. Search Results For:

    View Slide

  14. Search Results For:

    View Slide

  15. How to Escape

    View Slide

  16. Sanitize early
    Escape Late
    Escape Often

    View Slide

  17. No Data is Safe

    View Slide

  18. <br/>

    View Slide

  19. Escape Everything..?

    View Slide

  20. echo $var;
    echo esc_html( $var );

    View Slide

  21. class=””
    class=””

    View Slide

  22. href=””
    href=””

    View Slide

  23. wp_kses & wp_kses_post

    View Slide

  24. echo apply_filters( ‘the_content’
    wp_kses_post( $content ) );

    View Slide

  25. tomjn.com/escaping

    View Slide

  26. WordPress.com VIP
    VIP Wrangler - @tarendai

    View Slide

  27. automattic.com/work-with-us/vip-wrangler/

    View Slide

  28. Questions?
    Tom J Nowell - WordPress.com VIP
    @tarendai - tomjn.com

    View Slide