Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Escape From New York

Tom J Nowell
November 01, 2015
Technology
0
660

Escape From New York

A talk on escaping and security in WordPress and PHP

Tom J Nowell

November 01, 2015
Tweet

More Decks by Tom J Nowell

See All by Tom J Nowell
Using Blocks Outside The Editor
tarendai
0
830
Composer_and_WordPress__1_.pdf
tarendai
0
68
REST APIs for Absolute Beginners
tarendai
0
880
VVV 2
tarendai
0
670
WordCamp Europe 2016 - Handling Anxiety
tarendai
1
410
WP The Right Way
tarendai
0
990
Code Deodorant 2014
tarendai
1
670
Adv WP CLI
tarendai
0
640
WP CLI
tarendai
0
580

Other Decks in Technology

See All in Technology
C++26 エラー性動作
faithandbrave
2
700
フロントエンド設計にモブ設計を導入してみた / 20241212_cloudsign_TechFrontMeetup
bengo4com
0
1.9k
ブラックフライデーで購入したPixel9で、Gemini Nanoを動かしてみた
marchin1989
1
520
Storage Browser for Amazon S3
miu_crescent
1
140
終了の危機にあった15年続くWebサービスを全力で存続させる - phpcon2024
yositosi
0
280
Wantedly での Datadog 活用事例
bgpat
1
430
アップデート紹介:AWS Data Transfer Terminal
stknohg
PRO
0
180
組織に自動テストを書く文化を根付かせる戦略(2024冬版) / Building Automated Test Culture 2024 Winter Edition
twada
PRO
13
3.6k
権威ドキュメントで振り返る2024 #年忘れセキュリティ2024
hirotomotaguchi
2
730
サーバレスアプリ開発者向けアップデートをキャッチアップしてきた #AWSreInvent #regrowth_fuk
drumnistnakano
0
190
非機能品質を作り込むための実践アーキテクチャ
knih
3
950
プロダクト開発を加速させるためのQA文化の築き方 / How to build QA culture to accelerate product development
mii3king
1
260

Featured

See All Featured
Done Done
chrislema
181
16k
Building an army of robots
kneath
302
44k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
The Language of Interfaces
destraynor
154
24k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
26
1.9k
GraphQLとの向き合い方2022年版
quramy
44
13k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Visualization
eitanlees
146
15k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
1.2k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
A Philosophy of Restraint
colly
203
16k

Transcript

  1. Escape From New York Tom J Nowell

  2. Validation Sanitisation Escaping

  3. Validation: Is this what it claims to be?

  4. Sanitisation: Lets clean up this input

  5. Escaping: Making output safe

  6. WordPress.com VIP VIP Wrangler - @tarendai

  7. '; DROP TABLE votes'

  8. Search Results For: <?php echo $_GET[‘s’]; ?>

  9. Search Results For: <?php echo $_GET [‘s’]; ?>

  10. <b>Test</b>

  11. <b>Test</b>

  12. <script>alert(“hey”);</script>

  13. Search Results For: <?php echo esc_html( $_GET[‘s’] ); ?>

  14. Search Results For: <?php echo esc_html( $_GET[‘s’] ); ?>

  15. How to Escape

  16. Sanitize early Escape Late Escape Often

  17. No Data is Safe

  18. <script src='//peniscorp.com/topkek.js'> </script>

  19. Escape Everything..?

  20. echo $var; echo esc_html( $var );

  21. class=”<?php echo $css; ?>” class=”<?php echo esc_attr( $css ); ?>”

  22. href=”<?php echo $url; ?>” href=”<?php echo esc_url( $url ); ?>”

  23. wp_kses & wp_kses_post

  24. echo apply_filters( ‘the_content’ wp_kses_post( $content ) );

  25. tomjn.com/escaping

  26. WordPress.com VIP VIP Wrangler - @tarendai

  27. automattic.com/work-with-us/vip-wrangler/

  28. Questions? Tom J Nowell - WordPress.com VIP @tarendai - tomjn.com