Escape From New York

Tom J Nowell
November 01, 2015

A talk on escaping and security in WordPress and PHP

Transcript

  1. Escape From New York Tom J Nowell

  2. Validation, Sanitisation, Escaping

  3. Validation: Is this what it claims to be?

  5. Sanitisation: Let's clean up this input

  5. Escaping: Making output safe

  6. WordPress.com VIP VIP Wrangler - @tarendai

  7. '; DROP TABLE votes'

  8. Search Results For: <?php echo $_GET['s']; ?>

  9. Search Results For: <?php echo $_GET['s']; ?>

  10. <b>Test</b>

  11. <b>Test</b>

  12. <script>alert("hey");</script>

  13. Search Results For: <?php echo esc_html( $_GET['s'] ); ?>

  14. Search Results For: <?php echo esc_html( $_GET['s'] ); ?>

  15. How to Escape

  16. Sanitize early, escape late, escape often

  17. No Data is Safe

  18. <script src='//peniscorp.com/topkek.js'> </script>

  19. Escape Everything..?

  20. echo $var; echo esc_html( $var );

  21. class="<?php echo $css; ?>" class="<?php echo esc_attr( $css ); ?>"

  22. href="<?php echo $url; ?>" href="<?php echo esc_url( $url ); ?>"

  23. wp_kses & wp_kses_post

  24. echo apply_filters( 'the_content', wp_kses_post( $content ) );
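The search-results fix from slides 8 to 14 and the per-context escaping from slides 20 to 24, combined into one template fragment as an added example (this is not code from the talk). It assumes it runs inside a WordPress theme, so esc_html(), esc_attr(), esc_url(), wp_kses_post() and wp_unslash() are loaded; the attacker payloads and the variables $css, $url and $content are constructed stand-ins for values that would normally come from the request, the database or plugin options.

```php
<?php
/**
 * Added example, not from the original deck. One search-results template
 * that escapes every piece of output with the function matching the
 * context it lands in. Assumes the WordPress core functions are loaded.
 * $css, $url and $content are hypothetical stand-ins for stored data.
 */

// Request input: constructed payload, e.g. ?s=<script>alert("hey");</script>
$search = isset( $_GET['s'] ) ? wp_unslash( $_GET['s'] ) : '';

// Constructed "stored" values: "no data is safe" just because it came
// from the database or an options page rather than from the URL.
$css     = 'post" onmouseover="alert(1)';                            // breaks out of class="..."
$url     = 'javascript:alert(document.cookie)';                      // non-http(s) scheme
$content = '<p>Hello</p><script src="//evil.example/x.js"></script>'; // script in post HTML
?>

<!-- 1. HTML body. esc_html() turns <, >, &, " and ' into entities, so the
        <script> tag is displayed as text instead of executed. Unescaped,
        slide 12's payload would run in every visitor's browser. -->
<h1>Search Results For: <?php echo esc_html( $search ); ?></h1>

<!-- 2. Attribute value. esc_attr() encodes the double quote, so the
        injected onmouseover="..." stays inside the class value instead of
        becoming a new attribute. -->
<div class="<?php echo esc_attr( $css ); ?>">

<!-- 3. URL. esc_url() only accepts the schemes in wp_allowed_protocols();
        a javascript: URL comes back as an empty string, so href="" is
        emitted rather than a clickable script. -->
<a href="<?php echo esc_url( $url ); ?>">First result</a>

<!-- 4. Content that must keep its HTML. wp_kses_post() keeps the tags
        allowed in post content (<p>, <a>, <strong>, ...) and strips the
        <script> element; the the_content filter (wpautop, shortcodes, ...)
        then runs on the already-filtered string, as on slide 24. -->
<?php echo apply_filters( 'the_content', wp_kses_post( $content ) ); ?>
</div>
```

The point of the four contexts is that the escaping function is chosen by where the value is written, not by where it came from: esc_html() would not stop the attribute breakout in case 2 on its own if the value were echoed unquoted, and neither esc_html() nor esc_attr() rejects a javascript: scheme, which is why case 3 needs esc_url().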

  25. tomjn.com/escaping

  26. WordPress.com VIP VIP Wrangler - @tarendai

  27. automattic.com/work-with-us/vip-wrangler/

  28. Questions? Tom J Nowell - WordPress.com VIP @tarendai - tomjn.com