Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Escape From New York

Tom J Nowell
November 01, 2015
Technology
0
660

Escape From New York

A talk on escaping and security in WordPress and PHP

Tom J Nowell

November 01, 2015
Tweet

More Decks by Tom J Nowell

See All by Tom J Nowell
Using Blocks Outside The Editor
tarendai
0
870
Composer_and_WordPress__1_.pdf
tarendai
0
68
REST APIs for Absolute Beginners
tarendai
0
910
VVV 2
tarendai
0
690
WordCamp Europe 2016 - Handling Anxiety
tarendai
1
420
WP The Right Way
tarendai
0
1k
Code Deodorant 2014
tarendai
1
680
Adv WP CLI
tarendai
0
660
WP CLI
tarendai
0
600

Other Decks in Technology

See All in Technology
Classmethod AI Talks(CATs) #16 司会進行スライド(2025.02.12) / classmethod-ai-talks-aka-cats_moderator-slides_vol16_2025-02-12
shinyaa31
0
110
Oracle Cloud Infrastructure:2025年2月度サービス・アップデート
oracle4engineer
PRO
1
220
表現を育てる
kiyou77
1
210
ユーザーストーリーマッピングから始めるアジャイルチームと並走するQA / Starting QA with User Story Mapping
katawara
0
210
君も受託系GISエンジニアにならないか
sudataka
2
430
Swiftの “private” を テストする / Testing Swift "private"
yutailang0119
0
130
PHPカンファレンス名古屋-テックリードの経験から学んだ設計の教訓
hayatokudou
2
330
あれは良かった、あれは苦労したB2B2C型SaaSの新規開発におけるCloud Spanner
hirohito1108
2
610
ビジネスモデリング道場 目的と背景
masuda220
PRO
9
540
エンジニアのためのドキュメント力基礎講座〜構造化思考から始めよう〜(2025/02/15jbug広島#15発表資料)
yasuoyasuo
17
6.8k
RECRUIT TECH CONFERENCE 2025 プレイベント【高橋】
recruitengineers
PRO
0
160
2024.02.19 W&B AIエージェントLT会 / AIエージェントが業務を代行するための計画と実行 / Algomatic 宮脇
smiyawaki0820
14
3.5k

Featured

See All Featured
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Documentation Writing (for coders)
carmenintech
67
4.6k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
7.1k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
4
330
Testing 201, or: Great Expectations
jmmastey
42
7.2k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Being A Developer After 40
akosma
89
590k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Rails Girls Zürich Keynote
gr2m
94
13k
Reflections from 52 weeks, 52 projects
jeffersonlam
348
20k

Transcript

  1. Escape From New York Tom J Nowell

  2. Validation Sanitisation Escaping

  3. Validation: Is this what it claims to be?

  4. Sanitisation: Lets clean up this input

  5. Escaping: Making output safe

  6. WordPress.com VIP VIP Wrangler - @tarendai

  7. '; DROP TABLE votes'

  8. Search Results For: <?php echo $_GET[‘s’]; ?>

  9. Search Results For: <?php echo $_GET [‘s’]; ?>

  10. <b>Test</b>

  11. <b>Test</b>

  12. <script>alert(“hey”);</script>

  13. Search Results For: <?php echo esc_html( $_GET[‘s’] ); ?>

  14. Search Results For: <?php echo esc_html( $_GET[‘s’] ); ?>

  15. How to Escape

  16. Sanitize early Escape Late Escape Often

  17. No Data is Safe

  18. <script src='//peniscorp.com/topkek.js'> </script>

  19. Escape Everything..?

  20. echo $var; echo esc_html( $var );

  21. class=”<?php echo $css; ?>” class=”<?php echo esc_attr( $css ); ?>”

  22. href=”<?php echo $url; ?>” href=”<?php echo esc_url( $url ); ?>”

  23. wp_kses & wp_kses_post

  24. echo apply_filters( ‘the_content’ wp_kses_post( $content ) );

  25. tomjn.com/escaping

  26. WordPress.com VIP VIP Wrangler - @tarendai

  27. automattic.com/work-with-us/vip-wrangler/

  28. Questions? Tom J Nowell - WordPress.com VIP @tarendai - tomjn.com