Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Escape From New York

Tom J Nowell
November 01, 2015
Technology
0
670

Escape From New York

A talk on escaping and security in WordPress and PHP

Tom J Nowell

November 01, 2015
Tweet

More Decks by Tom J Nowell

See All by Tom J Nowell
Using Blocks Outside The Editor
tarendai
0
890
Composer_and_WordPress__1_.pdf
tarendai
0
68
REST APIs for Absolute Beginners
tarendai
0
920
VVV 2
tarendai
0
700
WordCamp Europe 2016 - Handling Anxiety
tarendai
1
430
WP The Right Way
tarendai
0
1k
Code Deodorant 2014
tarendai
1
680
Adv WP CLI
tarendai
0
660
WP CLI
tarendai
0
600

Other Decks in Technology

See All in Technology
リポジトリをまるっとAIに食わせるRepomixの話
yamadashy
0
220
組織に持ち込む脅威モデリング
nikinusu
3
670
Cline を知ると世界が広がった(だが、俺は Claude for Desktop で行く)
nassy20
3
190
AWS のポリシー言語 Cedar を活用した高速かつスケーラブルな認可技術の探求 #phperkaigi / PHPerKaigi 2025
ytaka23
7
1.2k
VISITS_20250311_こねくとあいとりおす.pdf
iotcomjpadmin
0
120
入社半年で PTE に! 元海外在住者が語る Google Cloud × G-genで 成長する秘訣
risatube
PRO
0
140
Webブラウザのセキュリティ対策に役立つぞ!!~DevToolsの使い方~
masakiokuda
0
160
ドメインイベントを活用したPHPコードのリファクタリング
kajitack
1
640
OCI Oracle Database Services新機能アップデート(2024/12-2025/02)
oracle4engineer
PRO
2
170
AI活用の壁を超える! 開発組織への普及の秘訣
kouryou
0
560
Microsoft_20250311_AzureIoTPortfolio_PDF.pdf
iotcomjpadmin
0
300
Alpine.js を活用した
Laravel MPA フロントエンド最適化戦略 / Alpine.js MPA
tzmfreedom
1
570

Featured

See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
The Power of CSS Pseudo Elements
geoffreycrofte
76
5.7k
Building Applications with DynamoDB
mza
93
6.3k
What's in a price? How to price your products and services
michaelherold
244
12k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
Facilitating Awesome Meetings
lara
53
6.3k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Building Your Own Lightsaber
phodgson
104
6.3k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
30
4.7k

Transcript

  1. Escape From New York Tom J Nowell

  2. Validation Sanitisation Escaping

  3. Validation: Is this what it claims to be?

  4. Sanitisation: Lets clean up this input

  5. Escaping: Making output safe

  6. WordPress.com VIP VIP Wrangler - @tarendai

  7. '; DROP TABLE votes'

  8. Search Results For: <?php echo $_GET[‘s’]; ?>

  9. Search Results For: <?php echo $_GET [‘s’]; ?>

  10. <b>Test</b>

  11. <b>Test</b>

  12. <script>alert(“hey”);</script>

  13. Search Results For: <?php echo esc_html( $_GET[‘s’] ); ?>

  14. Search Results For: <?php echo esc_html( $_GET[‘s’] ); ?>

  15. How to Escape

  16. Sanitize early Escape Late Escape Often

  17. No Data is Safe

  18. <script src='//peniscorp.com/topkek.js'> </script>

  19. Escape Everything..?

  20. echo $var; echo esc_html( $var );

  21. class=”<?php echo $css; ?>” class=”<?php echo esc_attr( $css ); ?>”

  22. href=”<?php echo $url; ?>” href=”<?php echo esc_url( $url ); ?>”

  23. wp_kses & wp_kses_post

  24. echo apply_filters( ‘the_content’ wp_kses_post( $content ) );

  25. tomjn.com/escaping

  26. WordPress.com VIP VIP Wrangler - @tarendai

  27. automattic.com/work-with-us/vip-wrangler/

  28. Questions? Tom J Nowell - WordPress.com VIP @tarendai - tomjn.com