Rabin Shrestha: Data Validation and Sanitization in WordPress

Published in: Education

  1. Data Validation And Sanitization
     Presented by: Rabin Shrestha, sun.ravi90@gmail.com
  2. Overview
     - Definitions
     - Why Data Validation and Sanitization?
     - Difference between Data Validation and Sanitization
     - Golden rules
     - Some helper functions in the Codex
  3. Definitions
     Data Validation: making sure that we receive what we expect to receive before saving it to the database.
     Data Sanitization: making the data sane before use, i.e. before storing it to the database or echoing it to the browser (escaping).
  4. Why Validate and Sanitize Data?
     Hackers can inject various scripts (SQL injection) or XSS (Cross-site Scripting):
     <script>alert(hacked)</script>
     <script>alert(document.cookie)</script>
  5. Why Validate and Sanitize Data?
     - Can break the output of the website: use of a single quote or double quote can break the output
     - Spread malware
  6. Difference
     Data Validation: if the data is valid we accept it; if not, we reject it.
     Data Sanitization: in contrast to data validation, sanitization doesn't reject the whole data but strips the evil tags and encodes the tags before echoing it to the browser.
  7. Still confused??
  8. Let's see this example. Source: http://devotepress.com
  9. Remember the Golden Rules
     Rule no. 1: Never, ever, trust your users.
     Rule no. 2: Validate/sanitize all inputs and escape all outputs.
     Rule no. 3: Trust WordPress.
  10. What does "trust WordPress" mean?
     Functions like the_title(), the_permalink(), the_title_attribute(), the_content() are already escaped by WordPress and are safe depending upon context.
     But custom data are not safe, e.g. get_post_meta().
  11. Some helper escaping functions
     esc_attr(): escapes content to be contained inside HTML attributes, e.g. title, rel etc. Encodes < > & " '.
     esc_textarea(): encodes text for use inside a <textarea> element. Uses the htmlspecialchars function of PHP.
  12. Some helper escaping functions contd..
     This text contain <script type="text/javascript">alert("XSS");</script> here!
     esc_url( $url, (array) $protocols ): sanitizes a URL. Rejects URLs that don't have one of the provided whitelisted protocols (defaulting to http, https, ftp, ftps, mailto, news, irc etc.).
  13. Some helper escaping functions contd..
     esc_html(): encodes < > & " ' (less than, greater than, ampersand, double quote, single quote), letting the browser render it instead of interpreting it.
     esc_js(): escapes single quotes and the htmlspecialchars " < > &. Intended to be used in inline JS, for example onclick="do something".
  14. Some helper input validating functions
     intval( $int ): ensures the number is an integer.
     absint( $int ): ensures the number is non-negative.
     sanitize_text_field(): strips out extra whitespace, tabs and line breaks, and strips tags.
  15. Some helper input validating functions contd..
     wp_kses_post(): sanitizes content for the HTML tags allowed in post content.
     wp_kses( $string, $allowed_html, $allowed_protocols ): only the HTML tags passed as argument are accepted.
  16. Some helper input validating functions contd..
     is_email( $email ): returns true if the email address is valid.
     esc_url_raw(): escapes URLs that are to be saved to the database.
     Note: esc_url is intended for output purposes while esc_url_raw is intended for database storage. Also, esc_url does not encode HTML entities.
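The following is an added example for this page, not code from the slides or from WordPress core: a hypothetical plugin settings page that applies rule no. 2 with the helper functions above, sanitizing each field on the way in and escaping it per context on the way out. The option name rs_demo_settings, the field names and the rs_demo_ function names are assumptions.

```php
<?php
// Added example (not from the slides). Option name, field names and
// rs_demo_ function names are made up for this illustration.

// --- Input: runs when the settings form is submitted ---
function rs_demo_sanitize_settings( $input ) {
    $clean = array();
    // Free text: strip tags, extra whitespace, tabs and line breaks.
    $clean['site_label'] = sanitize_text_field( $input['site_label'] ?? '' );
    // Number: force a non-negative integer.
    $clean['items_per_page'] = absint( $input['items_per_page'] ?? 10 );
    // Email: this is validation, not sanitization; reject if is_email() fails.
    $clean['contact_email'] = is_email( $input['contact_email'] ?? '' )
        ? $input['contact_email'] : '';
    // URL for storage: esc_url_raw(), not esc_url() (that one is for output).
    $clean['homepage'] = esc_url_raw( $input['homepage'] ?? '' );
    // Rich text: keep only the tags allowed in post content.
    $clean['intro_html'] = wp_kses_post( $input['intro_html'] ?? '' );
    return $clean;
}
add_action( 'admin_init', function () {
    register_setting( 'rs_demo', 'rs_demo_settings', array(
        'sanitize_callback' => 'rs_demo_sanitize_settings',
    ) );
} );

// --- Output: the escaping function is chosen by context, right at the echo ---
function rs_demo_render_settings() {
    $opt = get_option( 'rs_demo_settings', array() );
    // HTML attribute context -> esc_attr()
    echo '<input name="rs_demo_settings[site_label]" value="'
        . esc_attr( $opt['site_label'] ?? '' ) . '">';
    // Plain HTML text context -> esc_html()
    echo '<p>' . esc_html( $opt['contact_email'] ?? '' ) . '</p>';
    // href context -> esc_url(), which also rejects non-whitelisted protocols
    echo '<a href="' . esc_url( $opt['homepage'] ?? '' ) . '">Home</a>';
    // <textarea> context -> esc_textarea()
    echo '<textarea name="rs_demo_settings[intro_html]">'
        . esc_textarea( $opt['intro_html'] ?? '' ) . '</textarea>';
    // Inline JS context -> esc_js()
    echo '<button onclick="alert(\'' . esc_js( $opt['site_label'] ?? '' )
        . '\')">Say</button>';
}
```

Note that get_option() returns custom data, so it gets no protection from the "trust WordPress" rule; every echo above escapes it explicitly.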
  17. Sources
     http://devotepress.com/coding/data-validation-sanitization-wordpress-1/
     http://devotepress.com/coding/data-validation-sanitization-wordpress-2/
     http://codex.wordpress.org/Data_Validation
     http://wordpress.tv/2011/09/07/mark-jaquith-jon-cave-brad-williams-plugin-security-showdown/
  18. Thank you! Any questions?