Forum Replies Created
-
Replies
-
Ok, although I’m not really sure what feedback you are looking for?
1) sanitize_textarea_field is for a textarea field which should be used as per https://developer.mozilla.org/en-US/docs/Web/HTML/Element/textarea
2) I’m not sure this would be more complicated, its simply a nested array passed to a function which you have already outlined.
Hi Anh,
Good job prioritising this – my feedback:
First:
It would be best if all data entry points are sanitized with the most appropriate WordPress function, so this would mean textarea would utilise ‘sanitize_textarea_field’:
https://developer.wordpress.org/reference/functions/sanitize_textarea_field/
Second:
For any field employing ‘wp_kses_post’ (WYSIWYG or Custom), allow developers to pass an optional sub-array of tags/protocols to be allowed using:
https://codex.wordpress.org/Plugin_API/Filter_Reference/pre_kses
which is principally based on:
https://codex.wordpress.org/Function_Reference/wp_kses_allowed_html
Third:
Enforce a minimum of ‘sanitize_textarea_field’ to all custom field types and allow developers to change this, but limited to only one of the built-in WordPress sanitization functions.
Fourth:
Allow developers to bypass WordPress security altogether, (obviously not advised) and implement their own sanitization.
This should only be enabled if a developer (understanding the risks) changes the default setting of sanitize:true to sanitize:custom_callback and provides a working callback function.
Hope this helps,
DavidHi Anh,
Having dry-run the code, I pleased to see this heading in the right direction. Remember to keep this on your to-do list, because security should not be a one-time “set it and forget it” thing, but a constant test, evolution, improvement and refinement of the requirements.
Before release, I suggest you employ some white-hat tactics and ask a core-team (maybe from your Facebook group) to try thwarting or circumventing the sanitization using combinations of complex field groups, custom tables, front-end posting and carefully malformed data.
Thanks,
DavidOops: XSS attack, not XXS attack.
Ok,
But I’m not sure most of your customers will know what they need to do – especially those using MB User Profile and MB FrontEnd Submission where (potentially) anonymous or less trusted users could abuse the system.
I understand your concern regarding managing a whitelist for HTML tags/attributes, but wp_kses_post should handle this without any further configuration required:
https://codex.wordpress.org/Function_Reference/wp_kses_post
Alternatively, at least baseline strip javascript tags/code and links containing javascript as these should never be included in post markup, and can used to create XXS attacks which maliciously affect users browsing the site.
Hi Anh,
As firewalls do, you cannot go wrong implementing a default deny policy when coding. Thus, unless you specifically allow something, you deny it – like whitelisting.
The minimum santization you should incorporate for fields which might contain HTML is KSES:
https://codex.wordpress.org/Function_Reference/wp_kses
https://codex.wordpress.org/Function_Reference/wp_kses_post
https://codex.wordpress.org/Plugin_API/Filter_Reference/pre_ksesAdditionally, create separate allowed HTML tag arrays for back-end admins (more open) and front-end users (less open) which can be amended as per requirements.
If correct, this is quite concerning.
Standard WordPress security should be enabled by default in any plugin or snippet that uses the ecosystem – it should be possible to override this with an option but this should not be necessary in normal circumstances.
Anh, please can you confirm whether this is isolated or across the board.
+1
Can we get an idea when this will be implemented?
Thanks
I would be interested in an integration between Metabox and Buddypress.
There is a plugin which “syncs” (i.e. duplicates) user/xprofile fields:
https://en-gb.wordpress.org/plugins/bp2wp-full-sync/
But it would be better to natively update the fields like Gravity Forms:
https://docs.gravityforms.com/user-registration-add-on/#buddypress-integration
Hope this can be added to the development roadmap.
Regards
Hi Anh,
I suggested a boolean for bi-directional (reciprocal) relationships in this post:
https://metabox.io/support/topic/post-relationships/#post-7797
Hope this helps,
David
