Upload File

lessons from wordpress vip - 2016 wilmington, nc wordcampescape outputs / sanitize inputs guiding...

  • Home
  • Documents
  • Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from
18
Lessons from WordPress VIP

Upload: others

Post on 08-Jul-2020

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from

Lessons from WordPress

VIP

Page 2: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from

Andrew Gray

Partner / CTO

Tayloe Gray

[email protected]

www.tayloegray.com

Facebook.com/TayloeGrayAgency

mailto:[email protected]
Page 3: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from

What is WordPress VIP

Provided by Automatic

Private Version of Wordpress.com

Optimized plugins and functions

Automatic Staff Review Of All Code Commits (via SVN)

Unlimited Traffic at a flat monthly fee

Page 4: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from

The Site

Page 5: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from

The Traffic (one month)

Page 6: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from

Stack

Dev on Quickstart

Staging

VIP

Page 7: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from

Quickstart

VIP Quickstart is a local development environment for WordPress.com VIP developers. It provides developers with an environment that closely mirrors WordPress.com

Local

VirtualBox

Vagrant

Git

Public Server

Tested with a host running Ubuntu 12.04

Git

Puppet

Page 8: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from

My Pain is Your Gain

Page 9: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from
Page 10: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from

Coding for Others to Review

Removing Commented-out code

Write for a non-related developer to review

Page 11: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from
Page 12: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from

Escape Outputs / Sanitize Inputs

Guiding Principles

Never trust user input.

Escape as late as possible.

Escape everything from untrusted sources (like databases and users), third-parties

(like Twitter), etc.

Never assume anything.

Never trust user input.

Sanitation is okay, but validation/rejection is better.

Never trust user input.

Page 13: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from

Sanitize and Escape

sanitize_email()

sanitize_file_name()

sanitize_html_class()

sanitize_key()

sanitize_meta()

sanitize_mime_type()

sanitize_option()

sanitize_sql_orderby()

sanitize_text_field() sanitize_title()

sanitize_title_for_query()

sanitize_title_with_dashes()

sanitize_user()

Intval()

wp_kses()

wp_kses()

esc_textarea()

esc_attr()

esc_js()

esc_url()

validate_file()

Page 14: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from

Deploy Via SVN / Git

Code review and testing prior to deployment

VIP Deployments happen when code gets approved, not when scheduled

Coding with settings, All updates must be written into code, or done after

launch.

Page 15: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from
Page 16: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from

If it is important, code it yourself

VIP supports / allows limited number of plugins

Skip plugins for basic functionality such as Custom Post Types

Many plugins are overkill

Page 17: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from

Stuff they look for

Uncached Functions

Unprefexied Functions / Namespaces

theme_name_function_name()

Failing to check current_user_can()

Arbitrary JavaScript and CSS stored in options or meta

Waiting on Remote API calls

Order By Rand / No LIMIT queries

Skipping the cache with query vars

*_meta as a hit counters

https://developer.wordpress.org/reference/functions/current_user_can/
Page 18: Lessons from WordPress VIP - 2016 Wilmington, NC WordCampEscape Outputs / Sanitize Inputs Guiding Principles Never trust user input. Escape as late as possible. Escape everything from

The Wilmington morning star (Wilmington, N.C.). 1945-08-17

ConocoPhillips Wilmington Refinery, Wilmington, California ... · ConocoPhillips Company for operation ofthe Wilmington Refinery. This petition is submitted by Environmental IntegritY

Agenda - Wilmington Area Planning Council · † Wilmington City Council Briefing † Wilmington City Council Public Works & Transportation Committee † Update state representatives

Samsung Smart Front Load Electric Dryer with Steam Sanitize+ · DVE50R8500V Samsung Smart Front Load Electric Dryer with Steam Sanitize+ 7.5 cu. ft. Capacity DOE Features • Bixby

Wilmington, JHass

How and When to Clean and Sanitize

Maintain Social Distancing Sanitize your hands regularly Always …€¦ · Maintain Social Distancing Sanitize your hands regularly Always Wear a mask

VoiceMask: Anonymize and Sanitize Voice Input on Mobile Devices · 2019. 4. 6. · VoiceMask: Anonymize and Sanitize Voice Input on Mobile Devices Jianwei Qian , Haohua Du , Jiahui

Wilmington, Mass, The Wilmington Crusaderlocalhistory.wilmlibrary.org/sites/default/files/Wilmington-Crusader-1953-06-03.pdfPAGE THETWO WILMINGTON CRUSADER, WEDNESDAY, JUNF 3. 19S3

Great Escapes · Take a day or take a weekend and escape to the estates, entertainment and tax-free shopping of Wilmington and the Brandywine Valley. Start planning your great escape

SANItize box sistema di sanificazione ad ozono

Samsung Front Load Electric Dryer with Steam …DVE45T6200W Samsung Front Load Electric Dryer with Steam Sanitize+ 7.5 cu. ft. Capacity DOE Signature Features Steam Sanitize+ • The

Wilmington Funds

SANITIZE HARDWOOD OIL

Wilmington University 2009-2010 Factbook · Wilmington University 2009-2010 Factbook ... Wilmington College officially became known as Wilmington University in order to better reflect

SANITIZE HARDWOOD OIL - Borma Wachs

SANITIZE DRY HANDS WHILE PURIFYING

Wilmington University

2015 Lincoln Navigator Near Wilmington DE | Lincoln Dealer Serving Wilmington DE

The Wilmington Island Clubwilmingtonislandclub.com/files/2017_WIC_April_Newsletter.pdf · The Wilmington Island Club 501 Wilmington Island Road Savannah, Georgia 31410 Volume 19,

Wilmington, Delaware

UNC Wilmington

Samsung Top Load Electric Dryer with Steam Sanitize+ · Samsung Top Load Electric Dryer with Steam Sanitize+ 7.4 cu. ft. Capacity DOE Signature Features Steam Sanitize+ • The Steam

Document Detective: Review and sanitize documents with … · Document Detective: Review and sanitize documents with confidence Document Detective is an interactive, desktop application

Wilmington, Massachusetts

Wilmington Public Library Wilmington, Mass (UntunjyEmrlocalhistory.wilmlibrary.org/sites/default/files/1966-06-16.pdf · Wilmington Public Library Middlesex Avenue Wilmington, Mass

Exploring Life in 1898 Wilmington & the Wilmington Race Riot with

Wilmington Powerpoint

Wilmington College Cooperating Teachers Wilmington College Cooperating Teachers Virtual Orientation Workshop

Wilmington, North Carolina - CFCI PARKING LOT ADDITIONprotrak.wilmingtonnc.gov/PTDocuments/Uploads/Comments/Plans/CFCFI... · WILMINGTON, NC 27401 WILMINGTON, NORTH CAROLINA MINOR

PORT OF WILMINGTON TERMINAL TARIFF · PORT OF WILMINGTON TERMINAL TARIFF. Issued on January 1, 2020 . BY: GT USA Wilmington, LLC . 1 Hausel Road . Wilmington, DE 19801 . Telephone:

GIVE YOUR HOME THE ULTIMATE CLEAN W ITH SANITIZE …

Wilmington University’s

Girls Leadership Academy of Wilmington | GLOW...Girls Leadership Academy of Wilmington | GLOW WILMINGTON, NC Project Address 4100 Sunglow Drive, Wilmington, NC 28405 Architect(s) LS3P

Samsung Top Load Electric Dryer with Steam Sanitize+