Reading Mark Jaquith's article about PHP $_SERVER variables made me realize that my tutorial on "How to add a horizontal navigation bar to THE MORNING AFTER" includes code that could be improved.
A common security mistake I see WordPress plugin authors (and PHP coders in general) make is using $_SERVER['PHP_SELF'] or $_SERVER['REQUEST_URI'] as the action of a form or part of an anchor’s href attribute. This is not safe to do, and opens your code up to XSS (cross-site scripting) exploits.
To make your navigation bar safer, please apply the following change to your header.php:
Search for
<?php echo $_SERVER['PHP_SELF']; ?>
and replace it with
<?php echo esc_url( $_SERVER['PHP_SELF'] ); ?>
Thank you.
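To show what the change above protects against, here is an added example (it is not the original tutorial's header.php and not code from Mark Jaquith's article): the same navigation fragment in its unsafe and hardened forms, plus links built without touching the request at all. It assumes it runs inside a WordPress theme, where esc_url(), home_url() and get_permalink() are defined; the page id passed to get_permalink() is a placeholder for one of your own pages.

```php
<?php
// Added example, not the tutorial's own header.php.
// Assumes a WordPress theme context: esc_url(), home_url() and
// get_permalink() are WordPress functions and are not defined here.
//
// Why $_SERVER['PHP_SELF'] is untrusted: besides the script name it
// carries any extra path segment appended to the request, so part of its
// value is chosen by whoever requested the page. Echoing it unescaped into
// an attribute puts that request-controlled text into your HTML unchanged.
?>

<!-- UNSAFE: request-controlled value written straight into the attribute -->
<form method="get" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <input type="text" name="s" />
    <input type="submit" value="Search" />
</form>

<!-- SAFE: esc_url() drops disallowed protocols and encodes the characters
     that would otherwise end the attribute early -->
<form method="get" action="<?php echo esc_url( $_SERVER['PHP_SELF'] ); ?>">
    <input type="text" name="s" />
    <input type="submit" value="Search" />
</form>

<ul id="nav">
    <!-- Safer still: build the links from WordPress' own URL helpers, so
         nothing request-controlled reaches the markup. Still wrap them in
         esc_url(), since that is the convention for anything printed into
         an href. The id 2 is a placeholder for your "About" page. -->
    <li><a href="<?php echo esc_url( home_url( '/' ) ); ?>">Home</a></li>
    <li><a href="<?php echo esc_url( get_permalink( 2 ) ); ?>">About</a></li>
</ul>
```

A quick check before and after editing a theme is to search the theme directory for PHP_SELF and REQUEST_URI and confirm that every remaining occurrence is wrapped in esc_url() (or, for text rather than URLs, another WordPress escaping function such as esc_attr()); any bare echo of either variable inside an action or href attribute is the pattern the post warns about.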
Many thanks Nick for the update. Miss your insights on the original TMA support forum. Don’t know why Arun has left the forum open for spammers!
I am not able to implement your tutorial on Highlighted Comments and Snazzy archives. Do they work on WP 2.8 and the new version of TMA?
Thanks
Hi NITYIN!
Well, my guess is that Arun is busy with other stuff.. doesn’t care…
The tutorials should work with WP 2.8 or above, but not with the newest version of TMA.
Maybe I have time to work on this in Oct.
Regards,
Nick
Thanks for the update Nick.
Would it be too much of a bother to ask you a question here?
My question is how to take ‘Description’ off the navigation bar on the homepage.
If you could help with this question, I would really appreciate it.
If you do not have time, then I understand.
I would also like to say ‘thanks’ for everything. Your comments on the TMA forum have been a great help.
What kind of “Description”?
Hi Nick
Suddenly the description page, where I added the info about the site, is appearing on top along with the Home, About, Archives and Contact links. If I make this a sub page of one of the pages to hide the link, then the site description disappears. Have a look at my site.
It did not work on my server, but thanks anyway.