Widget logic security?

  • GabSoftware

    (@gabsoftware)


    14 years, 10 months ago

    Hi,

    I like Widget logic a lot, but after a quick look at the source code, I see that it uses the eval() PHP function and does not seem to sanitize POST input. I would like to know if this plugin is safe to use.

    Regards,

    Gabriel Hautclocq

Viewing 1 replies (of 1 total)
  • alanft

    (@alanft)

    14 years, 10 months ago

    When I first released WL I worried about the simple eval. Since then I took out the warning in the read me as it seemed to worry no one.

    And that’s largely because the code that gets eval’d isn’t from general user data submitted via post/get etc, but as spec’d by the site admin only. Of course that code can include ref to $_GET etc if so desired, but the point of the plugin is to give the admin that max unfiltered flexibility, and the code would need to be sanitised if it does depend on client input. 90%+ of the time, code is purely down to the internal state of WP code via conditional tags etc

    Hope this helps. Also thanks for the chance to air this – it’s been some time since it was last brought up. Quite happy to discuss if things need to change.

Viewing 1 replies (of 1 total)

The topic ‘Widget logic security?’ is closed to new replies.