The Open Directory Project 2.Pro
Forum Replies Created
Forum: Plugins
In reply to: [Plugin Check (PCP)] OutputNotEscaped
Thanks Bob, you put it very well and I appreciate it. The policy made no sense to me and I don’t believe the weak defense of it was anything “technical”.
Forum: Plugins
In reply to: [Plugin Check (PCP)] OutputNotEscaped
It looks to me that non-escaped output should simply be reported as a “WARNING” rather than an “ERROR”. A similar situation I am running into is a warning about “WordPress.Security.NonceVerification.Missing” that is reported on an “included” file (i.e. a file pulled into the active file from the plugin’s folder). If the included file also contained a form then it certainly could use the nonce to prevent cross-site scripting, but I don’t see nonces as necessary for each and every “included” page.
I guess my question then is whether the team reviewing plugins considers non-escaped output an absolute “no-no” or something that should be scrutinized carefully (depending on the source of the displayed content, i.e. trusted or not)?
Forum: Plugins
In reply to: [Plugin Check (PCP)] OutputNotEscaped
@bcworkz If I “cannot trust DB data”, as you say, I need to shut down my site and secure the data! I definitely don’t care about displaying “escaped” and false information FROM my own database! Thanks though.
Forum: Plugins
In reply to: [Plugin Check (PCP)] OutputNotEscaped
Here are some examples (out of many) from the checker plugin:
FILE: odp_config_files/default_cssForm.php
122 51 ERROR WordPress.Security.EscapeOutput.OutputNotEscaped All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found ‘CONFIG_BLOKT_MAINCAT_H2’.
123 41 ERROR WordPress.Security.EscapeOutput.OutputNotEscaped All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found ‘CONFIG_BLOKT_MAINCAT_H2_MESSAGE’.
125 224 ERROR WordPress.Security.EscapeOutput.OutputNotEscaped All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found ‘$currentodp2DyMainCatH2’.
And my plugin’s code that generates the errors:
123 … <?php echo CONFIG_BLOKT_MAINCAT_H2; ?>
124 … <?php echo CONFIG_BLOKT_MAINCAT_H2_MESSAGE; ?>
125 … <?php if(isset($currentodp2DyMainCatH2)) {echo $currentodp2DyMainCatH2;}?>
And similar code in my plugin that “fixed” the reported error:
<?php if(isset($currentMainBackgroundColor)) {echo esc_attr($currentMainBackgroundColor);}?>
So the checker requires “esc_attr” on every output whether it is from a trusted source or not because (as the documentation says) there might be problems in the future from outputting non-trusted sources. This looks like a false positive to me? And there are literally hundreds of them generated?
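As an added example (not code from the post above or from the Plugin Check plugin), the following stand-alone PHP script shows what the EscapeOutput sniff is guarding against when a value read back from the plugin’s own options table is echoed into a page. WordPress is not loaded here, so `esc_html()`/`esc_attr()` are stood in for by `htmlspecialchars(..., ENT_QUOTES)`, which is the conversion WordPress applies in `_wp_specialchars()`; the stored strings are constructed samples, not data from the author’s site. Function names ending in `_like`, `_unescaped` and `_escaped` are hypothetical helpers for this example.

```php
<?php
// Added example, not code from the forum post or from the Plugin Check plugin.
// WordPress is not loaded, so esc_html()/esc_attr() are approximated by
// htmlspecialchars() with ENT_QUOTES, the same conversion WordPress performs
// in _wp_specialchars(). Stored strings below are constructed samples.

// Stand-ins for esc_html()/esc_attr(): &, <, >, " and ' become entities.
function esc_html_like(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function esc_attr_like(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Element-content context: where an echoed heading constant or variable lands.
function heading_unescaped(string $text): string {
    return '<h2>' . $text . '</h2>';                 // the pattern the sniff flags
}
function heading_escaped(string $text): string {
    return '<h2>' . esc_html_like($text) . '</h2>';  // the "fixed" pattern
}

// Attribute context: where an echoed colour/value setting lands.
function input_unescaped(string $value): string {
    return '<input type="text" value="' . $value . '">';
}
function input_escaped(string $value): string {
    return '<input type="text" value="' . esc_attr_like($value) . '">';
}

// Constructed samples: what a settings page stores on a normal day, and what
// the same row holds after a crafted save (a low-privilege editor account,
// a buggy import, or a restore from an untrusted database dump).
$samples = [
    'benign heading'  => ['heading', 'Main categories'],
    'crafted heading' => ['heading', 'Main categories<script>alert(document.cookie)</script>'],
    'benign value'    => ['input',   '#ffffff'],
    'crafted value'   => ['input',   '" autofocus onfocus="alert(document.cookie)'],
];

foreach ($samples as $label => [$context, $stored]) {
    $raw  = $context === 'heading' ? heading_unescaped($stored) : input_unescaped($stored);
    $safe = $context === 'heading' ? heading_escaped($stored)   : input_escaped($stored);
    echo "$label\n  raw:     $raw\n  escaped: $safe\n";
}
```

Run it with `php escape_example.php`. For the benign rows the escaped output is byte-for-byte the same as the raw output, which is why escaping a value you believe to be clean costs nothing. For the crafted rows the raw output is a live `<script>` element and an attribute breakout that attaches an `onfocus` handler, while the escaped output renders the same bytes as inert text. The sniff cannot know how a given variable was populated, so it treats the echo, not the data source, as the thing to check.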
Forum: Developing with WordPress
In reply to: The “Plugin Check” Plugin
Thanks! I made a post to the plugin developer’s forum.