Code Review Feedback from the Official WordPress Team

When I first submitted plugin code to the official WordPress team, I received a feedback email from them. In it, the WordPress team raised a number of review comments on my code. The content is well worth learning from, so I am sharing it here. The gist comes down to two points: first, the back end must not trust data sent from the front end and must check and process it carefully, which is basic back-end knowledge; second, use WordPress's existing APIs wherever possible instead of calling curl directly yourself.

The original text follows:

There are issues with your plugin code.

Please read this ENTIRE email, address all listed issues, and reply to this email with your corrected code attached. It is required for you to read and reply to these emails, and failure to do so will result in significant delays with your plugin being accepted.

Also please remember in addition to code quality, security and functionality, we require all plugins adhere to our guidelines. If you have not yet, please read them:

* https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/

## Please sanitize, escape, and validate your POST calls

When you include POST/GET/REQUEST calls in your plugin, it’s important to sanitize, validate, and escape them. The goal here is to prevent a user from accidentally sending trash data through the system, as well as protecting them from potential security issues.

SANITIZE: In all instances where generated content is inserted into the database, or into a file, or is otherwise processed by WordPress, the data MUST be properly sanitized for security. By sanitizing your POST data when used to make action calls or URL redirects, you will lessen the possibility of XSS vulnerabilities. You should never have raw data inserted into the database, even by an update function, and even with a prepare() call.

VALIDATE: In addition to sanitization, you should validate all your calls. If a $_POST call should only be a number, ensure it’s an int() before you pass it through anything. Even if you’re sanitizing or using WordPress functions to ensure things are safe, we ask you please validate for sanity’s sake. Any time you are adding data to the database, it should be the right data.

ESCAPE: Similarly, when you’re outputting data, make sure to escape it properly, so it can’t hijack admin screens. There are many esc_*() functions you can use to make sure you don’t show people the wrong data.

In all cases, using stripslashes or strip_tags is not enough. You need to use the most appropriate method associated with the type of content you’re processing. Check that a URL is a URL and don’t just be lazy and use sanitize_text please. The ultimate goal is that you should ensure that invalid and unsafe data is NEVER processed or displayed. Clean everything, check everything, escape everything, and never trust the users to always have input sane data.

Please review this document and update your code accordingly: http://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data

Example:

WordPress comes with an extensive HTTP API that should be used instead of creating your own curl calls. It’s both faster and more extensive. It’ll fall back to curl if it has to, but it’ll use a lot of WordPress’ native functionality first.

https://developer.wordpress.org/plugins/http-api/

---

Please make sure you’ve addressed ALL issues brought up in this email.

Translation:

There are issues with your code.

Please read the entire email, address all the issues listed in it, and reply to this email with your corrected code attached. You must read and reply to these emails; otherwise, acceptance of your plugin will be significantly delayed.

Also, please remember that in addition to code quality, security and functionality, we require all plugins to follow our guidelines. If you have not done so yet, please read them first:

* https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/

## Please sanitize, escape and validate your POST calls

When you include POST/GET/REQUEST calls in your plugin, it is important to sanitize, validate and escape them. The purpose is to stop users from sending trash data through the system and to protect them from potential security issues.

Sanitize: whenever generated data is to be inserted into the database or a file, or is to be processed by WordPress, that data must be properly sanitized for security. Sanitizing the POST data used in action calls or URL redirects reduces XSS vulnerabilities. Never insert raw data into the database, even via an update function, or even via a prepare() call.

Validate: beyond sanitizing, validate all of your calls as well. If a $_POST call should only be a number, make sure it is an int() before passing it on to anything. Even if you are sanitizing or using WordPress functions to ensure safety, we still ask you to validate for the sake of sanity. Whenever a piece of data is added to the database, it should be the correct data.

Escape: similarly, when you output data, make sure it is escaped properly so that it cannot hijack admin screens. There are many esc_*() functions that can be used to make sure wrong data is never shown to users.

In any situation, merely using stripslashes and strip_tags is not enough. You need to choose the most appropriate method according to the type of content being processed. Make sure a URL really is a URL; do not be lazy and use sanitize_text. The ultimate goal is to ensure that invalid and unsafe data is never processed or displayed. Clean everything, check everything, escape everything, and never trust users to always enter sane data.

Please review this document and update your code according to it: http://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data

Example:

WordPress provides an extensive HTTP API; you should use it instead of creating your own curl calls. This is both faster and more extensible. This approach will fall back to curl when it has no other choice, but it will first use a great deal of WordPress's own functionality.

https://developer.wordpress.org/plugins/http-api/

---

Please make sure you have resolved all the issues mentioned in this email.
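As an added illustration (not code from the email or from my plugin), here is how a settings-save handler can apply the three steps the reviewers ask for, sanitize, validate and escape, and then reach a remote endpoint through the WordPress HTTP API instead of curl. The `myplugin_*` option, field, nonce and action names are hypothetical placeholders; every other function is standard WordPress or PHP.

```php
<?php
// Added example: a settings-save handler that validates, sanitizes and escapes
// $_POST input and fetches a remote resource through the WordPress HTTP API.
// Option/field/nonce names (myplugin_*) are hypothetical placeholders.

add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );

function myplugin_handle_save() {
    // Authorization and CSRF check before any input is touched.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ) );
    }
    check_admin_referer( 'myplugin_save_action', 'myplugin_nonce' );

    // VALIDATE: the endpoint must be a well-formed http(s) URL, not just any string.
    $raw_url = isset( $_POST['myplugin_endpoint'] ) ? wp_unslash( $_POST['myplugin_endpoint'] ) : '';
    $url     = esc_url_raw( $raw_url, array( 'http', 'https' ) );
    if ( '' === $url || false === filter_var( $url, FILTER_VALIDATE_URL ) ) {
        wp_die( esc_html__( 'Endpoint must be a valid http(s) URL.', 'myplugin' ) );
    }

    // VALIDATE: a timeout must be an integer within a sane range, so absint() alone is not enough.
    $timeout = isset( $_POST['myplugin_timeout'] ) ? absint( $_POST['myplugin_timeout'] ) : 5;
    if ( $timeout < 1 || $timeout > 30 ) {
        wp_die( esc_html__( 'Timeout must be between 1 and 30 seconds.', 'myplugin' ) );
    }

    // SANITIZE: a free-text label is stripped of tags, line breaks and control characters.
    $label = isset( $_POST['myplugin_label'] ) ? sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) ) : '';

    // Only cleaned, validated values reach the database.
    update_option( 'myplugin_settings', compact( 'url', 'timeout', 'label' ) );

    // Use the HTTP API instead of curl; it picks the transport and reports errors uniformly.
    $response = wp_remote_get( $url, array( 'timeout' => $timeout ) );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        wp_die( esc_html__( 'Endpoint could not be reached.', 'myplugin' ) );
    }
    $body = wp_remote_retrieve_body( $response );

    // ESCAPE on output: both the stored label and the remote body are untrusted in admin HTML.
    printf(
        '<p>%s: <code>%s</code></p>',
        esc_html( $label ),
        esc_html( substr( $body, 0, 200 ) )
    );
}
```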
