有几名External Media without Import的用户向我反馈说插件启用失败,提示语法错误。其中还有一名用户就此问题在github上向我提了一个issue。具体的错误提示是Parse error: syntax error, unexpected T_STRING in …….external-media-without-import.php on line 25。


经过调查与沟通,发现原因是用户使用的PHP版本低于5.3.0,而PHP到了5.3.0才引入名字空间的特性,见PHP 5.3.0 Release Announcement。起初用户以为自己的PHP版本是5.6.30,但依据经验我猜测对方机器上可能有多个PHP版本,并且WordPress使用了较老的PHP。后来用户在自己的WordPress上安装了Display PHP Vesion插件,果然发现WordPress用的是PHP 5.2.17。

因此各位用户如果遇到这个启用失败的问题的话,请用Display PHP Vesion插件查看一下WordPress所用的PHP版本,确保PHP是5.3.0或更高的版本。



8月底的时候External Media without Import插件在github上收到一个pull request。对方指出我的代码存在XSS漏洞。惭愧,直到最近才腾出时间仔细研究他说的问题。插件的1.0.2版本合并了对方的pull request,修复了该漏洞。


这个函数将width 、height 和mime-type等信息通过 urlencode编码后设置为url的参数,然后重定向到该url。在url的响应函数中,我调用了 urldecode读取来这些信息: 继续阅读EMwI插件更新:防XSS攻击




There are issues with your plugin code.

Please read this ENTIRE email, address all listed issues, and reply to this email with your corrected code attached. It is required for you to read and reply to these emails, and failure to do so will result in significant delays with your plugin being accepted.

Also please remember in addition to code quality, security and functionality, we require all plugins adhere to our guidelines. If you have not yet, please read them:

* https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/

## Please sanitize, escape, and validate your POST calls

When you include POST/GET/REQUEST calls in your plugin, it’s important to sanitize, validate, and escape them. The goal here is to prevent a user from accidentally sending trash data through the system, as well as protecting them from potential security issues.

SANITIZE: All instances where generated content is inserted into the database, or into a file, or being otherwise processed by WordPress, the data MUST be properly sanitized for security. By sanitizing your POST data when used to make action calls or URL redirects, you will lessen the possibility of XSS vulnerabilities. You should never have a raw data inserted into the database, even by a update function, and even with a prepare()  call.

VALIDATE: In addition to sanitization, you should validate all your calls. If a $_POST  call should only be a number, ensure it’s an int()  before you pass it through anything. Even if you’re sanitizing or using WordPress functions to ensure things are safe, we ask you please validate for sanity’s sake. Any time you are adding data to the database, it should be the right data.

ESCAPE: Similarly, when you’re outputting data, make sure to escape it properly, so it can’t hijack admin screens. There are many esc_*()  functions you can use to make sure you don’t show people the wrong data.

In all cases, using stripslashes  or strip_tags  is not enough. You need to use the most appropriate method associated with the type of content you’re processing. Check that a URL is a URL and don’t just be lazy and use sanitize_text  please. The ultimate goal is that you should ensure that invalid and unsafe data is NEVER processed or displayed. Clean everything, check everything, escape everything, and never trust the users to always have input sane data.

Please review this document and update your code accordingly: http://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data


WordPress comes with an extensive HTTP API that should be used instead of creating your own curl calls. It’s both faster and more extensive. It’ll fall back to curl if it has to, but it’ll use a lot of WordPress’ native functionality first.



Please make sure you’ve addressed ALL issues brought up in this email.




最近有一个月左右没更新了,因为这个月的业余时间都在忙于一个WordPress插件:External Media without Import。