
Deprecated: Scan all sorts of themes and files and things! Use PHPCS and the VIP coding standards instead

Results 103 vip-scanner issues

If a `register_setting` call doesn't include a sanitization callback (3rd param), we should flag that as a blocker.

enhancement

WordPress' `wp_tempnam()` function ends up writing to the filesystem through PHP's `touch()` and so should probably be a blocker. See ZD ticket 41180 for context

@nickdaugherty once said, "return values should always be checked before calling methods on them"

enhancement
dynamic analysis
static analysis

Add checks per issue #153:

> A variant that includes one of
> include|require|echo|print|dump|export|open|sock|unlink||eval or does
> _not_ include a reference to a superglobal (regex check for `$_`) will
> fail...
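The three checks requested above (a `register_setting()` call with no sanitization callback, any `wp_tempnam()` call, and a superglobal reaching one of the sinks listed in issue #153) can all be expressed as one small static pass over PHP source. The script below is an added illustration written for this page, not the vip-scanner project's own PHP code; the sample theme snippet, the finding names, the wrapper list and the severity choices (an `esc_*`/`sanitize_*`/`wp_kses*` wrapper on the same line downgrades a hit to a warning) are constructed assumptions. It also handles the WordPress 4.7+ form of `register_setting()`, where the third argument is an `$args` array that must carry a `sanitize_callback` key.

```python
import re
from dataclasses import dataclass

# Constructed sample theme code used as scanner input (not from any real theme).
SAMPLE_PHP = """<?php
register_setting( 'mytheme', 'mytheme_color', 'sanitize_hex_color' );
register_setting( 'mytheme', 'mytheme_html' );
register_setting( 'mytheme', 'mytheme_rest', array( 'type' => 'string', 'show_in_rest' => true ) );
$tmp = wp_tempnam( 'upload' );
echo $_GET['q'];
print esc_html( $_GET['q'] );
include get_template_directory() . '/inc/helpers.php';
"""

# Sink stems quoted from issue #153; matched as substrings so fopen, fsockopen,
# var_dump and var_export are caught by the open/sock/dump/export stems.
SINK_STEMS = ("include", "require", "echo", "print", "dump", "export",
              "open", "sock", "unlink", "eval")
SINK_RE = re.compile(r"\b\w*(?:%s)\w*\b" % "|".join(SINK_STEMS))
SUPERGLOBAL_RE = re.compile(r"\$_[A-Z]+\b")   # the issue's "$_" check, tightened to $_GET, $_POST, ...
# Assumed list of wrappers that downgrade a superglobal-to-sink hit to a warning.
SAFE_WRAPPER_RE = re.compile(r"\b(?:esc_\w+|sanitize_\w+|wp_kses\w*|absint|intval)\s*\(")


@dataclass
class Finding:
    line: int
    level: str    # "blocker" or "warning"
    check: str
    message: str


def split_top_level_args(argtext):
    """Split a PHP argument list on commas at nesting depth 0, honouring quotes."""
    args, cur, depth, quote, i = [], [], 0, None, 0
    while i < len(argtext):
        ch = argtext[i]
        if quote:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(argtext):   # keep the escaped char verbatim
                cur.append(argtext[i + 1])
                i += 1
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            cur.append(ch)
        elif ch in "([{":
            depth += 1
            cur.append(ch)
        elif ch in ")]}":
            depth -= 1
            cur.append(ch)
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        args.append(tail)
    return args


def find_calls(src, name):
    """Yield (line_number, [args]) for every call to `name`, matching balanced parens."""
    for m in re.finditer(r"\b%s\s*\(" % re.escape(name), src):
        depth, quote, i = 1, None, m.end()
        while i < len(src) and depth:
            ch = src[i]
            if quote:
                if ch == "\\":
                    i += 1
                elif ch == quote:
                    quote = None
            elif ch in "'\"":
                quote = ch
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            i += 1
        line_no = src.count("\n", 0, m.start()) + 1
        yield line_no, split_top_level_args(src[m.end():i - 1])


def scan(src):
    """Run the three checks over PHP source; findings come back grouped by check."""
    findings = []
    for line_no, args in find_calls(src, "register_setting"):
        if len(args) < 3:
            findings.append(Finding(line_no, "blocker", "register_setting.no_sanitize",
                                    "register_setting() called without a sanitization callback"))
        elif args[2].startswith(("array(", "array (", "[")) and "sanitize_callback" not in args[2]:
            findings.append(Finding(line_no, "blocker", "register_setting.no_sanitize",
                                    "register_setting() $args array has no 'sanitize_callback' key"))
    for line_no, _ in find_calls(src, "wp_tempnam"):
        findings.append(Finding(line_no, "blocker", "wp_tempnam.filesystem_write",
                                "wp_tempnam() writes to the filesystem via touch()"))
    for line_no, line in enumerate(src.splitlines(), 1):
        sink = SINK_RE.search(line)
        if sink and SUPERGLOBAL_RE.search(line):
            level = "warning" if SAFE_WRAPPER_RE.search(line) else "blocker"
            findings.append(Finding(line_no, level, "superglobal.reaches_sink",
                                    "superglobal used on the same line as '%s'" % sink.group(0)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PHP):
        print("line %d [%s] %s: %s" % (f.line, f.level, f.check, f.message))
```

The argument splitter is what makes the `register_setting()` check reliable: a naive comma count would see four arguments in the `array( 'type' => ..., 'show_in_rest' => ... )` form and wrongly pass it. The superglobal check is deliberately line-local, so data that reaches a sink through an intermediate variable is not seen; that is the limit of this kind of regex pass and the reason such a finding is best treated as a review prompt rather than a proof.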

In order for us to build tools that can manage a site/theme's menus, we need to know what the 'primary' location is for the theme - in a predictable manner....

enhancement
static analysis

`trigger_error()` doesn't make much sense, as there is no access to the log file this will produce...and if you intentionally throw a fatal error, that's doubly bad. `set_error_handler()` is not...

enhancement
static analysis

As per GitHub Issue #216, there are good reasons to use protocol-relative URLs. This pull request includes some basic scanning for this:

- CSS and JS files
- PHP files,...
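An added example, not code from this pull request or from the vip-scanner project, of the kind of scan described above: it walks CSS, JS and PHP sources, reports hard-coded `http://` references (which become mixed content once the site is served over HTTPS) and lists protocol-relative `//` references separately. The file contents, the severity levels and the rule that a URL only counts when it directly follows a quote or an opening parenthesis are assumptions made for the example. One caveat worth attaching to the check: a protocol-relative URL inherits whatever scheme the page was loaded with, so for a site that is always served over HTTPS an explicit `https://` reference is the stronger choice.

```python
import re
from dataclasses import dataclass

# Constructed sample theme files (not from any real theme or from the vip-scanner tests).
SAMPLE_FILES = {
    "style.css": (
        "body { background: url(http://cdn.example.com/bg.png); }\n"
        ".logo { background: url(//cdn.example.com/logo.png); }\n"
    ),
    "app.js": (
        "var api = 'http://api.example.com/v1';\n"
        "var img = '//img.example.com/x.png';\n"
        "var docs = 'https://example.com/docs';\n"
        "// see http://example.com/readme for details\n"
    ),
    "header.php": (
        "<?php wp_enqueue_script( 'x', 'http://example.com/x.js' ); ?>\n"
        "<link rel=\"stylesheet\" href=\"//fonts.googleapis.com/css\">\n"
    ),
}

SCANNED_EXTENSIONS = (".css", ".js", ".php")

# A URL reference that starts right after a quote or an opening paren (a string
# literal, an attribute value or a CSS url()): an optional http:/https: scheme
# followed by a hostname. Anchoring on the preceding character is an assumed
# heuristic that skips URLs which merely appear in comments or prose.
URL_RE = re.compile(
    r"""(?<=['"(])(?P<scheme>https?:)?//(?P<host>[a-z0-9.-]+\.[a-z]{2,})(?P<path>[^\s'"()<>]*)""",
    re.IGNORECASE,
)


@dataclass
class UrlFinding:
    path: str
    line: int
    level: str    # "blocker" for http://, "info" for protocol-relative //
    url: str
    message: str


def scan_text(path, text):
    """Return one finding per http:// or protocol-relative reference in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in URL_RE.finditer(line):
            scheme = (m.group("scheme") or "").lower()
            url = m.group(0)
            if scheme == "http:":
                findings.append(UrlFinding(path, line_no, "blocker", url,
                    "hard-coded http:// reference; mixed content when the page is served over HTTPS"))
            elif scheme == "":
                findings.append(UrlFinding(path, line_no, "info", url,
                    "protocol-relative URL; inherits the page scheme, so prefer https:// on HTTPS-only sites"))
            # https:// references are fine and produce no finding
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping, looking only at CSS, JS and PHP files."""
    findings = []
    for path, text in files.items():
        if path.lower().endswith(SCANNED_EXTENSIONS):
            findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print("%s:%d [%s] %s -> %s" % (f.path, f.line, f.level, f.url, f.message))
```

The lookbehind on `['"(]` is what keeps the `// see http://example.com/readme` comment in `app.js` out of the results: neither the leading `//` nor the `http://` after a space follows a quote or a parenthesis, so only references that can actually be fetched by the browser are reported.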

This should be the beginnings of a solution to GitHub issue #255. I used [this "XSS Filter Evasion Cheat Sheet"](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet) as a guide when creating the scans and unit tests....

This should be a solution to GitHub issue #265. I made this change so that when searching for XSS vulnerabilities, I wouldn't have to run through two `foreach ( $this->filter_files()...

Certain VIP approved plugins and libraries are deprecated and should not be used in new projects. The scanner should detect automatically whenever such deprecated code is integrated into a theme.

new feature