vip-scanner
Deprecated: Scan all sorts of themes and files and things! Use PHPCS and the VIP coding standards instead
When working on GitHub issue #255, I ran into trouble because `filter_files()` only accepts one file type at a time. This would require extra for loops and iterations for...
XSS can come from CSS:

```
BODY{background:url("javascript:alert('XSS')")}
body{-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss)}
```

```
@im\port'\ja\vasc\ript:alert("XSS")';
```

In external and inline CSS, we should block:

- `` with `href`...
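A concrete shape such a check could take, as an added example written in Python rather than the scanner's own PHP (this is not code from the vip-scanner project). The point of the third vector quoted above is that a naive substring search for `javascript:` misses it: CSS lets an author break a keyword with backslash escapes, hex escapes (`\6a` is `j`) and comments, so the check first normalizes the stylesheet the way a browser's CSS tokenizer would and only then matches. The sample stylesheets are constructed here; the `behavior:` and `expression(` rules are IE-era vectors added on the same reasoning and are not mentioned in the issue.

```python
import re

# Constructed sample CSS (not from the issue). The first three reproduce the
# vectors the issue quotes, the fourth hides the scheme behind a CSS comment,
# the last is benign.
SAMPLES = {
    "js_url": 'BODY{background:url("javascript:alert(\'XSS\')")}',
    "moz_binding": "body{-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss)}",
    "escaped_import": "@im\\port'\\ja\\vasc\\ript:alert(\"XSS\")';",
    "comment_split": "body{background:url(java/**/script:alert(1))}",
    "benign": "body{background:url(/images/bg.png)}\n@import url(/css/print.css);",
}


def _hex_escape(match):
    """Replace a \\XXXXXX hex escape with the code point it names."""
    value = int(match.group(1), 16)
    if value == 0 or value > 0x10FFFF:
        return "\ufffd"  # CSS Syntax spec: invalid code points become U+FFFD
    return chr(value)


def normalize_css(css):
    """Undo the tricks that hide a keyword from a naive substring search:
    hex and character escapes, comments and tab/newline padding."""
    # 1-6 hex digits, optionally followed by one whitespace character
    css = re.sub(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?", _hex_escape, css)
    # a backslash before any other character simply yields that character
    css = re.sub(r"\\(.)", r"\1", css, flags=re.S)
    # comments can split a keyword: java/**/script
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)
    # browsers drop tab/CR/LF inside URL schemes, so matching does too
    return re.sub(r"[\t\r\n]", "", css)


# Rules applied to the normalized stylesheet. The first two are the vectors
# quoted in the issue; behavior: and expression( are added here (assumption).
RULES = [
    ("javascript-url", re.compile(r"javascript\s*:", re.I)),
    ("moz-binding", re.compile(r"-moz-binding\s*:", re.I)),
    ("behavior", re.compile(r"(?<![\w-])behavior\s*:", re.I)),
    ("expression", re.compile(r"(?<![\w-])expression\s*\(", re.I)),
    # @import of an off-site stylesheet pulls in CSS nobody scanned
    ("external-import", re.compile(r"@import\s*(?:url\()?\s*[\"']?\s*(?:https?:)?//", re.I)),
]


def scan_css(css):
    """Return [(rule_name, matched_text), ...] for everything worth blocking."""
    normalized = normalize_css(css)
    findings = []
    for name, pattern in RULES:
        for match in pattern.finditer(normalized):
            findings.append((name, match.group(0)))
    return findings


def flagged_rules(css):
    """The set of rule names that fired for this stylesheet."""
    return {name for name, _ in scan_css(css)}


if __name__ == "__main__":
    for label, css in SAMPLES.items():
        print(f"{label:15s} -> {sorted(flagged_rules(css)) or 'clean'}")
```

Normalizing before matching is what makes the escaped `@im\port` sample and the comment-split sample land on the same `javascript-url` rule as the plain one; a scanner that matches raw text will pass both.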
Since everything is moving to forced https, we should flag when http is hardcoded. Things should always be protocol-agnostic as much as possible. (Even if their primary domain is...
All JS that ever runs on the site should be scanned for the various vulnerabilities that can exist in JS - including externally hosted JS. The Scanner should detect, through...
When setting a cache TTL of over 30 days while using a memcache backend, the TTL value is treated as a Unix timestamp, which creates unexpected behavior. If the TTL...
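One way the scanner could catch this statically, as an added example in Python (not code from the vip-scanner project). The limit comes from the memcached protocol: an expiry greater than 30 days (2592000 seconds) is interpreted as an absolute Unix timestamp, so `YEAR_IN_SECONDS` means "expired in 1971" rather than "a year from now". The check finds `wp_cache_set()`/`wp_cache_add()`/`wp_cache_replace()` calls, folds the fourth argument when it is built from integer literals and the WordPress time constants, and flags anything over the limit; a TTL it cannot evaluate (a variable) is reported for manual review. The PHP sample is constructed here.

```python
import ast
import re

# WordPress time constants (values from wp-includes/default-constants.php).
WP_TIME_CONSTANTS = {
    "MINUTE_IN_SECONDS": 60,
    "HOUR_IN_SECONDS": 60 * 60,
    "DAY_IN_SECONDS": 24 * 60 * 60,
    "WEEK_IN_SECONDS": 7 * 24 * 60 * 60,
    "MONTH_IN_SECONDS": 30 * 24 * 60 * 60,
    "YEAR_IN_SECONDS": 365 * 24 * 60 * 60,
}
# memcached protocol rule: an expiry above 30 days is an absolute Unix timestamp.
MEMCACHE_MAX_RELATIVE_TTL = 30 * 24 * 60 * 60
CACHE_WRITERS = ("wp_cache_set", "wp_cache_add", "wp_cache_replace")

# Constructed sample, not real plugin code.
SAMPLE_PHP = r"""<?php
// constructed sample, not real plugin code
wp_cache_set( 'nav_menu', $menu, 'theme', 12 * HOUR_IN_SECONDS );       // fine
wp_cache_set( 'stats', $stats, 'theme', MONTH_IN_SECONDS );             // exactly 30 days: still relative
wp_cache_add( 'feed', $feed, 'theme', YEAR_IN_SECONDS );                // read as a timestamp in 1971
wp_cache_set( 'big', json_encode( $data ), 'theme', 60 * 60 * 24 * 45 ); // 45 days: same bug
wp_cache_set( 'ttl_var', $v, 'theme', $ttl );                           // not decidable statically
"""


def eval_ttl(expr):
    """Evaluate a TTL written with integers, the WP constants, + and *.
    Returns None for anything else (a PHP variable, a function call)."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError:
        return None

    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.Name):
            return WP_TIME_CONSTANTS.get(node.id)
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mult)):
            left, right = walk(node.left), walk(node.right)
            if left is None or right is None:
                return None
            return left + right if isinstance(node.op, ast.Add) else left * right
        return None

    return walk(tree.body)


def find_calls(source, names):
    """Yield (name, line, argument_text) for each call to one of `names`,
    matching parentheses so nested calls in the arguments stay intact."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, names)) + r")\s*\(")
    for m in pattern.finditer(source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"(": 1, ")": -1}.get(source[i], 0)
            i += 1
        if depth == 0:
            yield m.group(1), source.count("\n", 0, m.start()) + 1, source[m.end():i - 1]


def split_args(text):
    """Split an argument list on top-level commas only (quotes and nesting
    respected; backslash escapes inside strings are not handled)."""
    args, buf, depth, quote = [], [], 0, None
    for ch in text:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if buf:
        args.append("".join(buf).strip())
    return args


def check_cache_ttls(source):
    """Return (line, severity, message) for every cache write whose fourth
    argument is over memcached's 30-day limit or cannot be decided."""
    findings = []
    for name, line, arg_text in find_calls(source, CACHE_WRITERS):
        args = split_args(arg_text)
        if len(args) < 4:
            continue  # no expiry given: defaults to 0 (never expires), nothing to check
        ttl = eval_ttl(args[3])
        if ttl is None:
            findings.append((line, "review", f"{name}() TTL '{args[3]}' is not a constant expression"))
        elif ttl > MEMCACHE_MAX_RELATIVE_TTL:
            findings.append((line, "error", f"{name}() TTL {ttl}s exceeds 30 days and is read as a Unix timestamp"))
    return findings
```

Note the boundary: `MONTH_IN_SECONDS` is exactly 2592000 and is still a relative expiry; only values strictly above it flip to timestamp semantics, which is why the check uses `>` rather than `>=`.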
Though I hate to admit it, this check actually came from personal experience: I needed to add some additional escaping per WordPress.com VIP's feedback, but I ended up with something...
The scanner can run a query to find posts with the highest number of meta values, and flag any that cross a specified threshold. This would prevent posts with enormous...
Prevents code that exists in comments from getting flagged for being invalid (also refs #18). **Use case:**

```php
// Don't use eval() because WordPress.com VIP will be a sad...
```
The return value of functions that output should generally not be used. Things like:

```
echo bloginfo( 'name' );
echo the_title();
echo wp_title();
echo esc_html( printf( ... ) );
echo...
```
Detect use of $wpdb methods to perform direct database queries (query, get_results, get_row, get_var, get_col) without matching caching calls.
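The three issues above (code in comments must not be flagged, output functions used as values, `$wpdb` queries without caching) share one prerequisite: the checks have to run on comment-stripped source, or the `eval()` in the use case above gets reported. The added example below, written in Python and not taken from the vip-scanner project, is a small comment stripper that keeps line numbers intact and leaves string literals alone, followed by the two checks run over it. The PHP sample is constructed here; the list of echoing functions and the "enclosing function must contain a cache call" heuristic are assumptions about how such checks would be scoped.

```python
import re

# Constructed sample (not real plugin code) exercising all three checks.
SAMPLE_PHP = r'''<?php
// Don't use eval() because WordPress.com VIP will be a sad panda.
/* $wpdb->query( "DROP TABLE wp_posts" ); is also just a comment */
$slogan = "the_title() inside a string is not a call";
echo bloginfo( 'name' );
echo esc_html( printf( '%s', $x ) );
function cached_counts( $wpdb ) {
    $counts = wp_cache_get( 'counts', 'stats' );
    if ( false === $counts ) {
        $counts = $wpdb->get_results( "SELECT post_type, COUNT(*) FROM wp_posts GROUP BY post_type" );
        wp_cache_set( 'counts', $counts, 'stats', HOUR_IN_SECONDS );
    }
    return $counts;
}
function uncached_count( $wpdb ) {
    return $wpdb->get_var( "SELECT COUNT(*) FROM wp_posts" );
}
'''


def strip_php_comments(source):
    """Blank out //, # and /* */ comments but keep newlines (line numbers
    survive) and copy quoted strings verbatim so a '//' inside a URL literal
    does not eat the line.  Heredocs and '?>' inside comments: not handled."""
    out, i, n = [], 0, len(source)
    while i < n:
        ch = source[i]
        if ch in "'\"":                                    # string literal
            j = i + 1
            while j < n and source[j] != ch:
                j += 2 if source[j] == "\\" else 1         # skip escaped char
            out.append(source[i:j + 1])
            i = j + 1
        elif source.startswith("/*", i):                   # block comment
            end = source.find("*/", i + 2)
            j = n if end < 0 else end + 2
            out.append(re.sub(r"[^\n]", " ", source[i:j]))
            i = j
        elif source.startswith("//", i) or ch == "#":      # line comment
            end = source.find("\n", i)
            j = n if end < 0 else end
            out.append(" " * (j - i))
            i = j
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def line_of(source, pos):
    return source.count("\n", 0, pos) + 1


# WordPress functions that echo (by default) instead of returning.
OUTPUT_FUNCS = ("bloginfo", "the_title", "the_content", "the_excerpt",
                "the_permalink", "the_ID", "wp_title", "printf")
# One of them right after echo/print/return/=/(/,/. is being used as a value.
VALUE_CONTEXT = re.compile(
    r"(?:\becho|\bprint|\breturn|=|\(|,|\.)\s*(" + "|".join(OUTPUT_FUNCS) + r")\s*\(")
WPDB_DIRECT = re.compile(r"\$wpdb\s*->\s*(query|get_results|get_row|get_var|get_col)\s*\(")
CACHE_CALLS = re.compile(r"\b(wp_cache_get|wp_cache_set|wp_cache_add|get_transient|set_transient)\s*\(")
FUNC_START = re.compile(r"\bfunction\s+\w+\s*\([^)]*\)\s*\{")


def enclosing_function(source, pos):
    """Body of the named function containing pos, or the whole file when the
    query sits at top level (closures are not recognised: a known limit)."""
    for m in FUNC_START.finditer(source):
        start = m.end()                      # just past the opening brace
        if start > pos:
            break
        depth, i = 1, start
        while i < len(source) and depth:
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        if pos < i:
            return source[start:i]
    return source


def find_eval(source):
    return [line_of(source, m.start()) for m in re.finditer(r"\beval\s*\(", source)]


def check_output_return_values(source):
    return [(line_of(source, m.start(1)), f"return value of {m.group(1)}() is used")
            for m in VALUE_CONTEXT.finditer(source)]


def check_uncached_queries(source):
    """Flag $wpdb->query/get_* calls whose enclosing function never touches
    the object cache or transients."""
    findings = []
    for m in WPDB_DIRECT.finditer(source):
        if not CACHE_CALLS.search(enclosing_function(source, m.start())):
            findings.append((line_of(source, m.start()), f"$wpdb->{m.group(1)}() without caching"))
    return findings


def scan(source):
    clean = strip_php_comments(source)
    return {"eval": find_eval(clean),
            "output_return": check_output_return_values(clean),
            "uncached_query": check_uncached_queries(clean)}
```

Running `find_eval` on the raw sample reports line 2 (the comment); running `scan` reports nothing for `eval`, flags lines 5 and 6 for the echoing functions, and flags only `uncached_count()` at line 16, since `cached_counts()` wraps its query in `wp_cache_get()`/`wp_cache_set()`. Scoping the cache check to the enclosing function is a heuristic: a helper that caches elsewhere would still be flagged, which is the conservative direction for a scanner.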