WordPress plugin development and secure coding (slides). 2011-08-27 (8/31), WordBeach Nagoya, WordBench.
Speaker: author of the WordPress plugins Ktai Style and Ktai Entry (18 years in the field, 18 years on the Mac). http://www.yuriko.net/ @lilyfanjp
Topic: writing WordPress plugins in PHP, and writing them securely.

How a WordPress plugin works
Every theme prints a post body through the_content() (wp-includes/post-template.php). The call to apply_filters('the_content', ...) is the hook a plugin attaches to; the str_replace() afterwards escapes the CDATA terminator so the page stays well-formed:

    function the_content($more_link_text = null, $stripteaser = 0, $more_file = '') {
        $content = get_the_content($more_link_text, $stripteaser, $more_file);
        $content = apply_filters('the_content', $content);   // plugins hook in here
        $content = str_replace(']]>', ']]&gt;', $content);
        echo $content;
    }

A filter that removes every <del>...</del> element (plus trailing whitespace) from the post body before it is printed:

    function strip_del($content) {
        $content = preg_replace('#<del[^>]*>.*?</del>\\s*#s', '', $content);
        return $content;
    }
    add_filter('the_content', 'strip_del');
That filter is the whole of the "Delete Del" plugin.
Where to look things up: the Japanese Codex at http://wpdocs.sourceforge.jp/ (function reference and the _API/ pages), and the core source itself: wp-includes/post.php, wp-includes/post-template.php, wp-includes/pluggable.php.
Writing the PHP file: save it as UTF-8 without a BOM, with LF line endings (not CRLF). Suitable editors: EmEditor, PSPad, ... (Windows); ...app, Jedit, CotEditor, SubEthaEdit, ... (Mac); vi and Emacs are fine too.
The plugin header WordPress reads from the top of the file:

    /*
    Plugin Name:
    Plugin URI:
    Description:
    Version: (x.y.z)
    Author:
    Author URI:
    */
The complete Delete Del plugin, header plus filter:

    <?php
    /*
    Plugin Name: Delete Del
    Version: 0.7.0
    Author: IKEDA Yuriko
    */

    // Remove every <del>...</del> element (and trailing whitespace) from the post body.
    function strip_del($content) {
        $content = preg_replace('#<del[^>]*>.*?</del>\\s*#s', '', $content);
        return $content;
    }
    add_filter('the_content', 'strip_del');
Installing: one PHP file is enough for a plugin; drop it into the WordPress plugin directory (wp-...).
Publishing: the official directory is http://wordpress.org/extend/plugins/ ; write a README and commit with Subversion. See also the Developer Center.
Data validation: input from outside is never trusted, whether it ends up in HTML, SQL, a file path or an HTTP header. Codex: http://wpdocs.sourceforge.jp/data_validation . The classic failure is XSS, but it is not the only one:

  - XSS (Cross Site Scripting): unescaped data printed into HTML.
  - CSRF (Cross Site Request Forgery): forms and actions that can be triggered from another site. Protect them with wp_nonce_field() in the form and check_admin_referer() in the handler.
  - SQL injection: build every query with $wpdb->prepare(). Do not addslashes() $_GET, $_POST, $_SESSION values yourself; WordPress already runs addslashes() over the request superglobals, and prepare() does its own escaping.
  - Directory traversal: a path built from input can reach wp-config.php or OS files such as /etc/hosts through ../ components. Check paths with validate_file().
  - HTTP header injection: CR/LF in a value passed to header() adds extra headers (PHP 4.4.2+ / 5.1.2+ refuse to send more than one header per header() call, but do not rely on that). Use wp_redirect() or, better, wp_safe_redirect().
Ask of every input: is it a number? a string? a URL? an e-mail address? a file path? Then check exactly that, and stop with wp_die() when the check fails:

    $count = intval($count);

    if (!is_string($_POST['fullname'])) {
        wp_die('fullname must be a string');
    }

    $link = esc_url_raw($link);          // storage form of a URL; empty for disallowed schemes

    if (!is_email($addr)) {
        wp_die('invalid e-mail address');
    }

    // validate_file() returns a code, not a cleaned path: 0 is ok, 1 means '..' or './' present
    if (validate_file($_POST['path']) !== 0) {
        wp_die('invalid path');
    }
Output: escape for the context the value lands in. Never echo $_GET['fullname'] as is. Use intval() for numbers, esc_html() for HTML text, esc_attr() for attribute values, esc_url() for URLs, esc_js() for JavaScript string literals.

HTML output, each placeholder escaped for its own context:

    printf('<a href="%s" title="%s">%s</a>', esc_url($url), esc_attr($title), esc_html($link));

SQL output through placeholders, with the table name taken from $wpdb->prefix rather than from input:

    $sql = $wpdb->prepare("SELECT * FROM `{$wpdb->prefix}ktaisession` WHERE sid = %s", $sid);
    $result = $wpdb->get_row($sql);
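The pieces above are easiest to see working together. The following single-file plugin is an added example written for this page, not the speaker's code: one options form that applies the nonce check, per-type validation, prepared SQL, a safe redirect and context-aware escaping in order. It assumes WordPress is loaded and that a hypothetical table {$wpdb->prefix}sfe_entries with columns id, fullname, addr, link and count already exists; all sfe_ names are invented.

```php
<?php
/*
Plugin Name: Secure Form Example
Description: Added example for the WordBeach talk, not the speaker's plugin.
*/
// Assumes WordPress is loaded and the hypothetical table
// {$wpdb->prefix}sfe_entries(id, fullname, addr, link, count) exists.

add_action( 'admin_menu', 'sfe_add_menu' );
function sfe_add_menu() {
    add_options_page( 'Secure Form', 'Secure Form', 'manage_options', 'sfe', 'sfe_page' );
}

// Process the POST on admin_init, before any output, so the redirect can still send headers.
add_action( 'admin_init', 'sfe_handle_post' );
function sfe_handle_post() {
    if ( ! isset( $_POST['sfe_submit'] ) ) {
        return;
    }
    // Authorization first, then CSRF: check_admin_referer() calls wp_die() unless the
    // _wpnonce field emitted by wp_nonce_field( 'sfe_save' ) verifies for this user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to do this.' );
    }
    check_admin_referer( 'sfe_save' );

    // Validate each field against the type you expect; reject rather than repair.
    $count = isset( $_POST['count'] ) ? intval( $_POST['count'] ) : 0;
    if ( $count < 1 || $count > 100 ) {
        wp_die( 'count must be a number from 1 to 100.' );
    }
    if ( ! isset( $_POST['fullname'] ) || ! is_string( $_POST['fullname'] ) ) {
        wp_die( 'fullname is required.' ); // an array in $_POST is not a string
    }
    // WordPress has already run addslashes() over $_POST; undo that once here.
    // $wpdb->prepare() below does its own escaping.
    $fullname = sanitize_text_field( stripslashes( $_POST['fullname'] ) );
    $addr = isset( $_POST['addr'] ) ? stripslashes( $_POST['addr'] ) : '';
    if ( ! is_email( $addr ) ) {
        wp_die( 'addr is not a valid e-mail address.' );
    }
    // esc_url_raw() gives the storage form and returns '' for schemes such as javascript:
    $link = esc_url_raw( isset( $_POST['link'] ) ? stripslashes( $_POST['link'] ) : '' );
    if ( '' === $link ) {
        wp_die( 'link must be an http(s) URL.' );
    }
    // validate_file() returns a code, not a cleaned path: 0 ok, 1 contains '..' or './',
    // 2 starts with a Windows drive letter.
    $path = isset( $_POST['path'] ) ? stripslashes( $_POST['path'] ) : '';
    if ( 0 !== validate_file( $path ) ) {
        wp_die( 'path may not leave the plugin directory.' );
    }

    // Database write through placeholders only; the table name comes from $wpdb->prefix.
    global $wpdb;
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO `{$wpdb->prefix}sfe_entries` (fullname, addr, link, count) VALUES (%s, %s, %s, %d)",
        $fullname, $addr, $link, $count
    ) );

    // wp_safe_redirect(): CR/LF cannot reach header(), and the host is restricted to this site.
    wp_safe_redirect( admin_url( 'options-general.php?page=sfe&sfe_saved=1' ) );
    exit;
}

function sfe_page() {
    global $wpdb;
    echo '<div class="wrap"><h2>Secure Form</h2>';
    if ( isset( $_GET['sfe_saved'] ) ) {
        echo '<p>Saved.</p>'; // fixed string; the $_GET value itself is never echoed
    }
    // Escape on output, per context: esc_url() in href, esc_attr() in attributes,
    // esc_html() in text, intval() for numbers. Stored rows are untrusted as well.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT fullname, addr, link, count FROM `{$wpdb->prefix}sfe_entries` ORDER BY id DESC LIMIT %d", 10 ) );
    foreach ( (array) $rows as $row ) {
        printf( '<p><a href="%s" title="%s">%s</a> &lt;%s&gt; &times;%d</p>',
            esc_url( $row->link ), esc_attr( $row->fullname ), esc_html( $row->fullname ),
            esc_html( $row->addr ), intval( $row->count ) );
    }
    echo '<form method="post">';
    wp_nonce_field( 'sfe_save' ); // emits the hidden _wpnonce and _wp_http_referer fields
    echo '<p>Name <input type="text" name="fullname"> E-mail <input type="text" name="addr"></p>';
    echo '<p>Link <input type="text" name="link"> Path <input type="text" name="path"> Count <input type="text" name="count"></p>';
    echo '<p><input type="submit" name="sfe_submit" class="button-primary" value="Save"></p>';
    echo '</form></div>';
}
```

Save it as one file in the plugin directory and activate it. The order inside sfe_handle_post() matters: the capability check and check_admin_referer() run before any input is looked at, and the redirect happens before any HTML is printed, which is why the handler is hooked on admin_init rather than run from inside sfe_page().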
What can you trust from WordPress itself? Content printed through the_content has already passed the filters that default-filters.php attaches to the_content. Raw request data such as $_GET and $_SERVER has had nothing done to it beyond the addslashes() mentioned above, so it still needs every check listed here.
Testing: feed your plugin inputs that break HTML, URLs, SQL and e-mail parsing, and look at what comes out.

  - Control character: 0x17
  - HTML: <s> </s> and <script>alert();</script>
  - URL: javascript:alert();
  - SQL: ' OR 1=1;
  - E-mail: -_-.@example.com and "i,yuriko"@example.jp
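A small command-line smoke test is the practical way to run that list. The script below is an added example written for this page, not the speaker's code: it loads WordPress, pushes each constructed input through the escaping and validation functions named in the talk and through the Delete Del filter, and prints the results with a hex dump so control bytes stay visible. It assumes it is saved in the WordPress root next to wp-load.php (file name and location are assumptions), and it adds a couple of inputs of its own (an upper-case <DEL>, a URL with an ampersand, several paths) to show edge behaviour of the same functions.

```php
<?php
// Added smoke test (not from the talk). Run from the WordPress root:
//   php test-inputs.php
// The wp-load.php location and this file name are assumptions.
require dirname( __FILE__ ) . '/wp-load.php';

// strip_del() as defined in the Delete Del plugin; declared here only if the plugin is inactive.
if ( ! function_exists( 'strip_del' ) ) {
    function strip_del( $content ) {
        return preg_replace( '#<del[^>]*>.*?</del>\\s*#s', '', $content );
    }
}

// Constructed test inputs, taken from the talk's list plus a few extra cases.
$html_inputs = array(
    "ctrl\x17char",               // 0x17 control byte
    '<s>struck</s>',
    '<script>alert();</script>',
    '<del>gone</del> kept',
    '<DEL>upper</DEL> kept',      // extra: the regex is case-sensitive, so this survives strip_del()
);
$url_inputs   = array( 'javascript:alert();', 'http://example.com/?a=1&b=<x>' );
$sql_inputs   = array( "' OR 1=1;" );
$email_inputs = array( '-_-.@example.com', '"i,yuriko"@example.jp' );
$path_inputs  = array( '../wp-config.php', '../../etc/hosts', 'C:boot.ini', 'safe/file.txt' );

// Print a label, the value, and its hex form so invisible bytes can be seen.
function show( $label, $value ) {
    printf( "%-14s %s  [hex %s]\n", $label, $value, bin2hex( $value ) );
}

foreach ( $html_inputs as $in ) {
    echo "--- HTML input: ", bin2hex( $in ), "\n";
    show( 'esc_html', esc_html( $in ) );
    show( 'esc_attr', esc_attr( $in ) );
    show( 'esc_js', esc_js( $in ) );
    show( 'strip_del', strip_del( $in ) );
}

foreach ( $url_inputs as $in ) {
    echo "--- URL input: $in\n";
    show( 'esc_url', esc_url( $in ) );          // disallowed scheme comes back as ''
    show( 'esc_url_raw', esc_url_raw( $in ) );  // storage form, no &amp; encoding
}

global $wpdb;
foreach ( $sql_inputs as $in ) {
    echo "--- SQL input: $in\n";
    // Same query as the talk's prepare() example; the quote is escaped, the query stays one WHERE.
    show( 'prepare', $wpdb->prepare( "SELECT * FROM `{$wpdb->prefix}ktaisession` WHERE sid = %s", $in ) );
}

foreach ( $email_inputs as $in ) {
    echo "--- e-mail: $in\n";
    show( 'is_email', var_export( is_email( $in ), true ) );
}

foreach ( $path_inputs as $in ) {
    echo "--- path: $in\n";
    show( 'validate_file', validate_file( $in ) ); // 0 ok, 1 contains '..' or './', 2 drive letter
}
```

Read the output rather than trusting the function names: the two e-mail addresses from the talk are exactly the kind of case where is_email() and the RFC disagree, and the upper-case <DEL> shows why a regex-based filter needs the i modifier if it is meant to catch every variant.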
Test on both Windows and UNIX, since path and line-ending behaviour differ. On Windows, WebMatrix gives a quick local stack; on a Mac, use Boot Camp or VirtualBox to run Windows.
Slides: http://www.yuriko.net/tag/slides/   Event: http://wordbeach.org/