WordPress Ktai Style Ktai Entry 18 Mac 18

WORDPRESS 2011 8 27 (8 31 ) WordBeach Nagoya WordBench

WordPress Ktai Style Ktai Entry 18 Mac 18 http://www.yuriko.net/ @lilyfanjp

PHP WordPress ( )

WordPress

function the_content($more_link_text=null,$stripteaser=0, $more_file='') { } $content = get_the_content($more_link_text, $stripteaser, $more_file); $content = apply_filters('the_content', $content); $content = str_replace(']]>', ']]>', $content); echo $content; function strip_del($content) { } $content = preg_replace('#<del[^>]*>.*?</del>\\s*#s', '', $content); return $content; add_filter('the_content', 'strip_del');

Delete Del

Codex http://wpdocs.sourceforge.jp/ _API/ http://wpdocs.sourceforge.jp/ _API/ wp- includes/post.php wp- includes/post- template.php wp- includes/pluggable.php

PHP PHP UTF- 8 BOM LF (CRLF ) EmEditor, PSPad,,....app, Jedit, CotEditor, SubEthaEdit,... vi, Emacs OK

/*! Plugin Name: Plugin URI: Description: Version: (x.y.z) Author: Author URI: */!

/* Plugin Name: Delete Del Version: 0.7.0 Author: IKEDA Yuriko */ function strip_del($content) { } $content = preg_replace('#<del[^>]*>.*?</del>\\s*#s', '', $content); return $content; add_filter('the_content', 'strip_del');

( ) 1 WordPress wp-

http://wordpress.org/extend/plugins/ README Subversion

Developer Center

HTML Codex http://wpdocs.sourceforge.jp/data_validation XSS

XSS Cross Site Scripting

CSRF Cross Site Request Forgeries wp_nonce nonce_field(), check_admin_referer()

SQL SQL $wpdb->prepare()! $_GET, $_POST, $_SESSION addslashes()!

wp- config.php OS /etc/hosts../ validate_file()

HTTP HTTP CRLF header() (PHP 4.4.2+, 5.1.2+) wp_redirect(), wp_safe_redirect()

?? URL??? $count = intval($count);! if (!is_string($_post['fullname']) ) { wp_die(' '); }! $link= esc_url_raw($link);! if (!is_email($addr) ) { wp_die(' '); }! $path = validate_file($_post['path']);

XSS echo $_GET['fullname']! intval():! esc_html(): HTML! esc_attr():! esc_url(): URL! esc_js():!

HTML printf('<a href="%s" title="%s">%s</a>', esc_url($url), esc_attr($title), esc_html($link));!

SQL $sql = $wpdb->prepare("select * FROM `{$wpdb->prefix}ktaisession` WHERE sid = %s", $sid);! $result = $wpdb->get_row($sql);!

WordPress WordPress : the_content HTML default- filters.php the_content $_GET,$_SERVER

??? HTML SQL

0x17 HTML <s> </s>! <script>alert();</script>! URL javascript:alert(); SQL ' OR 1=1;! -_-.@example.com! "i,yuriko"@example.jp!

Windows UNIX Windows WebMatrix Mac Boot Camp Virtualbox

http://www.yuriko.net/tag/slides/ http://wordbeach.org/