12 comments on “Where Redux Went

  1. A “Reflected” XSS hole is the most commonplace one. This sort of attack happens when you take input from the user, and spit it back out into the resulting page without sanitizing it first. In other words, if I can put in HTML, and have that HTML sent back to me in the HTML page, then you have a reflected XSS hole.

    A “persistent” XSS hole is much the same, but it’s where the data is stored in the database instead. An example of this would be somebody leaving a comment, and putting a script tag in there.

    The reason this is bad is because now I have the ability to trick somebody else into running arbitrary HTML within the context of your website. In other words, I can build a special link to your site, trick you into clicking on it somehow, and then have it run my javascript on your site. I can use this to have it send me your cookies, and thus I can become you. Or I can use it to have you perform actions on your site, and automatically add spam to your posts. Or whatever I want, because once I have my script running in the context of your website and *in your browser* then I essentially am “you” and can do anything you can do.

    The solution: Never, ever, trust user input. Sanitize it. If you want them to be able to input HTML, then that’s fine. But you don’t instantly spit that HTML back out to them without sanitizing it. If it’s supposed to be in a textarea for them to edit, then you must use esc_textarea on it before outputting it. If it’s supposed to be displayed on the page, then you use esc_html on it. If you don’t really need them to be able to use “arbitrary” HTML, then you can run it through kses to limit the sort of HTML they can use, in the same way that this comments box only allows a small number of tags to be used. At an absolute minimum, you never allow them to input scripts.

    • I feel a bit like a celebrity just posted on my site! Anyway, I have a question for you, since you are here and all. Should I be sanitizing before the database commit, when displaying, or both? I feel like it’s a bit wasteful to sanitize in and out. I was thinking on display only since it’s possible the database was compromised some other way. But at the same time, I don’t want to be the one compromising it, so maybe I should do both! Argh! I complicate my own questions. Anyway, your thoughts?

  2. i love this plugin, currently using it from the wordpress plugin site, is it secure now? Also, if you could add controls for background color and text, this would be perfect. Thank you

    • art, thank you! Redux has been secured and I have received no notification of anything to the contrary. I resolved all known security risks and a few unknown ones at the same time. Redux offers and option for custom css, you can use that to change the background color to anything you can imagine! If you need help experimenting post more specifics and I will assist when I have a chance.

Leave a Reply

Your email address will not be published. Required fields are marked *