Seravo / wp-simple-header-footer-html

Safe way to add custom header and footer contents in WordPress
GNU General Public License v3.0

Sanitizing #2

Closed samikeijonen closed 10 years ago

samikeijonen commented 10 years ago

Should there be some kind of sanitizing and validation? Now a user (or hacker) can put any evil script in the site. Or am I missing something?

anttiviljami commented 10 years ago

Hi, Sami!

Thanks for your feedback!

This plugin is meant to be used solely by the administrator of the site, who presumably has full access to the theme anyway.

Please see that the plugin option page is only available to users of the 'administrator' role.

simple-header-footer-html.php row 72:

add_options_page(__('Simple Header Footer HTML', 'seravo-inject-html'), __('Header Footer HTML', 'seravo-inject-html'), 'administrator', __FILE__, 'seravo_build_settings_page', plugins_url('/images/icon.png', __FILE__));

We see this as a non-issue. One of the main uses we see people using this plugin is exactly to inject javascript as if it was directly placed into the theme template, where any script can be placed.

Cheers! Antti

samikeijonen commented 10 years ago

Ah, ok. But remember that most administrators do not have any idea what they are doing, they are just regular users :)

ottok commented 10 years ago

This plugin was custom made due to popular customer demand. So it is needed, at least for our customers, and it has proven to work well for the need. But anyway, thanks for your feedback and hope to read more later!

See https://github.com/Seravo/ for all (or most) of our published code. Repos named wp-* are WordPress plugins or tools.

samikeijonen commented 10 years ago

Yes, I have been checking them and the code. Looking good. And don't get me wrong, it's a good thing you are publishing plugins here and on wordpress.org. I'm not even sure if there is a function for escaping CSS or JS in WordPress. There is esc_js but not esc_css. I wonder whether Jetpack does anything in their custom CSS module.
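A defensive variant of the pattern discussed in this thread, added here as an example and not code from the Seravo plugin: gate the settings page on a capability rather than the 'administrator' role name, and run the saved markup through a Settings API sanitize callback that stores raw HTML only for users holding WordPress's 'unfiltered_html' capability, falling back to wp_kses_post() for everyone else. All option, group and function names are hypothetical.

```php
<?php
// Added example, not the Seravo plugin's code: all names below are hypothetical.
const EXAMPLE_HEADER_HTML_OPTION = 'example_header_html';

// Sanitize callback run by the Settings API each time the option is saved.
function example_sanitize_header_html( $input ) {
    $input = (string) $input;
    // Single-site administrators hold 'unfiltered_html' unless
    // DISALLOW_UNFILTERED_HTML is set; on multisite only super admins do.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $input;
    }
    // Everyone else: strip <script>, on* handlers and other disallowed markup.
    return wp_kses_post( $input );
}

add_action( 'admin_init', function () {
    register_setting( 'example_header_html_group', EXAMPLE_HEADER_HTML_OPTION, array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_header_html',
        'default'           => '',
    ) );
} );

// Gate the page on a capability ('manage_options'), not on a role name.
add_action( 'admin_menu', function () {
    add_options_page( 'Header HTML', 'Header HTML', 'manage_options',
        'example-header-html', 'example_render_settings_page' );
} );

function example_render_settings_page() {
    ?>
    <div class="wrap"><h1>Header HTML</h1>
    <form method="post" action="options.php">
        <?php settings_fields( 'example_header_html_group' ); // nonce + option_page ?>
        <textarea name="<?php echo esc_attr( EXAMPLE_HEADER_HTML_OPTION ); ?>" rows="8" cols="80"><?php
            echo esc_textarea( get_option( EXAMPLE_HEADER_HTML_OPTION, '' ) ); ?></textarea>
        <?php submit_button(); ?>
    </form></div>
    <?php
}

// Output is intentionally unescaped: the stored value was filtered on save.
add_action( 'wp_head', function () {
    echo get_option( EXAMPLE_HEADER_HTML_OPTION, '' );
} );
```

options.php verifies the nonce emitted by settings_fields() and the page capability before update_option() triggers the sanitize callback, so the filtering happens at save time and cannot be bypassed by posting directly to the handler.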