Nick Daugherty is WordPress.com VIP Lead Engineer. Here he explains why escaping, done late and done everywhere, matters for the security of WordPress sites.
If there’s one issue we flag more often than all others in code reviews…it’s escaping.
For starters, we should all agree that escaping output (together with its input-side counterpart, sanitizing input) is a critical aspect of web application security. What may be less universally agreed upon is where to escape. On that point, we require “late escaping”, that is, escaping as close as possible to the point of output, using the escaping function that matches the output context (HTML text, attribute, URL, and so on). Further, we now require it everywhere, always.
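The following is an added example, not code from the original post or from WordPress.com VIP, contrasting early escaping with late escaping in a WordPress template helper. It assumes WordPress core is loaded so that `esc_html()`, `esc_attr()`, `esc_url()` and `apply_filters()` exist; the `vip_example_*` function names, the filter name and the sample values are assumptions made for illustration.

```php
<?php
/**
 * Added example (not from the original post). Assumes WordPress core is
 * loaded so esc_html(), esc_attr(), esc_url() and apply_filters() exist.
 * The vip_example_* names, the 'vip_example_title' filter and the sample
 * values below are assumptions for illustration only.
 */

// Early escaping: the value is escaped once and then passed around. Anything
// that touches $title afterwards (a filter, string concatenation, a later
// edit by another developer) can reintroduce unescaped data, and a reviewer
// looking at the return line alone cannot tell whether the value is safe.
// The URL, meanwhile, is never escaped at all.
function vip_example_early_escape( $raw_title, $raw_url ) {
    $title = esc_html( $raw_title );
    // Whatever a filter callback returns is no longer guaranteed to be escaped.
    $title = apply_filters( 'vip_example_title', $title );
    return '<a href="' . $raw_url . '">' . $title . '</a>';
}

// Late escaping: every dynamic value is escaped on the line where it is
// output, with the function that matches its context. A reviewer can verify
// each output expression locally, without tracing where the value came from.
function vip_example_late_escape( $raw_title, $raw_url ) {
    $title = apply_filters( 'vip_example_title', $raw_title );
    // esc_url() returns an empty string for a URL whose scheme is not in the
    // allowed list (javascript: is not), so the href cannot carry a script.
    // esc_html() entity-encodes <, >, &, " and ' so tags become inert text.
    return '<a href="' . esc_url( $raw_url ) . '">' . esc_html( $title ) . '</a>';
}

// Context matters: esc_html() is not the right function inside an attribute
// value, and esc_attr() is not the right function for a URL. Attribute context:
function vip_example_attribute( $raw_label ) {
    return '<input type="text" placeholder="' . esc_attr( $raw_label ) . '">';
}

// Constructed sample input (not real data): a title carrying an inline script
// and a javascript: URL, the shape a stored-XSS payload typically takes.
$sample_title = '<script>alert(1)</script>Hello';
$sample_url   = 'javascript:alert(1)';

echo vip_example_early_escape( $sample_title, $sample_url ), "\n";
echo vip_example_late_escape( $sample_title, $sample_url ), "\n";
echo vip_example_attribute( 'Say "hi" <here>' ), "\n";
```

The point of the second function is not only that it escapes, but that each `esc_*()` call sits on the same line as the output it protects, so a code reviewer (or a linter) can check every output expression in isolation. Escaping earlier, as in the first function, leaves a gap between the escape and the output in which the data can change, and it hides which values on the output line have been handled.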
You may now be thinking:
“Do I really need to ‘late escape’ everything? Always? Even core WordPress functions?”
We hear you. And, here’s why this is important to us:
In addition to some automated scanning, we manually review every line of code our VIP customers commit to the VIP platform. And…