Andrew Nacin
5,143 followers
WordPress Lead Developer

Post has attachment
The future is now.

Post has shared content

On Saturday at WordCamp Portland, I'll be presenting on the WP Query API. Despite being leveraged by most theme and plugin developers, few understand how or why it works. Many use it incorrectly or inefficiently, or are simply missing out on many of its awesome features, hooks, and flags.

I'll be walking through the API, how it works, and the things that scare most developers away (but shouldn't). Given how important this API is, the club shouldn't be nearly as exclusive.

My questions for you: What's something you don't know or fully understand and want to hear more of? And what's something you do know that you think would be great for this talk?

Post has shared content
This is bogus, as usual. Folks, this isn't rocket science: Administrators and editors are allowed to post unfiltered HTML in titles and content. It's been like that for years. Nothing has suddenly changed.

This is a weekly occurrence -- someone supposedly knowledgeable about web security publishes a blatantly obvious "How did they miss that?" security vulnerability without doing any testing or research. Everyone believes them and no one searches Google first.

<script>alert(1)</script>? Really? I mean, come on. Yeah, you're right, we totally missed that one. :-)
Important: XSS hole in WordPress 3.2.1

Blogs with several (guest) authors are affected by the vulnerability. To exploit the hole, it is enough to leave a script tag in the article title (see screenshot). The bug is reproducible. As an example: http://32.wpcoder.de/4/descendingalert1/

As a quick bugfix, a change in the file /wp-includes/post-template.php at line #52 is enough for now.

Before:
echo $title;

After:
echo wp_strip_all_tags($title);

Not the most elegant solution, but it does the job. You could secure further places as well, but this is the most relevant one.
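An added illustration of the point Nacin makes above; it is not WordPress's own code and not from either post. WordPress applies its HTML filters at save time only for users who lack the `unfiltered_html` capability, which administrators and editors hold by default, so a script tag in a title written by one of them is permitted behaviour rather than a hole, while a contributor's title is reduced to an allowlist before it is stored. The role-to-capability map below assumes a default single-site install with no plugins altering it, `kses_like_filter()` is a deliberately small stand-in for wp_kses() rather than its real allowlist or logic, and the sample titles are constructed. The last function shows what the blanket output-side strip proposed in the shared post does to legitimate markup.

```php
<?php
declare(strict_types=1);

// Illustration only: models WordPress's capability-gated filtering of post
// titles. Role and capability names match WordPress; the filter itself is a
// simplified stand-in for wp_kses(), not the real implementation.

// Roles that carry unfiltered_html on a default single-site install
// (assumption: no plugin or multisite rules changing the role map).
const ROLES_WITH_UNFILTERED_HTML = ['administrator', 'editor'];

// Tags a lower-privileged user may keep in a title. A stand-in for the
// $allowedtags list used by wp_filter_kses(), not the real list.
const ALLOWED_TITLE_TAGS = ['a', 'b', 'strong', 'em', 'i', 'abbr', 'code'];

function user_can_unfiltered_html(string $role): bool
{
    return in_array($role, ROLES_WITH_UNFILTERED_HTML, true);
}

// Minimal allowlist filter: drop disallowed elements (keeping their text,
// as kses does), and on allowed elements drop every attribute except an
// http(s) href on <a>.
function kses_like_filter(string $html): string
{
    $allowed = '<' . implode('><', ALLOWED_TITLE_TAGS) . '>';
    // strip_tags() removes disallowed tags but leaves attributes on the
    // tags it keeps, so those are handled by the callback below.
    $html = strip_tags($html, $allowed);
    return preg_replace_callback(
        '/<(\w+)([^>]*)>/',
        function (array $m): string {
            $tag = strtolower($m[1]);
            if ($tag === 'a' && preg_match('/\bhref\s*=\s*"(https?:\/\/[^"]*)"/i', $m[2], $h)) {
                return '<a href="' . htmlspecialchars($h[1], ENT_QUOTES) . '">';
            }
            return '<' . $tag . '>';
        },
        $html
    );
}

// Equivalent of the title_save_pre hook: filter only when the author lacks
// the capability. Trusted roles keep raw HTML by design.
function save_title(string $raw_title, string $author_role): string
{
    if (user_can_unfiltered_html($author_role)) {
        return $raw_title;
    }
    return kses_like_filter($raw_title);
}

// The hotfix from the shared post: strip every tag at output time.
// strip_tags() stands in for wp_strip_all_tags().
function render_title_with_hotfix(string $stored_title): string
{
    return strip_tags($stored_title);
}

// Constructed sample titles: one legitimate use of markup by an
// administrator, two contributor titles carrying script and event handlers.
$cases = [
    ['role' => 'administrator', 'title' => 'Release <em>3.2.1</em> is out'],
    ['role' => 'contributor',   'title' => 'Hello <script>alert(1)</script> world'],
    ['role' => 'contributor',   'title' => '<a href="https://example.com" onclick="alert(1)">link</a>'],
];

foreach ($cases as $c) {
    $stored = save_title($c['title'], $c['role']);
    printf("%-13s stored: %s\n", $c['role'], $stored);
    printf("%-13s hotfix: %s\n\n", '', render_title_with_hotfix($stored));
}
```

Run it with `php` on the command line. The administrator's `<em>` survives storage because that role is trusted, and the output-side hotfix is what destroys it; the contributor's script tag and `onclick` never reach the database in the first place, which is where WordPress makes the trust decision.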

Me: "Do you have sauerkraut?"
Him: "Yes."
Me: "Do you have --"
Him: "Cooked onions?"
Me: "Yep!"
Him: "So you're from New York?"

I present my new favorite half smoke/hot dog street vendor.

Post has attachment
The future of WordPress: Q&A with founder Matt Mullenweg

Post has attachment
Last night's Fireworks on the National Mall
