Changeset 379407

Timestamp:

05/01/2011 07:30:20 AM (15 years ago)

Author:

ldebrouwer

Message:

Added support for detecting javascript in the plugin headers

Location:

wp-plugin-security-check/trunk

Files:

• readme.txt (modified) (2 diffs)
• wp-plugin-security-check.php (modified) (4 diffs)

wp-plugin-security-check/trunk/readme.txt

@@ -5 +5 @@
 Requires at least: 3.1
 Tested up to: 3.1.1
-Stable tag: 0.3
+Stable tag: 0.4
 
 WP Plugin Security Check checks if your WordPress plugins are 'safe'.
@@ -31 +31 @@
 == Changelog ==
 
+= 0.4 =
+* Added support for detecting javascript in the plugin headers.
+* Squashed a minor bug. Thanks to Julio Potier.
+
 = 0.3 =
 * Added another way to check for image files to reduce the number of false positives.

wp-plugin-security-check/trunk/wp-plugin-security-check.php

@@ -4 +4 @@
  * Plugin URI: http://www.lucdebrouwer.nl/wordpress-plugin-wp-plugin-security-check/
  * Description: WP Plugin Security Check checks if your WordPress plugins are 'safe'.
- * Version: 0.3
+ * Version: 0.4
  * Author: Luc De Brouwer
  * Author URI: http://www.lucdebrouwer.nl/
@@ -46 +46 @@
         return false;
     }
+}
+
+function LDB_wp_plugin_security_check_data( $plugin ) {
+    $hit = false;
+    foreach( $plugin as $key => $value ){
+        $regexp = '/<script/';
+        if( preg_match_all( $regexp, strtolower( $value ), $matches ) ) {
+            $hit = true;
+        }
+    }
+    return $hit;
 }
 
@@ -160 +171 @@
     $safe = true;
     $class = 'safe';
+    $data_hit = LDB_wp_plugin_security_check_data( $plugins[$plugins_keys[$p]] );
+    if( $data_hit ) {
+        $class = 'unsafe';
+        $hitlist[] = array( array('Javascript detected in plugin headers', 'warning') );
+    }
     for( $f = 0, $fc = count( $plugin_files ); $f < $fc; $f++ ){
         $hit = LDB_wp_plugin_security_check( $plugin_files[$f] );
@@ -177 +193 @@
 ?>
                 <div class="wp_plugin_security_check_plugin <?php if( $safe ){ echo $class; } else { echo $class; }?>">
-                    <h4><?php echo $plugins[$plugins_keys[$p]]['Name']; ?></h4>
+                    <h4><?php echo esc_attr($plugins[$plugins_keys[$p]]['Name']); ?></h4>
 <?php
     if( count( $hitlist ) > 0 ){