
security-white-paper's Introduction

The WordPress Security White Paper

The WordPress Security White Paper is available directly on the WordPress.org site on WordPress.org/about/security. The HTML and PDF versions are available here at WordPress's GitHub repository for any updates and/or additions. If you notice any typos or would like to suggest any changes, please contribute a pull request.

Thank you to all who contributed to the initial release and compilation of the white paper: Barry Abrahamson, Michael Adams, Jon Cave, Helen Hou-Sandí, Dion Hulse, Mo Jangda, and Paul Maiorana.

License

The text in the white paper (not including the WordPress logo or trademark) is licensed under CC0 1.0 Universal (CC0 1.0) Public Domain Dedication. You can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.

Translations

We'd really love to encourage and help share translations of the white paper with the global WordPress community. If you have a translation to contribute, please add it to the WordPress GitHub repo so others can benefit, too. Pull requests welcome!

To translate the white paper, please create a sub-directory of the project under Working Translations, giving it the correct ISO 639 code (for example, pt for Portuguese), and submit a pull request. Once the translation has reached a release (its first full translation), we'll move it to its own subdirectory at the top level, and subsequent updates will happen in that location.

New to GitHub? Community member Japh created this screencast video to show you how to get started with translating the white paper.

security-white-paper's People

Contributors

aaroncampbell, adipop, andywar65, bi0xid, cubells, dd32, deconf, ekajogja, elzette, evelioml, iandunn, japh, medariox, ntwb, obenland, otto42, ounziw, pkevan, rgllm, sararosso, sergeybiryukov, tekapo, xibe


security-white-paper's Issues

Move to Markdown

First of all, thanks for this wonderful document.

I have a proposal: let's move this to Markdown, so it's easier to edit, and Pandoc can also be used to automatically create versions in different formats (PDF, HTML, etc.). What do you think? I can send a PR about this.

Improve section about JavaScript in post content

The most common subject of invalid reports that the security team receives is editors and administrators being able to include JavaScript in post content.

Section A3 - Cross Site Scripting (XSS) mentions this, but only briefly. I think this ought to be moved into its own heading. After all, it's an important security point for people to be aware of.
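The capability behind the reports described above, and the switch a site owner can use to turn it off, as an added example (not code from the white paper or from WordPress core). It assumes WordPress behaviour as in wp-includes/capabilities.php and wp-includes/kses.php of current core; the function names are invented for the example.

```php
<?php
// Added example: what lets administrators and editors store JavaScript in
// post content, and how to disable it site-wide. Function names are invented.

// In wp-config.php. Removes the 'unfiltered_html' capability from every role
// (map_meta_cap() maps it to 'do_not_allow'), so content saved by
// administrators and editors goes through wp_kses_post() like everyone else's.
// On multisite only super admins have the capability by default anyway.
define( 'DISALLOW_UNFILTERED_HTML', true );

// What the capability controls: on save, kses filtering of post content is
// skipped for users who have it, so a <script> element they type is stored
// and served as written. This is a design decision, not a bug.
function example_user_can_post_script( $user_id ) {
    return user_can( $user_id, 'unfiltered_html' );
}

// The filter that users without the capability are subject to: wp_kses_post()
// drops the script element and on* event-handler attributes but keeps the
// post-content allowlist of ordinary markup.
function example_filter_like_unprivileged_user( $html ) {
    // e.g. '<p onclick="x()">hi</p><script>alert(1)</script>' becomes '<p>hi</p>alert(1)'
    // (the disallowed tag is removed; its text content is kept).
    return wp_kses_post( $html );
}
```

Deciding whether a given site should keep `unfiltered_html` for editors is the policy question the issue is asking the white paper to spell out; the constant above is the lever for sites that answer "no".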

Comment by Darren Chaker

The issue is, I found no issues and am thankful this Security White Paper is very specific and easy to implement. Keep up the great work! Best, Darren Chaker

Typo?

"Phase 3: Beta. Betas are released, and beta-testers are asked to start reporting bugs. No more commits for new enhancements or feature requests are carried out from this phase on. Third-party plugin and theme authors are encouraged to test their code against the upcoming changes."
I think something is missing in the selected text.

Edit: I am trying to translate, so maybe the phrase is correct and I do not understand it well.
Thanks!

Ambiguous sentence

Under the A2 - Broken Authentication and Session Management heading is this:

WordPress core software manages user accounts and authentication and details such as the user ID, name, and password are managed on the server-side, as well as the authentication cookies.

I think it is intended to mean this:

WordPress core software manages user accounts and authentication**,** and details such as the user ID, name, and password are managed on the server-side, as are the authentication cookies.

But it could also mean this:

WordPress core software manages user accounts and authentication and details such as the user ID, name, and password on the server-side, as well as the authentication cookies.

Learning

I want to learn the GitHub system and its functions.

Table of Contents

The HTML and PDF generated versions of the security white paper should have a table of contents at the top for each of the h2 headings.

Clarify and/or correct section about SSRF

HTTP requests issued by WordPress are filtered to prevent access to loopback and private IP addresses. Additionally, access is only allowed to certain standard HTTP ports.

I don't believe this is accurate. Port access configuration is outside of the control of WordPress.
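How to check what core actually enforces for the quoted sentence in a given WordPress version, as an added example (not code from the white paper or from WordPress core). It assumes `wp_http_validate_url()` and `wp_safe_remote_get()` behave as in wp-includes/http.php and wp-includes/class-wp-http.php of recent core; the rules summarised in the comments are what core applied at the time of writing, so verify them against the version you run. The function names are invented for the example.

```php
<?php
// Added example: exercising WordPress's outbound-request URL validation from
// plugin code. Function names are invented; core behaviour should be checked
// against your installed version.

// wp_remote_get() performs NO destination checks. wp_safe_remote_get() sets
// 'reject_unsafe_urls' => true, which passes the URL through
// wp_http_validate_url() before any connection is made and registers the same
// check for redirect targets.
function example_fetch_untrusted_url( $url ) {
    // Drop javascript:, ftp:, data: etc. before the HTTP layer sees the URL.
    $url = esc_url_raw( $url, array( 'http', 'https' ) );
    if ( '' === $url ) {
        return new WP_Error( 'bad_scheme', 'Only http and https URLs are accepted.' );
    }

    // 'redirection' => 0 keeps the resource fetched identical to the one validated.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        // Rejected targets come back as a WP_Error ('http_request_failed').
        return $response;
    }
    return wp_remote_retrieve_body( $response );
}

// What wp_http_validate_url() rejected at the time of writing:
//   - schemes other than http/https, and URLs carrying userinfo (user:pass@host)
//   - hosts whose IPv4 address is in 0.*, 10.*, 127.*, 172.16-31.* or 192.168.*,
//     unless the 'http_request_host_is_external' filter returns true or the host
//     equals the site's own home_url() host
//   - ports other than 80, 443 and 8080
// It resolves the hostname itself with gethostbyname() and returns the URL on
// success, false on rejection.
function example_validation_samples() {
    $urls = array(
        'http://example.com/',          // allowed: public host, port 80
        'http://127.0.0.1:9200/',       // rejected: loopback
        'http://10.0.0.5/admin',        // rejected: private range
        'http://example.com:6379/',     // rejected: port not in 80/443/8080
        'http://user:pw@example.com/',  // rejected: userinfo present
        'ftp://example.com/',           // rejected: scheme
    );
    $results = array();
    foreach ( $urls as $url ) {
        $results[ $url ] = ( false !== wp_http_validate_url( $url ) );
    }
    return $results;
}
```

Two caveats a practitioner should keep in mind when reading the white paper's sentence against this code: the checks only apply to requests that opt in via `reject_unsafe_urls` (the `wp_safe_remote_*` wrappers), not to every request WordPress issues, and the port restriction is enforced by this validation function rather than by any network configuration under WordPress's control.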

Section on escaping and sanitization functions

There should be a section covering the escaping and sanitization functions that core provides for theme and plugin authors. Even if they're not covered in technical detail, their existence is an important part of the security of WordPress.

Escaping

  • esc_html()
  • esc_attr()
  • esc_url()
  • esc_textarea()
  • esc_js()

Sanitization

  • esc_url_raw()
  • sanitize_key()
  • sanitize_text_field()
  • sanitize_textarea_field()
    ...and probably others.
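The sanitize-on-input, escape-on-output pattern that the listed functions exist for, shown as a small settings-backed shortcode with the unescaped rendering beside the hardened one. This is an added example, not code from the white paper or from WordPress core; it assumes a loaded WordPress install, and the option names, shortcode tag and function names are invented.

```php
<?php
// Added example: sanitize on input, escape for the output context. All
// example_* names and option keys are invented for this illustration.

// --- Sanitize on input -----------------------------------------------------
// Settings API sanitize callbacks: whatever reaches the database has already
// had tags, NUL bytes and unsupported URL protocols removed.
function example_register_settings() {
    register_setting( 'example_group', 'example_banner_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // strips tags, octets, line breaks, extra whitespace
    ) );
    register_setting( 'example_group', 'example_banner_url', array(
        'type'              => 'string',
        'sanitize_callback' => 'esc_url_raw',         // storage form of a URL: no HTML entity encoding
    ) );
    register_setting( 'example_group', 'example_banner_style', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_key',        // lowercase [a-z0-9_-] only: safe as a class or array key
    ) );
}
add_action( 'admin_init', 'example_register_settings' );

// --- Vulnerable rendering (what NOT to do) ---------------------------------
// Input sanitization is not enough on its own: options can be written by other
// plugins, imports or direct database access, and sanitize_text_field() does
// not encode quotes, so a value like  x" onmouseover="alert(1)  survives it and
// breaks out of the title attribute below.
function example_banner_unsafe() {
    $text  = get_option( 'example_banner_text' );
    $url   = get_option( 'example_banner_url' );
    $style = get_option( 'example_banner_style' );
    return '<a class="' . $style . '" href="' . $url . '" title="' . $text . '">' . $text . '</a>';
}

// --- Hardened rendering: one escaping function per output context ----------
function example_banner_safe( $atts ) {
    // Shortcode attributes are editor-supplied; treat them as untrusted too.
    $atts  = shortcode_atts( array( 'label' => '' ), $atts, 'example_banner' );
    $text  = get_option( 'example_banner_text' );
    $url   = get_option( 'example_banner_url' );
    $style = sanitize_key( get_option( 'example_banner_style' ) ); // storage is not trusted
    $label = '' !== $atts['label'] ? $atts['label'] : $text;

    // esc_attr(): inside a quoted attribute (encodes & < > " ')
    // esc_url():  href/src; rejects javascript:, data: etc. and encodes the rest
    // esc_html(): text between tags
    return sprintf(
        '<a class="%s" href="%s" title="%s">%s</a>',
        esc_attr( $style ),
        esc_url( $url ),
        esc_attr( $text ),
        esc_html( $label )
    );
}
add_shortcode( 'example_banner', 'example_banner_safe' );

// --- The remaining contexts from the list ----------------------------------
// esc_textarea(): content of a <textarea>, e.g. the settings form field.
function example_banner_field() {
    return '<textarea name="example_banner_text">'
        . esc_textarea( get_option( 'example_banner_text' ) )
        . '</textarea>';
}

// esc_js(): a value placed inside a single-quoted JS string literal in an
// inline handler. For anything larger, hand data to scripts with
// wp_localize_script() or wp_json_encode() instead of building JS by hand.
function example_banner_onclick_attr() {
    $text = get_option( 'example_banner_text' );
    return 'onclick="track(\'' . esc_js( $text ) . '\')"';
}
```

The rule of thumb the functions encode: sanitization decides what is acceptable to store and is keyed to the data type; escaping decides how to emit a value safely and is keyed to where in the document it lands, which is why the same option is passed through `esc_attr()` in one place and `esc_html()` in another.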
