@@ -1319,12 +1319,12 @@ scope automatically. There is nothing more to do than this:
Security considerations
-----------------------
 
-All plugins should consider the security implications of their plugin.
-Of course, if you call external programs you have to use great care,
-but the following issues are important to nearly every plugin.
+All plugin authors should consider the security implications of their
+plugin. Of course, if you call external programs you have to use great
+care, but the following issues are important to nearly every plugin.
 
- Escape any untrusted data before you output it. This is to prevent
-cross site scripting attachs. It means that you have to htmlspecialchar()
+cross site scripting attacks. It means that you have to htmlspecialchars()
every variable that comes in through the URL, a mail message or other
external factors, before outputting it.
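Review bot: The corrections on the rewrapped lines are right: the PHP function is htmlspecialchars(), so the old htmlspecialchar() would not have worked as typed, and "attachs" is now "attacks"; making "plugin authors" the subject also fixes the odd "plugins should consider ... their plugin". One wording suggestion for the same bullet, since this is the only place the section names an escaping function: say explicitly that the escaping belongs at output time, as "before outputting it" already implies, and not when the value is stored, so a reader does not end up double-escaping data that was already escaped on the way in.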
@@ -1332,7 +1332,7 @@ external factors, before outputting it.
enabled. If you just call hooks, your hooks won't be called when the
plugin is disabled, but if you also supply extra .php files, you should
check if they perform any function if accessed directly. If they do, you
-should check at the start of that file if the plugin is enabled in the
+should check at the start of that file whether the plugin is enabled in the
config, and if not, exit the script. Example:
global $plugins;
if ( !in_array('mypluginname', $plugins) ) {
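Review bot: "whether" is the better word and the wording change is fine, but the example that follows has a gap worth closing: `global $plugins;` followed by `if ( !in_array('mypluginname', $plugins) ) {` assumes the config has already populated `$plugins` at the moment the extra .php file is requested directly, which is exactly the situation the paragraph is guarding against. If the file can run before the config is loaded, `$plugins` is unset, in_array() is handed null, and the guard does not fail closed. Suggest `if ( empty($plugins) || !in_array('mypluginname', $plugins) ) {` so the script also exits in that case.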