Getting plugged in - part two: security
The security of any code should be of the utmost importance but, if creating a plugin that might be distributed to other people's sites, it should be paramount.
It's one thing messing up your own site but another entirely breaking someone else's when they've put their trust in what you've written.
As we established last time, this series covers the process of improving my "Likes and Replies" WordPress plugin. This is a relatively simple piece of code that doesn't do much (yet) but it's still good to ensure it's as secure as it can be and get into good habits.
First steps
It is best practice to prevent direct access to plugin files meaning they can only be used within the context of a WordPress installation. This is done by adding the following to the start of any PHP files:
if (!defined('ABSPATH')) exit; // Don't run if accessed directly
ABSPATH is the absolute path to the WordPress installation directory and is defined by WordPress itself. If this is not available to the plugin it is not being run within the context of an installation.
We are relying on user input in the form of a URL to add likes or replies, so we should take steps to ensure that this is properly encoded and valid. We can use esc_url() to do this, which removes invalid or dangerous characters.
Getting the address entered into the custom field then becomes:
$mentionurl = esc_url(get_post_meta($id, $type, true));
I had already made a change to the code replacing file_get_contents() with wp_remote_get(), as the former was considered insecure.
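As an added example (not the plugin's own code), this is how the two changes above fit together: the stored address is validated with esc_url_raw() (the request/database counterpart of esc_url()) and fetched with wp_remote_get(), with the response checked before the body is used. The function names landr_fetch_mention_target() and landr_mention_link_html() are assumed, and the http/https scheme check and reject_unsafe_urls option go a little beyond what the post itself applies.

```php
<?php
// Added example (not the plugin's own code): fetch the URL held in the
// 'Liked'/'Reply' custom field with wp_remote_get() instead of
// file_get_contents(), after validating it as part two describes.
// landr_fetch_mention_target() and landr_mention_link_html() are hypothetical names.
if ( ! defined( 'ABSPATH' ) ) exit; // Don't run if accessed directly

function landr_fetch_mention_target( $post_id, $meta_key ) {
    // esc_url_raw() is the request/database form of esc_url(): same cleaning,
    // but no HTML entities. It returns '' for disallowed schemes such as
    // javascript:, so an empty result means there is nothing safe to fetch.
    $target = esc_url_raw( get_post_meta( $post_id, $meta_key, true ) );
    if ( '' === $target ) {
        return new WP_Error( 'landr_bad_url', 'No valid URL stored in ' . $meta_key );
    }
    // esc_url_raw() still allows mailto:, ftp: and similar; only http(s)
    // makes sense for a webmention target.
    $scheme = wp_parse_url( $target, PHP_URL_SCHEME );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'landr_bad_scheme', 'Only http/https URLs are fetched' );
    }
    $response = wp_remote_get( $target, array(
        'timeout'            => 5,
        'redirection'        => 3,
        'reject_unsafe_urls' => true, // applies wp_http_validate_url(): no non-public hosts
    ) );
    if ( is_wp_error( $response ) ) {
        return $response; // timeout, DNS failure, rejected URL ...
    }
    $code = wp_remote_retrieve_response_code( $response );
    if ( 200 !== $code ) {
        return new WP_Error( 'landr_http_' . $code, 'Unexpected HTTP status ' . $code );
    }
    return wp_remote_retrieve_body( $response );
}

// Rendering the stored address: esc_url() for the href, esc_html() for the
// visible text, so the value cannot break out of the markup.
function landr_mention_link_html( $post_id, $meta_key ) {
    $target = get_post_meta( $post_id, $meta_key, true );
    if ( '' === esc_url( $target ) ) {
        return '';
    }
    return sprintf( '<a href="%s">%s</a>', esc_url( $target ), esc_html( $target ) );
}
```

Callers should test the return value with is_wp_error() before treating it as page content.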
A good start
With a more complex plugin additional protection may be required, like sanitising inputs which I, no doubt, will have to do later if I am able to meet my goals.
This is a good start to the learning process but I now need to work on my priorities for what to tackle next.
Sonant Thoughts, Episode 18: Getting Distracted (audio: https://colinwalker.blog/wp-content/uploads/2017/05/Sonant-Thoughts-Episode-18-Getting-Distracted.m4a)
Some thoughts on boredom, distraction and the self-application of labels to make us feel less different.
Links: Webmentions directory; Getting Plugged In – Part 1; Getting Plugged In – Part 2
Getting plugged in - part four: meta boxes
Numerous tutorials exist for adding and using meta boxes; some manage to make it seem like a dark art by rushing through too much in one go without explaining exactly what is going on. This isn't going to be a guide, more a detailing of the steps I have taken to get a meta box in place for adding the 'liked' and 'reply' custom fields on posts, then converting those into #indieweb webmention links.
Display a simple meta box
This is the easy bit, and I actually mean easy. WordPress provides the add_meta_boxes hook and the add_meta_box() function to easily register a custom box. We first need to create a function which calls add_meta_box(), then add that function as an action to the add_meta_boxes hook:
function landr_custom_meta() {
    add_meta_box( 'landr_meta', 'Like and Replies', 'landr_meta_callback', 'post' );
}
add_action( 'add_meta_boxes', 'landr_custom_meta' );
The add_meta_box() function needs four parameters, although more can be used to control where the meta box sits on the page. These are: the ID, the box title, a callback function which actually does the work, and the type of post we want it to be used with. Just to prove everything is set up properly, a callback function can be created:
function landr_meta_callback() {
    echo 'Likes and replies go here.';
}
And, just like that, we have a meta box. It doesn't do anything yet, but it was easy to create. Now comes the fun stuff.
Adding fields and saving values
Getting the required fields in is just a case of adding some standard HTML (so I won't go into that here), ensuring that the fields are named properly so they can be referenced later. With the fields added we need to be able to write their values to the database if they have been populated. Another function coming up, added as an action to the save_post hook.
As we saw before, security is paramount when dealing with WordPress plugins. Because we are dealing with something that can write to the WordPress database we need to ensure that this is handled securely. There are two steps to take: firstly, adding a nonce (number used once) field to the meta box which will prevent improper access, and double-checking that the person trying to save the data is allowed to do so:
// create nonce
wp_nonce_field( basename( __FILE__ ), 'landr_nonce' );

// check if nonce exists and is verified
if ( ! isset( $_POST['landr_nonce'] ) ) { return; }
if ( ! wp_verify_nonce( $_POST['landr_nonce'], basename( __FILE__ ) ) ) { return; }

// check permission to edit post
if ( ! current_user_can( 'edit_post', $post_id ) ) { return; }
The 'liked' or 'reply' values can then be written to the postmeta table using add_post_meta(), ready to be converted into webmention links.
if ( isset( $_POST['liked-url'] ) ) {
    $liked_url = sanitize_text_field( $_POST['liked-url'] );
    add_post_meta( $post_id, 'Liked', $liked_url );
}
if ( isset( $_POST['reply-url'] ) ) {
    $reply_url = sanitize_text_field( $_POST['reply-url'] );
    add_post_meta( $post_id, 'Reply', $reply_url );
}
Webmentions
Previously, the plugin used the content_save_pre hook to add the webmention link to the start of the post content. With the new code linked to save_post it wasn't going to work, as save_post fires after content_save_pre. The original code to write the link was modified slightly and moved into the same function so everything is processed at the same time. It needs some tidying up, but the updated plugin can be viewed in the GitHub repository.
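As an added example (not the plugin's own code), here is the save handler from the "Adding fields and saving values" section assembled into one function, with the nonce and capability checks in the order the post gives them. The name landr_save_meta() is assumed; compared with the snippets above it adds an autosave/revision guard, uses update_post_meta() so re-saving a post does not pile up duplicate rows (add_post_meta() appends unless its fourth argument is true), and sanitises with esc_url_raw() rather than sanitize_text_field() because the values are URLs.

```php
<?php
// Added example (not the plugin's own code): a save_post handler that applies
// the checks from part four in order (nonce, capability) plus the autosave
// guard, then stores the 'Liked'/'Reply' URLs. landr_save_meta() is a
// hypothetical name; update_post_meta() avoids duplicate rows on re-save and
// esc_url_raw() replaces sanitize_text_field() because the values are URLs.
if ( ! defined( 'ABSPATH' ) ) exit; // Don't run if accessed directly

function landr_save_meta( $post_id ) {
    // A missing or forged nonce means the request did not come from our form.
    if ( ! isset( $_POST['landr_nonce'] ) ) {
        return;
    }
    $nonce = sanitize_text_field( wp_unslash( $_POST['landr_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, basename( __FILE__ ) ) ) {
        return;
    }
    // Autosaves and revisions fire save_post too; nothing to store then.
    if ( ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) || wp_is_post_revision( $post_id ) ) {
        return;
    }
    // Per-post capability: a contributor cannot touch another author's post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $fields = array( 'liked-url' => 'Liked', 'reply-url' => 'Reply' );
    foreach ( $fields as $input => $meta_key ) {
        if ( ! isset( $_POST[ $input ] ) ) {
            continue;
        }
        $url = esc_url_raw( wp_unslash( $_POST[ $input ] ) );
        if ( '' === $url ) {
            delete_post_meta( $post_id, $meta_key ); // blank or disallowed scheme
            continue;
        }
        update_post_meta( $post_id, $meta_key, $url );
    }
}
add_action( 'save_post', 'landr_save_meta' );

// The meta box callback renders the nonce and echoes stored values back, escaped.
function landr_meta_callback( $post ) {
    wp_nonce_field( basename( __FILE__ ), 'landr_nonce' );
    foreach ( array( 'liked-url' => 'Liked', 'reply-url' => 'Reply' ) as $input => $meta_key ) {
        $value = get_post_meta( $post->ID, $meta_key, true );
        printf( '<p><label>%s <input type="url" name="%s" value="%s"></label></p>',
            esc_html( $meta_key ), esc_attr( $input ), esc_attr( $value ) );
    }
}
```

Both functions must live in the same file, since basename( __FILE__ ) is the nonce action shared between the field and the check.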
→ May 22nd, 2017: https://colinwalker.blog/2017/05/22/getting-plugged-in-part-4-meta-boxes/