Unfiltered theme settings fields?

It has been recommended to me in previous questions I’ve asked about using non-WPMUdev themes, to remove certain fields from any themes you use in your network due to security risks. Obviously, we don’t want areas where users can inject and run code in their themes.

As a novice, I’m not sure if I can confidently identify what these areas are. I mean comment fields are ok, text widgets are ok, but what are examples of fields that should be removed from themes before using them on your network?

Any advice is appreciated.

Thanks!

  • DavidM
    • DEV MAN’s Mascot

    Hi igallery,

    Good question and that actually extends to plugins as well, as there are a number of plugins that could let users use malicious code. Generally though, it would be anything that allows a user to execute unfiltered code.

    For the time being, you may just want to post any specific queries here, so we could take a look with ya! :)

    Cheers,

    David

  • DavidM
    • DEV MAN’s Mascot

    Hi igallery,

    I guess you could take any text field in any theme option page as an example. I’d say they would be the best examples really. But examples would include simply anything that’s not filtered, generally text fields or text areas where users can enter information.

    I guess that’s really the main thing to check for right there, text fields of any sort where users can possibly enter malicious code. As long as those fields are filtered they should be safe.

    Web developers should know that, so mentioning just that ought to suffice, I imagine.

    Cheers,

    David
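The distinction David draws above, a theme option that is stored and printed verbatim versus one that is filtered, is easiest to see in code. The following is an added example written for this thread, not code from WPMU DEV or from any particular theme; the option names (`igx_footer_text`, `igx_tagline`) and function names are assumed for illustration. It uses only core WordPress functions (`register_setting` with a `sanitize_callback`, `wp_kses_post`, `sanitize_text_field`, `esc_html`).

```php
<?php
// Added example for this thread (not from WPMU DEV or any theme).
// Assumed option names: 'igx_footer_text' (allows limited HTML) and
// 'igx_tagline' (plain text only).

// --- The pattern the thread warns about: an unfiltered theme settings field. ---
// Whatever a site admin typed into the options page, script tags included,
// is stored as-is and echoed straight into every page of the site.
function igx_unsafe_footer() {
    echo get_option( 'igx_footer_text', '' );
}

// --- Hardened form: sanitize on save, escape on output. ---

// Keep only the HTML WordPress allows in post content (no <script>, <iframe>,
// on* event attributes). On a multisite network this is the conservative
// choice even for users who hold the 'unfiltered_html' capability.
function igx_sanitize_footer_text( $value ) {
    return wp_kses_post( (string) $value );
}

function igx_register_settings() {
    register_setting(
        'igx_options',   // option group referenced by settings_fields() on the page
        'igx_footer_text',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'igx_sanitize_footer_text',
            'default'           => '',
        )
    );
    register_setting(
        'igx_options',
        'igx_tagline',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field', // strips all tags
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'igx_register_settings' );

function igx_safe_footer() {
    $text = get_option( 'igx_footer_text', '' );
    // Filter again at output time: the value may have reached the database by
    // another route (a direct update_option() call, an import plugin) that
    // bypassed the settings API and its sanitize_callback.
    echo wp_kses_post( $text );
}

function igx_print_tagline() {
    // Plain-text field: escape for HTML context so nothing is interpreted as markup.
    echo esc_html( get_option( 'igx_tagline', '' ) );
}
```

When auditing a theme before enabling it on the network, the check is mechanical: for each `get_option()` / `get_theme_mod()` read that ends up in an `echo`, look for both a sanitizing callback on the save path and an `esc_*` or `wp_kses_*` call on the output path. A field that has neither is the kind David describes as unfiltered.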
