From: kink Date: Tue, 14 Jun 2005 11:32:39 +0000 (+0000) Subject: Argh, didn't re-read my own text.. X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=ecc368a839624666019b2f055d0f3d87934bf6c9;p=squirrelmail.git Argh, didn't re-read my own text.. git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@9607 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- diff --git a/doc/Development/plugin.txt b/doc/Development/plugin.txt index 7ab2dc0b..d5266cbc 100644 --- a/doc/Development/plugin.txt +++ b/doc/Development/plugin.txt @@ -1319,12 +1319,12 @@ scope automatically. There is nothing more to do than this: Security considerations ----------------------- -All plugins should consider the security implications of their plugin. -Of course, if you call external programs you have to use great care, -but the following issues are important to nearly every plugin. +All plugin authors should consider the security implications of their +plugin. Of course, if you call external programs you have to use great +care, but the following issues are important to nearly every plugin. - Escape any untrusted data before you output it. This is to prevent -cross site scripting attachs. It means that you have to htmlspecialchar() +cross site scripting attacks. It means that you have to htmlspecialchars() every variable that comes in through the URL, a mail message or other external factors, before outputting it. @@ -1332,7 +1332,7 @@ external factors, before outputting it. enabled. If you just call hooks, your hooks won't be called when the plugin is disabled, but if you also supply extra .php files, you should check if they perform any function if accessed directly. If they do, you -should check at the start of that file if the plugin is enabled in the +should check at the start of that file whether the plugin is enabled in the config, and if not, exit the script. Example: global $plugins; if ( !in_array('mypluginname', $plugins) ) {
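Review bot: in the first hunk, the corrected sentence now names htmlspecialchars() but still gives no flags or context; with its default flags htmlspecialchars() leaves single quotes untouched, so data placed inside a single-quoted HTML attribute is not fully escaped. Suggest the doc recommend `htmlspecialchars($var, ENT_QUOTES)` and add that the escaping must match where the value is output (HTML body or attribute versus a URL parameter, which needs urlencode()).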
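Review bot: in the second hunk the "whether" wording is fine, but the example that follows (`global $plugins; if ( !in_array('mypluginname', $plugins) ) {`) only behaves as described once config.php has been included and $plugins is populated; the text should state that the include must come first and that the check belongs before any other work in the file, since an unset $plugins makes in_array() warn and the script exit even when the plugin is enabled.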