From ecc368a839624666019b2f055d0f3d87934bf6c9 Mon Sep 17 00:00:00 2001 From: kink Date: Tue, 14 Jun 2005 11:32:39 +0000 Subject: [PATCH] Argh, didn't re-read my own text.. git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@9607 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- doc/Development/plugin.txt | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/Development/plugin.txt b/doc/Development/plugin.txt index 7ab2dc0b..d5266cbc 100644 --- a/doc/Development/plugin.txt +++ b/doc/Development/plugin.txt @@ -1319,12 +1319,12 @@ scope automatically. There is nothing more to do than this: Security considerations ----------------------- -All plugins should consider the security implications of their plugin. -Of course, if you call external programs you have to use great care, -but the following issues are important to nearly every plugin. +All plugin authors should consider the security implications of their +plugin. Of course, if you call external programs you have to use great +care, but the following issues are important to nearly every plugin. - Escape any untrusted data before you output it. This is to prevent -cross site scripting attachs. It means that you have to htmlspecialchar() +cross site scripting attacks. It means that you have to htmlspecialchars() every variable that comes in through the URL, a mail message or other external factors, before outputting it. @@ -1332,7 +1332,7 @@ external factors, before outputting it. enabled. If you just call hooks, your hooks won't be called when the plugin is disabled, but if you also supply extra .php files, you should check if they perform any function if accessed directly. If they do, you -should check at the start of that file if the plugin is enabled in the +should check at the start of that file whether the plugin is enabled in the config, and if not, exit the script. Example: global $plugins; if ( !in_array('mypluginname', $plugins) ) { -- 2.25.1
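Review bot: In the first hunk, the corrected sentence "you have to htmlspecialchars() every variable ... before outputting it" would benefit from one more qualification, since htmlspecialchars() with its default flags does not escape single quotes, so a value dropped into a single-quoted HTML attribute is still not safe. Suggest wording it as "pass every variable ... through htmlspecialchars() with ENT_QUOTES before outputting it", and noting that data placed in a URL or in JavaScript needs context-appropriate encoding rather than HTML escaping alone.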
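Review bot: In the second hunk, the example that follows "check at the start of that file whether the plugin is enabled in the config, and if not, exit the script" reads `global $plugins; if ( !in_array('mypluginname', $plugins) ) {`, but a .php file reached directly has not loaded SquirrelMail's config, so `$plugins` is undefined at that point and the in_array() check cannot work on its own. Suggest stating in the text that the file must first include the configuration (and be invoked in the normal SquirrelMail request context) before this check is meaningful, so that plugin authors do not copy a guard that silently passes.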