Line 129: | Line 129: | ||
** Is that data treated as unsafe (i.e. not used directly in SQL statements or reflected back to other users or admins)? | ** Is that data treated as unsafe (i.e. not used directly in SQL statements or reflected back to other users or admins)? | ||
** Does the plugin alter the login process, add additional users, or grant additional rights to non-admins? | ** Does the plugin alter the login process, add additional users, or grant additional rights to non-admins? | ||
** If a plugin modifies post text (such as creating links out of certain words), does it do the same for user-comments? | |||
*** This is dangerous - a plugin such as this should only allow admins to enter data that will be handled. | |||
* View the settings page for the plugin and test the inputs for cross-site scripting and SQL injection vulnerabilities. | * View the settings page for the plugin and test the inputs for cross-site scripting and SQL injection vulnerabilities. | ||
** Note that some plugins enable the use of unfiltered HTML within the admin page. This behavior is allowed unless the plugin also exposes this functionality to non-admins. | ** Note that some plugins enable the use of unfiltered HTML within the admin page. This behavior is allowed unless the plugin also exposes this functionality to non-admins. |
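Review bot: The new sub-bullet "*** This is dangerous - a plugin such as this should only allow admins to enter data that will be handled." asserts the risk without explaining it, and "data that will be handled" is ambiguous. The parent question is asking whether the same rewrite applied to post text also runs over user comments, so the point to make is that text non-admins can submit then reaches the transformation and the markup it generates. Suggest something like: "*** This is dangerous: if the rewrite also runs over text non-admins can submit (such as comments), untrusted input reaches the transformation and the markup it generates; restrict such processing to content entered by admins." Also, "user-comments" in the new bullet does not need the hyphen.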