Title: hellfire88's Replies | WordPress.org

---

# hellfire88


## Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)

 *   Forum: [Reviews](https://wordpress.org/support/forum/reviews/)
    In reply to:
   [[Download Manager] dangerous code](https://wordpress.org/support/topic/dangerous-code-1/)
 *  Thread Starter [hellfire88](https://wordpress.org/support/users/hellfire88/)
 * (@hellfire88)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/dangerous-code-1/#post-7845005)
 * Yup, that was another component, and yet, run some security checks on your code.
   None of your GET inputs are filtered and checked against CSR/XSS; this is like
   opening your users' sites to everybody. When running 'RIPS' over your folder
   you will see how dangerous your code is. This is simply irresponsible, what you're
   doing to your users, but apparently you don't seem to care at all, just picking
   up money for your trash.
 *   Forum: [Reviews](https://wordpress.org/support/forum/reviews/)
    In reply to:
   [[Download Manager] dangerous code](https://wordpress.org/support/topic/dangerous-code-1/)
 *  Thread Starter [hellfire88](https://wordpress.org/support/users/hellfire88/)
 * (@hellfire88)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/dangerous-code-1/#post-7844991)
 * This is the worst:

   ```php
   // Settings-save code as quoted from the plugin: raw POST values are only
   // trimmed, never sanitized or escaped, before being stored as templates.
   $download_template_header = trim($_POST['download_template_header']);
   $download_template_footer = trim($_POST['download_template_footer']);
   $download_template_pagingheader = trim($_POST['download_template_pagingheader']);
   $download_template_pagingfooter = trim($_POST['download_template_pagingfooter']);
   $download_template_none = trim($_POST['download_template_none']);
   $download_template_category_header = trim($_POST['download_template_category_header']);
   $download_template_category_footer = trim($_POST['download_template_category_footer']);
   $download_template_listing[] = trim($_POST['download_template_listing']);
   $download_template_listing[] = trim($_POST['download_template_listing_2']);
   $download_template_embedded[] = trim($_POST['download_template_embedded']);
   $download_template_embedded[] = trim($_POST['download_template_embedded_2']);
   $download_template_download_page_link = trim($_POST['download_template_download_page_link']);
   $download_template_most[] = trim($_POST['download_template_most']);
   $download_template_most[] = trim($_POST['download_template_most_2']);
   $update_download_queries = array();
   ```
 * This is against all good practices, filling templates with unfiltered POST variables.
   Seriously, if you have any loyalty toward your users, you must take this component
   down and warn your users about possible CSR and XSS attacks. In the meantime,
   verify [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet)
   against your code. It's like opening your users' sites to all sorts of attacks… jeez.
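The settings-save step quoted in the reply above, rewritten with the checks the reply asks for, as an added example (not code from the Download Manager plugin or from the poster). It assumes a WordPress admin form handler; the option key `dm_download_templates` and nonce action `dm_save_templates` are assumed names, while the field names are the ones in the quoted snippet.

```php
<?php
// Added example, not code from the Download Manager plugin or from the poster.
// Re-implements the quoted settings-save step with authorisation, CSRF and
// input-sanitisation checks. Assumed names: option key 'dm_download_templates'
// and nonce action 'dm_save_templates'; field names come from the quoted snippet.

function dm_save_templates_hardened() {
    // Authorisation: only users who may manage options can change stored templates.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // CSRF: the form must carry the nonce emitted by wp_nonce_field( 'dm_save_templates' );
    // check_admin_referer() stops the request if the nonce is missing or invalid.
    check_admin_referer( 'dm_save_templates' );

    $fields = array(
        'download_template_header', 'download_template_footer',
        'download_template_pagingheader', 'download_template_pagingfooter',
        'download_template_none', 'download_template_category_header',
        'download_template_category_footer', 'download_template_listing',
        'download_template_listing_2', 'download_template_embedded',
        'download_template_embedded_2', 'download_template_download_page_link',
        'download_template_most', 'download_template_most_2',
    );

    $templates = array();
    foreach ( $fields as $name ) {
        if ( ! isset( $_POST[ $name ] ) || ! is_string( $_POST[ $name ] ) ) {
            continue; // missing or non-scalar input is ignored rather than stored
        }
        // wp_unslash() removes the slashes WordPress adds to request data;
        // wp_kses_post() keeps the HTML allowed in post content (templates are markup)
        // but strips <script>, on* event attributes and javascript: URLs.
        $templates[ $name ] = wp_kses_post( trim( wp_unslash( $_POST[ $name ] ) ) );
    }

    update_option( 'dm_download_templates', $templates );
    return $templates;
}

// At output time, values meant as plain text are still escaped where printed:
//   echo esc_html( $templates['download_template_none'] );
// so what reaches the page is the filtered markup, never the raw POST body.
```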
 *   Forum: [Reviews](https://wordpress.org/support/forum/reviews/)
    In reply to:
   [[Download Manager] dangerous code](https://wordpress.org/support/topic/dangerous-code-1/)
 *  Thread Starter [hellfire88](https://wordpress.org/support/users/hellfire88/)
 * (@hellfire88)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/dangerous-code-1/#post-7844990)
 * Simply take one of the scanners from here: [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html](http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html)
   and scan your source folder; there are so many buffer overflow and wrong escaping
   issues that you will be busy for quite a while fixing them all. And again, please
   read at least some PHP security books and go through your code line by line.
