-
(*EDIT: Switched the order of suggested steps to put the one-liner a bit lower-priority. And more seriously, it's the same security posture as "View in Chrome and then copy-paste snippet", and it's a one-off check, so 🤷 *)
Edited by totten
-
I've updated to add another style of auditing -- in addition to searching for known-suspicious patterns (static analysis), it also tries to preview your templates using example data (dynamic analysis).
Unfortunately, some specific combinations of (template × example-data) will generate extraneous PHP warnings. I updated the instructions to hide that noise. (cv scr audit.php 2>/dev/null)
-
I think you take me more seriously than I take myself on Friday afternoon! But also I do think you've improved it.
I've seen a few sites hacked that have obscure code that presumably was doing some kind of crypto-mining; it often has stuff like "eval(substr($c, 7))", which should really raise red flags for anyone before they copy and paste it.
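The "known-suspicious patterns" side of the audit, as an added example (this is not the audit.php discussed in the thread, and the pattern list and sample snippets are constructed for illustration): a small PHP pass that flags obfuscated-eval constructs of the kind quoted above, plus a few related red flags, in a set of inline strings. It assumes the templates being checked are Smarty-style, which is why a `{php}` block is treated as suspicious.

```php
<?php
// Added example, not the thread's audit.php. Scans constructed snippets for
// patterns that should make someone pause before pasting code into a site.

/**
 * Suspicious patterns, most specific first: [label => regex].
 * The list is an assumption for illustration, not an exhaustive rule set.
 */
function audit_patterns(): array {
    return [
        'eval_of_substr'   => '/\beval\s*\(\s*substr\s*\(/i',      // eval(substr($c, 7))
        'eval'             => '/\beval\s*\(/i',
        'decode_then_run'  => '/\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
        'shell_exec'       => '/\b(shell_exec|passthru|system|exec|popen|proc_open)\s*\(/i',
        'dynamic_call'     => '/\$\w+\s*\(\s*\$\w+/',               // $f($x): variable function call
        'hex_or_chr_blob'  => '/(\\\\x[0-9a-f]{2}){8,}|(chr\s*\(\s*\d+\s*\)\s*\.\s*){4,}/i',
        'remote_include'   => '/\b(include|require)(_once)?\s*\(?\s*[\'"]https?:/i',
        'smarty_php_block' => '/\{php\}/i',                          // assumes Smarty templates
    ];
}

/**
 * Scan one snippet line by line. Returns [[snippet, label, lineNo, lineText], ...],
 * reporting at most one (the most specific) finding per line.
 */
function audit_snippet(string $name, string $code): array {
    $findings = [];
    foreach (explode("\n", $code) as $i => $line) {
        foreach (audit_patterns() as $label => $regex) {
            if (preg_match($regex, $line)) {
                $findings[] = [$name, $label, $i + 1, trim($line)];
                break;
            }
        }
    }
    return $findings;
}

// Constructed samples: a benign template and a snippet in the crypto-miner style quoted above.
$samples = [
    'benign.tpl'     => "{\$contact.display_name}\n{if \$amount > 0}Thanks for {\$amount|crmMoney}{/if}\n",
    'suspicious.php' => "<?php\n\$c = 'abcdefgZXZhbCgnJyk7';\neval(substr(\$c, 7));\n"
                      . "\$f = 'sys' . 'tem'; \$f(\$_GET['q']);\n{php} echo 'hi'; {/php}\n",
];

$all = [];
foreach ($samples as $name => $code) {
    $all = array_merge($all, audit_snippet($name, $code));
}
foreach ($all as [$file, $label, $lineNo, $text]) {
    printf("%-16s line %d  [%s]  %s\n", $file, $lineNo, $label, $text);
}
// Non-zero exit when anything was flagged, so it can gate a script in CI or a shell loop.
exit(count($all) > 0 ? 1 : 0);
```

Run it with plain `php` (or via `cv scr` if you want CiviCRM bootstrapped first). Only `suspicious.php` produces findings: `eval_of_substr`, `dynamic_call` and `smarty_php_block`, one per line. A static pass like this is a cheap first filter; it catches obfuscation idioms but not logic that is simply wrong, which is why the thread pairs it with a dynamic preview of the templates.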
-
Thanks for this @totten.
As a note for others, I was getting authorisation errors when running the script, but doing so as an admin user solved this for me:
cv --user=[Username] scr /scripts/audit.php 2>/dev/null
-
Thanks @wmortada. Updated.