I manage a couple of WordPress installations here and there. I obviously do everything on this blog, but on the other one I only really handle upgrades and changes to the underlying code. The style is done by a proper designer, and then entries are written by proper marketing people.
Before I had anything to do with the other blog, the styles and modifications were simply placed into the existing default theme. That meant every WordPress upgrade overwrote the changes and the blog lost all of its branding, so upgrades weren’t being applied quickly, which is a security problem.
When I took over the maintenance, the first thing I did was to create a theme for the various CSS changes. The second thing I did was learn how to write a WordPress plugin to turn our code modifications into widgets. It may sound a bit complicated, but it’s not actually that hard if you know even the most basic PHP. The theme itself is just a zip file containing a few fairly standard PHP files and a stylesheet. The plugin is just a simple PHP file that (in this case) spits out the sections of markup we want, in the form of a widget that can be managed through WordPress itself.
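To make that concrete, here is a minimal widget plugin of the kind described above. It is an added example written for this post, not the plugin actually used on the other blog: the class name, widget id and the markup it prints are constructed placeholders. It relies only on WordPress’s own WP_Widget API (available since 2.8), and it escapes the admin-supplied title before output so that the widget itself does not reintroduce the kind of problem discussed further down.

```php
<?php
/*
Plugin Name: Example Branding Widget
Description: Added example, not the blog's own plugin. Outputs a fixed block of site-specific markup as a widget so it survives core upgrades.
Version: 0.1
*/

// Hypothetical class name; the markup it prints is a constructed placeholder.
class Example_Branding_Widget extends WP_Widget {

    public function __construct() {
        parent::__construct(
            'example_branding_widget',               // id_base (assumed)
            'Example Branding Block',                // name shown under Appearance > Widgets
            array( 'description' => 'Prints a block of site-specific markup.' )
        );
    }

    // Front-end output. $args carries the theme's before/after wrappers.
    public function widget( $args, $instance ) {
        $title = empty( $instance['title'] ) ? '' : $instance['title'];

        echo $args['before_widget'];
        if ( $title !== '' ) {
            // Even admin-supplied text is escaped before it reaches the page.
            echo $args['before_title'] . esc_html( $title ) . $args['after_title'];
        }
        // The markup that used to be pasted into the default theme lives here instead.
        echo '<div class="example-branding">'
           . '<a href="' . esc_url( home_url( '/' ) ) . '">Back to the front page</a>'
           . '</div>';
        echo $args['after_widget'];
    }

    // Admin form shown under Appearance > Widgets.
    public function form( $instance ) {
        $title = isset( $instance['title'] ) ? $instance['title'] : '';
        printf(
            '<p><label for="%1$s">Title:</label> '
            . '<input class="widefat" id="%1$s" name="%2$s" type="text" value="%3$s" /></p>',
            esc_attr( $this->get_field_id( 'title' ) ),
            esc_attr( $this->get_field_name( 'title' ) ),
            esc_attr( $title )
        );
    }

    // Sanitise what the admin saved before it is stored in the options table.
    public function update( $new_instance, $old_instance ) {
        $instance          = $old_instance;
        $instance['title'] = isset( $new_instance['title'] ) ? strip_tags( $new_instance['title'] ) : '';
        return $instance;
    }
}

// Named callback rather than a closure so this also runs on the PHP 5.2 hosts
// that were still common when WordPress 3.0 shipped.
function example_branding_widget_init() {
    register_widget( 'Example_Branding_Widget' );
}
add_action( 'widgets_init', 'example_branding_widget_init' );
```

Drop the file into wp-content/plugins/, activate it, and the block appears as a widget that can be placed in any sidebar; a core upgrade replaces wp-admin/ and wp-includes/ but leaves plugins and themes alone, which is the whole point.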
Now, when it comes to making an upgrade, I have a test installation that I keep in sync with the live one (plugins, posts, comments, etc.), and I test the upgrade there first. Today I upgraded the blog from the last 2.9 version to WordPress 3.0.1 and encountered absolutely no problems whatsoever. That’s how it should be!
Over the last couple of days I noticed that one of the searches bringing people to my site wasn’t showing up in the widget on my dashboard. After going to the Google Analytics page I discovered that the search term was <!-- IE 8 quirks mode please --> and it wasn’t showing up because that’s what an HTML comment looks like.
I poked around the Google Analyticator code for a little while and discovered that the data was retrieved from Google and then just included, unescaped, in the output of the dashboard page in WordPress. This could lead to something as simple as search terms not showing up, or turning all of the text after a certain point bold (if a search term was <strong>, for instance), or it could lead to particularly nasty people crafting a top search result containing a <script> tag, which would then run in the browser of whoever opens the dashboard, and from there they could do some fairly nasty stuff.
I’ve created a very simple little patch to solve this problem. It basically involves running the data through PHP’s htmlspecialchars() function before it’s printed to the screen.
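The shape of the fix, as an added example rather than the actual patch to Google Analyticator: the same list of search terms rendered the way the dashboard was doing it, and then rendered through htmlspecialchars() so that markup inside a term is displayed literally instead of being interpreted by the browser. The function names and the sample terms are constructed for this illustration.

```php
<?php
// Added example, not the Google Analyticator patch itself: render a list of
// search terms fetched from an external source (here a constructed array) so
// that any markup inside a term is shown as text rather than parsed as HTML.

// Escape one term for placement inside HTML element content.
function escape_search_term( $term ) {
    // ENT_QUOTES also escapes ' and ", so the same helper is safe inside
    // attribute values; the charset is given explicitly rather than relying
    // on PHP's default, which has changed between PHP versions.
    return htmlspecialchars( $term, ENT_QUOTES, 'UTF-8' );
}

// The pre-patch shape of the problem: the term is concatenated straight into the page.
function render_terms_unescaped( array $terms ) {
    $html = "<ul>\n";
    foreach ( $terms as $term ) {
        $html .= "<li>$term</li>\n";
    }
    return $html . "</ul>\n";
}

// The patched shape: every term passes through htmlspecialchars() first.
function render_terms_escaped( array $terms ) {
    $html = "<ul>\n";
    foreach ( $terms as $term ) {
        $html .= '<li>' . escape_search_term( $term ) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample: a harmless term plus the three kinds of term mentioned above.
$terms = array(
    'wordpress upgrade 3.0.1',
    '<!-- IE 8 quirks mode please -->',
    '<strong>',
    '<script>',
);

echo "Unescaped (what the dashboard was doing):\n";
echo render_terms_unescaped( $terms );
// In a browser the second item becomes a real HTML comment and vanishes, the
// third opens a <strong> element that swallows everything after it, and the
// fourth starts a script block.

echo "\nEscaped (after the patch):\n";
echo render_terms_escaped( $terms );
// Every item now renders as visible text, for example:
// <li>&lt;!-- IE 8 quirks mode please --&gt;</li>
```

Inside WordPress code the idiomatic equivalent is esc_html(), which wraps the same htmlspecialchars() call; either is correct for text placed between tags. The one caveat is context: if a value is instead being written into a JavaScript block or a URL, HTML escaping alone is not the right transformation, and the value needs to be encoded for that context instead.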