[theme-reviewers] help with review
Michael Fields
michael at mfields.org
Sat Dec 24 11:43:55 UTC 2011
Hi Paul,
> also, it is echoing a string without escaping it.
> Author is arguing his code is ok and secure regardless.
> what should I do?
If the value is contained in an attribute, it should always be escaped if it contains a dynamic value. Translated strings are dynamic once translated. This can definitely cause issues with translated strings that include a single quote and the attributes value is enclosed in single quotes. The following is the best way to handle a situation such as this:
<input name="s" type="text" id="s" value="<?php esc_attr_e( 'Search', WEBFISH_THEME_NAME . '-theme' ); ?>"/>
Twenty Eleven provides a similar feature to what the theme author is going for here using the placeholder attribute. You may want to suggest that the author tries something like this instead:
<input type="text" class="field" name="s" id="s" placeholder="<?php esc_attr_e( 'Search', 'twentyeleven' ); ?>" />
My opinion is that the value of the search input be reserved for the search query. The term "Search" in the case is either a label or an action to be taken and should be reserved for the submit button, a label element or a placeholder attribute. Using it as the value of search input is bad form as id decreases usability of the form.
> also, there is no margin below paragraphs, (readability test) - shouldn't that be required?
I believe so. Paragraphs should be easily distinguished from one another.
Best,
-Mike
More information about the theme-reviewers
mailing list