[theme-reviewers] home_url clarification

[Edward Caissie]

I would go with recommended as well ... and although a patch to core may be
of benefit, I also agree with "late-escaping" as the most correct best
practice.

To be honest I half-expected `get_home_url` to be escaping its output when
I went digging into core and was surprised it wasn't.

Edward Caissie
aka Cais.


On Wed, Jun 19, 2013 at 3:40 PM, Chip Bennett <chip at chipbennett.net> wrote:

> I'd prefer to see it as recommended, with a core patch to return escaped
> output.
>
>
> On Wed, Jun 19, 2013 at 3:36 PM, Otto <otto at ottodestruct.com> wrote:
>
>> On Wed, Jun 19, 2013 at 2:24 PM, Chip Bennett <chip at chipbennett.net>
>> wrote:
>> > Otto, I agree, but if it is something that is outside the Theme's
>> control,
>> > shouldn't it be incumbent upon core (which provides the related filter)
>> to
>> > escape the output?
>>
>> I can see arguments for both sides of that one. Escaping immediately
>> before output is safest. Late-escaping, basically.
>>
>> If you examine the core code currently (trunk), in all of the places I
>> spot checked, when core uses home_url(), it runs it through esc_url()
>> before outputting it. This is also the case for things like
>> admin_url() and such.
>>
>> Twenty-eleven, twelve, and thirteen all esc_url( home_url() ).
>> Twenty-ten notably did not.
>>
>> I would class it as recommended, possibly to move to required in a
>> version or so?
>>
>> -Otto
>> _______________________________________________
>> theme-reviewers mailing list
>> theme-reviewers at lists.wordpress.org
>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>
>
>
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wordpress.org/pipermail/theme-reviewers/attachments/20130619/944903a7/attachment.html>