[theme-reviewers] home_url clarification

Chip Bennett chip at chipbennett.net
Wed Jun 19 19:48:10 UTC 2013


Late-escaping is great, except when it's overkill, and introduces a
needless opportunity for exploit by omission.

Which is easier/safer/more robust?

1) Having all Themes call echo esc_url( home_url( '/' ) )

or

2) Replacing this:

return apply_filters( 'home_url', $url, $path, $orig_scheme, $blog_id );


...with this:

return esc_url( apply_filters( 'home_url', $url, $path, $orig_scheme, $blog_id ) );


I'm a big fan of late-escaping, but in this case, it's merely a means for
Themes to clean up something that core should already be handling.


On Wed, Jun 19, 2013 at 3:42 PM, Edward Caissie <edward.caissie at gmail.com> wrote:

> I would go with recommended as well ... and although a patch to core may
> be of benefit, I also agree with "late-escaping" as the most correct best
> practice.
>
> To be honest I half-expected `get_home_url` to be escaping its output when
> I went digging into core and was surprised it wasn't.
>
> Edward Caissie
> aka Cais.
>
>
> On Wed, Jun 19, 2013 at 3:40 PM, Chip Bennett <chip at chipbennett.net> wrote:
>
>> I'd prefer to see it as recommended, with a core patch to return escaped
>> output.
>>
>>
>> On Wed, Jun 19, 2013 at 3:36 PM, Otto <otto at ottodestruct.com> wrote:
>>
>>> On Wed, Jun 19, 2013 at 2:24 PM, Chip Bennett <chip at chipbennett.net> wrote:
>>> > Otto, I agree, but if it is something that is outside the Theme's control,
>>> > shouldn't it be incumbent upon core (which provides the related filter) to
>>> > escape the output?
>>>
>>> I can see arguments for both sides of that one. Escaping immediately
>>> before output is safest. Late-escaping, basically.
>>>
>>> If you examine the core code currently (trunk), in all of the places I
>>> spot checked, when core uses home_url(), it runs it through esc_url()
>>> before outputting it. This is also the case for things like
>>> admin_url() and such.
>>>
>>> Twenty-eleven, twelve, and thirteen all esc_url( home_url() ).
>>> Twenty-ten notably did not.
>>>
>>> I would class it as recommended, possibly to move to required in a
>>> version or so?
>>>
>>> -Otto
>>> _______________________________________________
>>> theme-reviewers mailing list
>>> theme-reviewers at lists.wordpress.org
>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>
>>
>>
>
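The "exploit by omission" the thread is weighing, as an added example that is not code from this thread or from WordPress core: a minimal stand-in for the home_url() filter chain in which a 'home_url' filter returns a value that breaks out of an href attribute, rendered once without escaping and once with late escaping at the point of output. The demo_* functions are simplified, hypothetical replacements for add_filter(), apply_filters(), get_home_url() and esc_url() (the real esc_url() also normalises entities, handles relative URLs and checks a longer scheme list), and the hostile filter value is constructed for the demonstration.

```php
<?php
// Added example, not WordPress core code. The demo_* functions below are
// simplified stand-ins written for this demonstration only.

// Hypothetical hook registry standing in for add_filter()/apply_filters().
$demo_filters = [];

function demo_add_filter(string $hook, callable $cb): void {
    global $demo_filters;
    $demo_filters[$hook][] = $cb;
}

function demo_apply_filters(string $hook, $value, ...$args) {
    global $demo_filters;
    foreach ($demo_filters[$hook] ?? [] as $cb) {
        $value = $cb($value, ...$args);
    }
    return $value;
}

// Stand-in for get_home_url(): mirrors the core line quoted in the thread,
// i.e. the raw filter result is returned without escaping.
function demo_home_url(string $path = '', string $scheme = 'http'): string {
    $url = $scheme . '://example.com' . ($path === '' ? '' : '/' . ltrim($path, '/'));
    return demo_apply_filters('home_url', $url, $path, $scheme, null);
}

// Simplified stand-in for esc_url(): strip characters that cannot appear in
// a URL, allow only http/https, then HTML-encode what would otherwise end
// the surrounding attribute.
function demo_esc_url(string $url): string {
    // Quotes, spaces and angle brackets do not survive this step.
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\[\]\\x80-\\xff]|i', '', $url);
    if ($url === '') {
        return '';
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';
    }
    return str_replace(
        ['&', '"', "'", '<', '>'],
        ['&amp;', '&quot;', '&#039;', '&lt;', '&gt;'],
        $url
    );
}

// Constructed input: a plugin (or a compromised one) hooks 'home_url' and
// returns a value that closes the href attribute and adds an event handler.
demo_add_filter('home_url', function (string $url) {
    return $url . '" onmouseover="alert(document.cookie)';
});

// Theme markup that trusts home_url() as-is (the omission case).
function demo_link_unescaped(): string {
    return '<a href="' . demo_home_url('/') . '">Home</a>';
}

// Theme markup with late escaping, as the thread recommends.
function demo_link_escaped(): string {
    return '<a href="' . demo_esc_url(demo_home_url('/')) . '">Home</a>';
}

echo demo_link_unescaped(), "\n";
echo demo_link_escaped(), "\n";
```

Run with `php demo.php`: in the first line the filter's closing quote ends the href and the onmouseover attribute becomes live markup; in the second the quote and the space are stripped before the value reaches the attribute, so the injected text stays inert inside the URL. Moving the esc_url() call inside core (Chip's option 2) covers this same filter, but only late escaping also covers whatever the theme does to the value after home_url() returns it.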