[theme-reviewers] Sanitizing Output

Chip Bennett chip at chipbennett.net
Tue Oct 8 20:18:09 UTC 2013


The general rule is: sanitize on input, escape on output.


On Tue, Oct 8, 2013 at 4:00 PM, Rohit Tripathi <rohitink at live.com> wrote:

> Yes, I have escaped all the URLs. That's done.
>
> But a feature in my theme allows the user to enter JavaScript or HTML through
> the theme options panel, which is sanitized on input. So I hope I don't
> have to sanitize it on the output, because if I use functions like
> esc_html or esc_js on them, then the whole point of letting them enter
> JS/HTML is lost. So if I have to sanitize them on output, how do I do that?
>
> Thanks.
>
> ------------------------------
> Date: Tue, 8 Oct 2013 21:57:44 +0200
> From: grapplerulrich at gmail.com
> To: theme-reviewers at lists.wordpress.org
> Subject: Re: [theme-reviewers] Sanitizing Output
>
>
> No, but it is good to escape it.
> On 8 Oct 2013 21:54, "Rohit Tripathi" <rohitink at live.com> wrote:
>
> Hello.
>
> I am using Options Framework with my theme. I have properly sanitized all
> input using all the necessary functions including wp_kses.
>
> Is it necessary to sanitize it on the output?
>
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
>
>
>
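What "sanitize on input, escape on output" looks like in a theme, as an added example (not code from the thread, from Chip Bennett, or from Options Framework): three Customizer settings are sanitized when saved, then each value is escaped again at the point of output, with the escaping function chosen for the context the value lands in. It assumes WordPress core is loaded (sanitize_text_field, esc_url_raw, wp_kses_post, esc_html, esc_attr, esc_url and get_theme_mod are core functions); the setting names and the example_render_footer helper are invented for illustration, and the Customizer controls that would normally accompany the settings are left out for brevity.

```php
<?php
/**
 * Added example, not from the original thread. Assumes WordPress core is
 * loaded; setting names (example_*) and example_render_footer() are invented.
 */

// --- Input side: every setting gets a sanitize_callback before it is stored.
add_action( 'customize_register', function ( WP_Customize_Manager $wp_customize ) {
	// Plain-text tagline: tags stripped, whitespace normalised.
	$wp_customize->add_setting( 'example_tagline', array(
		'default'           => '',
		'sanitize_callback' => 'sanitize_text_field',
	) );

	// Link target: esc_url_raw() is the storage form of esc_url(); it rejects
	// disallowed schemes such as javascript: and leaves the value unencoded
	// for the database.
	$wp_customize->add_setting( 'example_link', array(
		'default'           => '',
		'sanitize_callback' => 'esc_url_raw',
	) );

	// User-supplied HTML: wp_kses_post() keeps the tags allowed in post
	// content and drops <script>, on* event handlers and javascript: URLs.
	$wp_customize->add_setting( 'example_footer_html', array(
		'default'           => '',
		'sanitize_callback' => 'wp_kses_post',
	) );
} );

// --- Output side: escape for the context, even though the value was
// sanitized on save. The stored value may have been written by another
// plugin, an import, or an older version of the theme with weaker checks.
function example_render_footer() {
	$tagline = get_theme_mod( 'example_tagline', '' );
	$link    = get_theme_mod( 'example_link', '' );
	$html    = get_theme_mod( 'example_footer_html', '' );
	?>
	<p class="tagline" title="<?php echo esc_attr( $tagline ); ?>">
		<?php echo esc_html( $tagline ); ?>
	</p>
	<a href="<?php echo esc_url( $link ); ?>">
		<?php echo esc_html( $link ); ?>
	</a>
	<div class="footer-html">
		<?php
		// Not esc_html(): that would encode the markup the option exists to
		// carry. wp_kses_post() is the context-appropriate output filter for
		// a block of allowed HTML.
		echo wp_kses_post( $html );
		?>
	</div>
	<?php
}
add_action( 'wp_footer', 'example_render_footer' );
```

The footer-HTML setting shows the answer to the question in the thread: escaping on output does not mean esc_html() everywhere; it means choosing the function that matches the output context, and for a field that is meant to carry markup, that function is wp_kses_post() (or wp_kses() with a custom allow-list). Note that wp_kses_post() removes script tags, so it cannot be the sanitizer for an option that is supposed to accept raw JavaScript; there is no escaping function that makes arbitrary user-supplied script safe to print, and WordPress core gates that ability behind the unfiltered_html capability rather than a filter.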