[theme-reviewers] Sanitizing Output

Justin Tadlock justin at justintadlock.com
Tue Oct 8 20:35:31 UTC 2013


I was just about to say the same thing.  If you need a good example of 
how to sanitize this based on the `unfiltered_html` cap, check out the 
WordPress text widget in `wp-includes/default-widgets.php`.
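
The pattern referred to above (gate the stored value on `unfiltered_html` at save time, show the field only to users who hold the cap, and echo the stored markup as-is in the page because escaping it would defeat its purpose) is sketched below as an added example. It is not code from this thread, from the WordPress text widget, or from Options Framework; the option name `mytheme_header_code`, the option group and the callback names are placeholders, and the `register_setting()` array form assumes WordPress 4.7 or later (on the 2013 core, the third argument was the callback name itself).

```php
<?php
/**
 * Added example (not from the thread or from WordPress core): a theme option
 * holding raw HTML/JS for the header, gated on the `unfiltered_html`
 * capability the way the core text widget is. Option and callback names are
 * hypothetical.
 */

// Register the option with a sanitize callback so every save path that goes
// through the Settings API runs the same check.
add_action( 'admin_init', function () {
    register_setting(
        'mytheme_options',      // hypothetical option group
        'mytheme_header_code',  // hypothetical option name
        array( 'sanitize_callback' => 'mytheme_sanitize_header_code' )
    );
} );

/**
 * Sanitize on input. Raw markup is stored only when the saving user holds
 * `unfiltered_html`. current_user_can() already answers false for that cap
 * when DISALLOW_UNFILTERED_HTML is set, or on multisite for anyone who is not
 * a super admin, so the "disabled for all users" environments mentioned in
 * the thread need no extra handling here.
 */
function mytheme_sanitize_header_code( $value ) {
    $value = (string) $value;

    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value; // trusted user: keep exactly what was entered
    }

    // Untrusted user: wp_kses_post() strips <script>, on* handlers and the
    // rest of what post content may not carry. Whatever survives is safe to
    // print later without further escaping.
    return wp_kses_post( $value );
}

/**
 * Only render the field for users who can actually save raw markup; showing
 * it to everyone promises something the sanitizer will strip on save.
 */
function mytheme_header_code_field() {
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        return;
    }
    // Inside the form the value is text, so it is escaped as textarea content.
    printf(
        '<textarea name="mytheme_header_code" rows="8" cols="60">%s</textarea>',
        esc_textarea( get_option( 'mytheme_header_code', '' ) )
    );
}

// Output in the page: the value is meant to run as markup/JS, so it is echoed
// as stored. The trust decision was made in the sanitize callback at save
// time, which is the split the thread describes (sanitize in, escape out where
// the context is text).
add_action( 'wp_head', function () {
    echo get_option( 'mytheme_header_code', '' );
}, 99 );
```

Note the two different treatments of the same stored string: in the settings form it is textarea content, so `esc_textarea()` applies; in `wp_head` it is markup by design, so the only defence is the capability check on the way in.
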

On 10/8/2013 3:29 PM, Konstantin Kovshenin wrote:
> > a feature in my theme allows user to enter javascript
>
> Run it through kses on input, also a good idea to check for 
> current_user_can( 'unfiltered_html' ); before even showing the option. 
> Note that there are some environments where unfiltered html (including 
> js, etc) is disabled *for all users* including admins and super admins.
>
>
> On Wed, Oct 9, 2013 at 12:22 AM, Srikanth Koneru <tskk79 at gmail.com> wrote:
>
>     The header footer js codes that are inserted via theme options, do
>     they need to be escaped at all and if so how to do it?
>
>
>     On Wed, Oct 9, 2013 at 1:50 AM, Rohit Tripathi <rohitink at live.com> wrote:
>
>         Thanks Chip. :)
>
>         ------------------------------------------------------------------------
>         Date: Tue, 8 Oct 2013 16:18:09 -0400
>         From: chip at chipbennett.net
>         To: theme-reviewers at lists.wordpress.org
>         Subject: Re: [theme-reviewers] Sanitizing Output
>
>         The general rule is: sanitize on input, escape on output.
>
>
>         On Tue, Oct 8, 2013 at 4:00 PM, Rohit Tripathi <rohitink at live.com> wrote:
>
>             Yes, I have escaped all the URLs. That's done.
>
>             But, a feature in my theme allows user to enter javascript
>             or html through the theme options panel, which is
>             sanitized on input. So, I hope I don't have to sanitize it
>             on the output. Because, if I use functions like esc_html
>             or esc_js on them, then the whole point of letting them
>             enter js/html is lost. So, if I have to sanitize them on
>             output, how do I do that?
>
>             Thanks.
>
>             ------------------------------------------------------------------------
>             Date: Tue, 8 Oct 2013 21:57:44 +0200
>             From: grapplerulrich at gmail.com
>             To: theme-reviewers at lists.wordpress.org
>             Subject: Re: [theme-reviewers] Sanitizing Output
>
>
>             No, but it is good to escape it.
>
>             On 8 Oct 2013 21:54, "Rohit Tripathi" <rohitink at live.com> wrote:
>
>                 Hello.
>
>                 I am using Options Framework with my theme. I have
>                 properly sanitized all input using all the necessary
>                 functions including wp_kses.
>
>                 Is it necessary to sanitize it on the output?
>
>                 _______________________________________________
>                 theme-reviewers mailing list
>                 theme-reviewers at lists.wordpress.org
>                 <mailto:theme-reviewers at lists.wordpress.org>
>                 http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
>
>
>
>
> -- 
> Konstantin
>
