[theme-reviewers] Sanitizing Output

Emil Uzelac emil at uzelac.me
Tue Oct 8 20:53:43 UTC 2013


disabled to all but superadmin with multisite :)


On Tue, Oct 8, 2013 at 3:35 PM, Justin Tadlock <justin at justintadlock.com> wrote:

>  I was just about to say the same thing.  If you need a good example of
> how to sanitize this based on the `unfiltered_html` cap, check out the
> WordPress text widget in `wp-includes/default-widgets.php`.
>
>
> On 10/8/2013 3:29 PM, Konstantin Kovshenin wrote:
>
> > a feature in my theme allows user to enter javascript
>
>  Run it through kses on input, also a good idea to check for
> current_user_can( 'unfiltered_html' ); before even showing the option. Note
> that there are some environments where unfiltered html (including js, etc)
> is disabled *for all users* including admins and super admins.
>
>
> On Wed, Oct 9, 2013 at 12:22 AM, Srikanth Koneru <tskk79 at gmail.com> wrote:
>
>> The header/footer JS code that is inserted via theme options, does it
>> need to be escaped at all, and if so, how do I do it?
>>
>>
>> On Wed, Oct 9, 2013 at 1:50 AM, Rohit Tripathi <rohitink at live.com> wrote:
>>
>>>  Thanks Chip. :)
>>>
>>>  ------------------------------
>>> Date: Tue, 8 Oct 2013 16:18:09 -0400
>>> From: chip at chipbennett.net
>>>
>>> To: theme-reviewers at lists.wordpress.org
>>> Subject: Re: [theme-reviewers] Sanitizing Output
>>>
>>> The general rule is: sanitize on input, escape on output.
>>>
>>>
>>> On Tue, Oct 8, 2013 at 4:00 PM, Rohit Tripathi <rohitink at live.com> wrote:
>>>
>>>  Yes, I have escaped all the URLs. That's done.
>>>
>>> But a feature in my theme allows the user to enter JavaScript or HTML
>>> through the theme options panel, which is sanitized on input. So, I hope I
>>> don't have to sanitize it on the output. Because, if I use functions like
>>> esc_html or esc_js on them, then the whole point of letting them enter
>>> JS/HTML is lost. So, if I have to sanitize them on output, how do I do
>>> that?
>>>
>>>  Thanks.
>>>
>>>  ------------------------------
>>> Date: Tue, 8 Oct 2013 21:57:44 +0200
>>> From: grapplerulrich at gmail.com
>>> To: theme-reviewers at lists.wordpress.org
>>> Subject: Re: [theme-reviewers] Sanitizing Output
>>>
>>>
>>> No, but it is good to escape it.
>>> On 8 Oct 2013 21:54, "Rohit Tripathi" <rohitink at live.com> wrote:
>>>
>>>  Hello.
>>>
>>>  I am using Options Framework with my theme. I have properly sanitized
>>> all input using all the necessary functions, including wp_kses.
>>>
>>>  Is it necessary to sanitize it on the output?
>>>
>>> _______________________________________________
>>> theme-reviewers mailing list
>>> theme-reviewers at lists.wordpress.org
>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>
>>>
>>>
>>
>>
>
>
>  --
> Konstantin
>
>
>
>
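Worked example of what the thread recommends (added here; this is not code from the thread, from WordPress core or from Options Framework): a "raw header code" theme option that is sanitized on input, gated on the `unfiltered_html` capability the way the core text widget does it, and echoed on output without `esc_html()`/`esc_js()` so the feature still works. The option name `mytheme_header_code`, the option group `mytheme_options`, the page slug `mytheme` and the function names are assumptions chosen for the example.

```php
<?php
/*
 * Added example (not from this thread, WordPress core or Options Framework).
 * Assumed names: option 'mytheme_header_code', group 'mytheme_options',
 * settings page slug 'mytheme', section 'mytheme_main'.
 */

add_action( 'admin_init', 'mytheme_register_header_code_option' );
function mytheme_register_header_code_option() {
    // The sanitize callback is the real security boundary: it runs on every
    // save, whether the request came from our form or was crafted by hand.
    register_setting( 'mytheme_options', 'mytheme_header_code', 'mytheme_sanitize_header_code' );
    add_settings_section( 'mytheme_main', '', '__return_false', 'mytheme' );
    add_settings_field( 'mytheme_header_code', 'Header code (HTML/JS)',
        'mytheme_render_header_code_field', 'mytheme', 'mytheme_main' );
}

/*
 * Input side: sanitize on input. current_user_can( 'unfiltered_html' ) is
 * false for everyone when DISALLOW_UNFILTERED_HTML is defined, and on
 * multisite for all but super admins, so those environments land in the
 * kses branch with no extra code.
 */
function mytheme_sanitize_header_code( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value; // trusted user: <script>, inline handlers etc. kept verbatim
    }
    // Everyone else: post-content whitelist; <script>, on* attributes and
    // javascript: URLs are removed.
    return wp_kses_post( $value );
}

/* Option panel: do not even show the textarea to users who cannot store raw HTML. */
function mytheme_render_header_code_field() {
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        echo '<p>' . esc_html( 'Raw HTML/JS is disabled for your account on this site.' ) . '</p>';
        return;
    }
    // Escaped here because inside a <textarea> the value is displayed, not executed.
    printf( '<textarea name="mytheme_header_code" rows="8" cols="70">%s</textarea>',
        esc_textarea( get_option( 'mytheme_header_code', '' ) ) );
}

add_action( 'admin_menu', 'mytheme_add_options_page' );
function mytheme_add_options_page() {
    add_theme_page( 'Theme Options', 'Theme Options', 'edit_theme_options',
        'mytheme', 'mytheme_render_options_page' );
}
function mytheme_render_options_page() {
    echo '<div class="wrap"><h2>Theme Options</h2><form method="post" action="options.php">';
    settings_fields( 'mytheme_options' );
    do_settings_sections( 'mytheme' );
    submit_button();
    echo '</form></div>';
}

/*
 * Output side. Whatever is stored was either saved by an unfiltered_html user
 * or already reduced by wp_kses_post(), so it is echoed raw; esc_html() here
 * would defeat the feature. The one exception: a site that turned on
 * DISALLOW_UNFILTERED_HTML after the value was saved (or imported options)
 * must not run old raw code, so it is filtered again at output time.
 */
add_action( 'wp_head', 'mytheme_print_header_code', 99 );
function mytheme_print_header_code() {
    $code = get_option( 'mytheme_header_code', '' );
    if ( '' === $code ) {
        return;
    }
    if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
        $code = wp_kses_post( $code );
    }
    echo $code; // raw by design; trust was decided in the sanitize callback
}
```

Hiding the textarea is a usability measure, not the control: a user with `edit_theme_options` but without `unfiltered_html` can still POST to options.php, and it is the `register_setting` sanitize callback that guarantees their value goes through `wp_kses_post()`. The output-side re-filter only matters for the "disabled for all users" environments mentioned above, where a value stored before the constant was set would otherwise still execute.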

