[theme-reviewers] home_url('/') VS esc_url(home_url('/')) Clarification

Thu Sep 12 20:08:42 UTC 2013

Indeed. I think you drew the line at the right place: recommended.

On 12 September 2013 16:07, Chip Bennett <chip at chipbennett.net> wrote:

> He's talking about this, I think:
>
>
> http://core.trac.wordpress.org/browser/tags/3.6.1/wp-includes/formatting.php#L2660
>
> The value returned by esc_url() is filtered:
>
> return apply_filters('clean_url', $good_protocol_url, $original_url,
> $_context);
>
>
> There are a lot of rabbit holes...
>
>
> On Thu, Sep 12, 2013 at 4:02 PM, Emil Uzelac <emil at uzelac.me> wrote:
>
>> isn't clean_url deprecated<http://codex.wordpress.org/Function_Reference/clean_url>and aren't we suppose to use
>> esc_url() instead?
>>
>>
>> On Thu, Sep 12, 2013 at 2:59 PM, Justin Tadlock <justin at justintadlock.com
>> > wrote:
>>
>>>  `esc_url()` is also filterable via the `clean_url` hook. :)
>>>
>>>
>>> On 9/12/2013 2:56 PM, Kirk Wight wrote:
>>>
>>> Note that get_home_url() (which is used by home_url()) is filterable, so
>>> technically we have no idea what's going to come through; using esc_url(),
>>> even if not required, will always be a good idea.
>>>
>>>
>>> On 12 September 2013 15:30, Zulfikar Nore <zulfikarnore at live.com> wrote:
>>>
>>>>  Thanks for the clarification Chip - Noted :)
>>>>
>>>>  ------------------------------
>>>> Date: Thu, 12 Sep 2013 14:32:55 -0400
>>>> From: chip at chipbennett.net
>>>> To: theme-reviewers at lists.wordpress.org
>>>> Subject: Re: [theme-reviewers] home_url('/') VS esc_url(home_url('/'))
>>>> Clarification
>>>>
>>>>
>>>> I would consider it as *recommended*, since home_url() isn't explicitly
>>>> user-configurable. At the very least, if it's considered as *required*,
>>>> then it is minor enough to leave until the next revision.
>>>>
>>>>
>>>> On Thu, Sep 12, 2013 at 2:30 PM, Zulfikar Nore <zulfikarnore at live.com>wrote:
>>>>
>>>>  As this page:
>>>> http://make.wordpress.org/themes/guidelines/guidelines-theme-security-and-privacy/ has
>>>> since changed I thought I'd ask just to be clear I understand the
>>>> requirements.
>>>>
>>>>  Is esc_url for home_url a requirement or recommended? This page:
>>>> http://codex.wordpress.org/Data_Validation does not state explicitly
>>>> that it is a requirement.
>>>>
>>>>  So if its a requirement - is it a must fix requirement or can it be a
>>>> fix in next revision requirement?
>>>>
>>>>  Thanks in advance,
>>>> Zulf
>>>>
>>>> _______________________________________________
>>>> theme-reviewers mailing list
>>>> theme-reviewers at lists.wordpress.org
>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>>
>>>>
>>>>
>>>> _______________________________________________ theme-reviewers mailing
>>>> list theme-reviewers at lists.wordpress.org
>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>>
>>>> _______________________________________________
>>>> theme-reviewers mailing list
>>>> theme-reviewers at lists.wordpress.org
>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> theme-reviewers mailing listtheme-reviewers at lists.wordpress.orghttp://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>
>>>
>>>
>>> _______________________________________________
>>> theme-reviewers mailing list
>>> theme-reviewers at lists.wordpress.org
>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>
>>>
>>
>> _______________________________________________
>> theme-reviewers mailing list
>> theme-reviewers at lists.wordpress.org
>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>
>>
>
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wordpress.org/pipermail/theme-reviewers/attachments/20130912/eba1a2fe/attachment-0001.html>