[theme-reviewers] esc_url() for all links?

Zack Tollman tollmanz at gmail.com
Sat Aug 30 05:18:29 UTC 2014


Escaping is usually left to the developer because you need to escape
differently for different situations. For instance, there are two different
URL escaping functions, `esc_url()` (used for printing in HTML) and
`esc_url_raw()` (used for saving to the db), which should be used for
different purposes. Because the `get_` functions don't know how you are
using the data, they are generally not escaped. The `the_` functions are
escaped and have to be because they echo output instead of returning it.
There is no way for you to escape it unless you were to use output
buffering, which is awkward in that situation.

I would also highly encourage you to look at core code when in doubt. You
will usually be able to see clearly if a function is escaping output or
not. Furthermore, if you are not sure, you are usually better off escaping
the data. Escaping it twice would obviously add more overhead (in most
cases a non-significant amount), but is likely a reasonable trade off for
better security.


On Fri, Aug 29, 2014 at 9:51 PM, Emil Uzelac <emil at uzelac.me> wrote:

> esc_url will check first and clean when needed:
> https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/formatting.php#L2875
>
> Related and also to append on my previous messages:
> https://core.trac.wordpress.org/changeset/23527/trunk
>
> See:
>
>    - https://core.trac.wordpress.org/ticket/20771
>    - http://codex.wordpress.org/Data_Validation
>
>
> Otto or Justin are more suitable to answer in details :)
>
>
>
> On Fri, Aug 29, 2014 at 10:54 PM, Dane Morgan <dane at danemorganmedia.com>
> wrote:
>
>> Is there a list somewhere of what is an is not escaped?
>>
>> What happens if you escape something that is already escaped? Nothing
>> horrible, right?
>>
>>
>> Zack Tollman wrote:
>>
>> It's SO not escaped.
>>
>>
>> --
>> Sent with Postbox <http://www.getpostbox.com>
>>
>> _______________________________________________
>> theme-reviewers mailing list
>> theme-reviewers at lists.wordpress.org
>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>
>>
>
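The distinction Zack draws above (one escaper for the database, another for HTML output, and the observation that escaping twice costs only a little overhead) is easier to see in code. The block below is an added example, not code from this thread or from WordPress core: the `model_` functions are hypothetical stand-ins that reproduce only the shape of `esc_url()` / `esc_url_raw()` (strip junk, enforce a scheme allowlist, and for the HTML variant entity-encode), with a deliberately short allowlist as an assumption; the real functions in `wp-includes/formatting.php` use `wp_allowed_protocols()` and handle more cases. In a theme the equivalent calls are `esc_url( get_permalink() )` at output time and `esc_url_raw( $url )` before saving, since `get_` functions return raw data.

```php
<?php
// Added example, not WordPress core code: a reduced model of the two URL
// escaping contexts. Names beginning with model_ are hypothetical.

// Assumption: a short scheme allowlist; core's wp_allowed_protocols() is longer.
const MODEL_ALLOWED_SCHEMES = ['http', 'https', 'mailto', 'ftp'];

/**
 * Shared cleaning step: make the value a safe URL regardless of where it
 * will be used afterwards.
 */
function model_clean_url(string $url): string
{
    $url = trim($url);
    if ($url === '') {
        return '';
    }
    // Decode entities first so an already-escaped value ("&amp;") is judged
    // on its real characters. This is what makes the function idempotent:
    // escaping twice yields the same string as escaping once.
    $url = html_entity_decode($url, ENT_QUOTES, 'UTF-8');
    // Drop control characters and spaces; they are never legitimate here and
    // are the classic way to smuggle "java\tscript:" past a scheme check.
    $url = preg_replace('/[\x00-\x20\x7f]/', '', $url);
    // Scheme allowlist. Relative URLs (no scheme) pass through unchanged.
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $url, $m)
        && !in_array(strtolower($m[1]), MODEL_ALLOWED_SCHEMES, true)) {
        return ''; // javascript:, data:, vbscript: ... are rejected outright
    }
    return $url;
}

/** For the database or a redirect header: a clean, literal URL, no HTML encoding. */
function model_esc_url_raw(string $url): string
{
    return model_clean_url($url);
}

/** For an HTML attribute or text node: clean, then entity-encode & < > " '. */
function model_esc_url(string $url): string
{
    return htmlspecialchars(model_clean_url($url), ENT_QUOTES, 'UTF-8');
}

// --- Constructed inputs (not taken from the thread) ----------------------
$input  = "  https://example.com/?a=1&b=2 ";
$stored = model_esc_url_raw($input); // "https://example.com/?a=1&b=2"
$attr   = model_esc_url($stored);    // "https://example.com/?a=1&amp;b=2"

echo 'DB value:   ', $stored, PHP_EOL;
echo 'HTML value: <a href="', $attr, '">link</a>', PHP_EOL;

// Escaping the already-escaped value again is wasted work, not a bug.
echo 'idempotent: ', var_export(model_esc_url($attr) === $attr, true), PHP_EOL;

// Scheme-smuggling attempts all collapse to the empty string; a plain
// relative path is left alone.
$attempts = [
    'javascript:alert(1)',      // plain
    'java&#115;cript:alert(1)', // entity-obfuscated "s"
    "java\tscript:alert(1)",    // tab inside the scheme
    '/relative/path?x=1',       // no scheme: allowed
];
foreach ($attempts as $u) {
    printf("%-32s => %s\n",
        json_encode($u, JSON_UNESCAPED_SLASHES),
        var_export(model_esc_url($u), true));
}
```

Run it with `php example.php`. The point to take from the entity-decode step is why `esc_url()` on data that was already passed through `esc_url_raw()` (or through `esc_url()` itself) is harmless: the second pass sees the same characters as the first. The point to take from the `$attempts` loop is why the scheme check must run after entity and whitespace normalisation, not before.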