[theme-reviewers] esc_url() for all links?

Emil Uzelac emil at uzelac.me
Sat Aug 30 05:35:44 UTC 2014


Thanks Otto!

On Saturday, August 30, 2014, Otto <otto at ottodestruct.com> wrote:

> This isn't complicated. Really. :)
>
> You don't *have* to escape core functions like this, but you should, just
> to get into the habit of it.
>
> Imagine a situation where a rogue plugin slipped past our filters and did
> bad things. It would be nice to be immune, no?
>
> Not saying that is possible, or even likely, but it doesn't hurt to always
> escape output properly. At minimum, it makes you think about what the
> content could be, and in what context it resides, and how it should be
> displayed.
>
> It doesn't hurt. In weird and rare situations it might help. But, it
> should not be something that reviewers ding you on. I mean, c'mon.
>
>
> -Otto
>
>
> On Fri, Aug 29, 2014 at 11:51 PM, Emil Uzelac <emil at uzelac.me> wrote:
>
>> esc_url will check first and clean when needed:
>> https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/formatting.php#L2875
>>
>> Related and also to append on my previous messages:
>> https://core.trac.wordpress.org/changeset/23527/trunk
>>
>> See:
>>
>>    - https://core.trac.wordpress.org/ticket/20771
>>    - http://codex.wordpress.org/Data_Validation
>>
>>
>> Otto or Justin are more suitable to answer in details :)
>>
>>
>>
>> On Fri, Aug 29, 2014 at 10:54 PM, Dane Morgan <dane at danemorganmedia.com> wrote:
>>
>>> Is there a list somewhere of what is and is not escaped?
>>>
>>> What happens if you escape something that is already escaped? Nothing
>>> horrible, right?
>>>
>>>
>>> Zack Tollman wrote:
>>>
>>> It's SO not escaped.
>>>
>>>
>>> --
>>> Sent with Postbox <http://www.getpostbox.com>
>>>
>>> _______________________________________________
>>> theme-reviewers mailing list
>>> theme-reviewers at lists.wordpress.org
>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>
>>>
>>
>>
>>
>
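As an added illustration of Otto's point, not code from the original thread or from WordPress core: a theme template helper that escapes each core-function value for the context it is printed in, plus a small check of Dane's question about escaping something that is already escaped. It assumes a loaded WordPress environment; the `my_theme_*` names and the sample URLs are made up for this example.

```php
<?php
// Added example (not from the thread or WordPress core). Assumes WordPress
// is loaded, e.g. called from a theme template; my_theme_* names are hypothetical.

/**
 * Print the site link from a theme header. Each value is escaped for the
 * context it lands in: esc_url() for the href, esc_attr() for an attribute,
 * esc_html() for visible text. home_url() and get_bloginfo() are core
 * functions, escaped anyway out of habit, as Otto recommends.
 */
function my_theme_site_link() {
    $url  = home_url( '/' );
    $name = get_bloginfo( 'name' );
    printf(
        '<a href="%s" title="%s" rel="home">%s</a>',
        esc_url( $url ),
        esc_attr( $name ),
        esc_html( $name )
    );
}

/**
 * Report whether esc_url() is stable for one input: escaping its own
 * output a second time should leave it unchanged. Returns true when the
 * single- and double-escaped strings match.
 */
function my_theme_esc_url_is_stable( $url ) {
    $once  = esc_url( $url );
    $twice = esc_url( $once );
    return $once === $twice;
}

// Constructed sample inputs: a query string whose '&' gets entity-encoded
// for display, and a URL containing characters esc_url() strips.
$samples = array(
    'https://example.com/?a=1&b=2',
    'https://example.com/path with spaces/',
);
foreach ( $samples as $sample ) {
    printf(
        "%s => '%s' (stable after double escaping: %s)\n",
        $sample,
        esc_url( $sample ),
        my_theme_esc_url_is_stable( $sample ) ? 'yes' : 'no'
    );
}
```

Run the loop via `wp eval-file` or from a test plugin to see the escaped form of each sample and whether a second esc_url() pass changes it.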