[theme-reviewers] esc_url() for all links?

Dane Morgan dane at danemorganmedia.com
Sat Aug 30 14:17:43 UTC 2014


Yes, thank you Otto and Zach.

> Emil Uzelac <mailto:emil at uzelac.me>
> Saturday, August 30, 2014 00:35
> Thanks Otto!
>
> On Saturday, August 30, 2014, Otto <otto at ottodestruct.com 
> <mailto:otto at ottodestruct.com>> wrote:
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
> Otto <mailto:otto at ottodestruct.com>
> Saturday, August 30, 2014 00:18
> This isn't complicated. Really. :)
>
> You don't *have* to escape core functions like this, but you should, 
> just to get into the habit of it.
>
> Imagine a situation where a rogue plugin slipped past our filters and 
> did bad things. It would be nice to be immune, no?
>
> Not saying that is possible, or even likely, but it doesn't hurt to 
> always escape output properly. At minimum, it makes you think about 
> what the content could be, and in what context it resides, and how it 
> should be displayed.
>
> It doesn't hurt. In weird and rare situations it might help. But, it 
> should not be something that reviewers ding you on. I mean, c'mon.
>
>
> -Otto
>
>
>
> Emil Uzelac <mailto:emil at uzelac.me>
> Friday, August 29, 2014 23:51
> esc_url will check first and clean when needed:
> https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/formatting.php#L2875.
>
>
> Related and also to append on my previous messages: 
> https://core.trac.wordpress.org/changeset/23527/trunk
>
> See:
>
>   * https://core.trac.wordpress.org/ticket/20771
>   * http://codex.wordpress.org/Data_Validation
>
>
> Otto or Justin are more suitable to answer in details :)
>
>
>
>
> Dane Morgan <mailto:dane at danemorganmedia.com>
> Friday, August 29, 2014 22:54
> Is there a list somewhere of what is and is not escaped?
>
> What happens if you escape something that is already escaped? Nothing 
> horrible, right?
>
>
> Zack Tollman <mailto:tollmanz at gmail.com>
> Friday, August 29, 2014 19:46
> Are you trolling me, Emil? ;)
>
> `get_the_permalink()` was added in 3.9.0 to be more consistent with 
> other template tags (e.g., `get_the_title()`, not `get_title()`). It 
> is just a synonym for `get_permalink()`. You shouldn't use it for 
> themes unless you plan to not support < 3.9.0. You can see it in all 
> its glory here: 
> https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L99.
>
> Here is `get_permalink()`: 
> https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L112. 
> The function concludes with: 
> https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L231. 
> At no point is it escaped. When core uses the function for echoing to 
> the screen, it escapes `get_permalink()` 
> (https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L22).
>
> It's SO not escaped.
>
>
>
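
As an added illustration of Zack's and Otto's points (this is not code from the thread or from WordPress core): a theme loop fragment, assumed to run inside a WordPress template within The Loop so that the core functions it calls exist, showing the unescaped permalink output beside the escaped form for each output context.

```php
<?php
// Added example, not from the thread. Assumes it runs inside a WordPress
// template within The Loop, so get_permalink(), get_the_title(), esc_url(),
// esc_attr(), esc_html() and the_permalink() are all defined.
//
// get_permalink() returns the raw, filtered URL and never escapes it
// (link-template.php, as Zack points out). Core only escapes when it echoes
// the value for you in the_permalink(). Use get_permalink() rather than the
// 3.9.0 synonym get_the_permalink() if the theme supports older versions.

// 1. Unescaped output. Whatever the 'post_link' filter chain returns ends
//    up verbatim inside an HTML attribute; the theme is trusting every
//    active plugin to have returned a well-formed URL.
?>
<a href="<?php echo get_permalink(); ?>"><?php echo get_the_title(); ?></a>

<?php
// 2. Escaped output, one function per context (Otto's "what context it
//    resides in"):
//    esc_url()  - URL in href/src: allows only the permitted schemes and
//                 strips or encodes characters that are not valid in a URL.
//    esc_attr() - plain attribute value such as title="".
//    esc_html() - text between tags.
?>
<a href="<?php echo esc_url( get_permalink() ); ?>"
   title="<?php echo esc_attr( get_the_title() ); ?>">
	<?php echo esc_html( get_the_title() ); ?>
</a>

<?php
// 3. the_permalink() is equivalent to the escaped href in (2): core wraps
//    the filtered permalink in esc_url() before echoing, so nothing further
//    is needed for the URL here.
?>
<a href="<?php the_permalink(); ?>"><?php echo esc_html( get_the_title() ); ?></a>
```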
