[theme-reviewers] Why Rigorous Review of Theme Functional Files is Important

Otto otto at ottodestruct.com
Thu Jan 30 16:47:33 UTC 2014


On Thu, Jan 30, 2014 at 10:35 AM, Srikanth Koneru <tskk79 at gmail.com> wrote:

> If I add 'capability' => 'unfiltered_html' then can I skip
> 'sanitize_callback' => 'prefix_sanitize_integer' ?
>


... I'm not sure that that question actually makes sense.

If you were allowing only integer inputs, then you wouldn't also require
the unfiltered_html capability.

- Capability determines "who" is allowed to change a setting.
- Sanitization is used to make sure that the value they put into a setting
is valid.

So, if a setting should only have integers in it, then 'sanitize_callback'
=> 'absint' would be what you want to use.

If only people with the ability to post raw HTML should have access to a
setting, then it should have 'capability' => 'unfiltered_html'.

These two things are somewhat different in nature, and ideally you will
have both for all cases.

For example, having 'capability' => 'edit_theme_options' makes sense for
almost all cases, because if a user isn't allowed to edit theme options,
then they shouldn't really be in the customizer. This is why this is the
default for customizer-settings.

But for some cases, you're allowing users to change other things through
the customizer. For example, the core blog-name is exposed in the
customizer, using 'capability' => 'manage_options'. This means that only
people who have manage_options (admins, basically) can change that setting.

The sanitize_callback, on the other hand, is dealing with what happens
*after* they submit the setting. Before it's saved in the database, you
want to make sure it looks like what it is supposed to look like. If it's
supposed to be an HTML color, then you'd run it through sanitize_hex_color.
If it's supposed to be an integer, then you'd run it through intval or
absint. That sort of thing.

-Otto
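A concrete registration of the two knobs discussed above, as an added example that is not from the original post or from WordPress core; the `prefix_` function and setting names are hypothetical, while `add_setting`, `absint`, `sanitize_hex_color` and `wp_check_invalid_utf8` are core WordPress APIs.

```php
<?php
// Added example (not from the original post): three customizer settings that
// pair "who may change it" (capability) with "what value is accepted"
// (sanitize_callback). All prefix_* names are hypothetical.

function prefix_sanitize_column_count( $value ) {
    // Coerce to a non-negative integer, then clamp to the range the theme
    // supports so an out-of-range number never reaches the database.
    $value = absint( $value );
    return min( max( $value, 1 ), 4 );
}

function prefix_sanitize_raw_html( $value ) {
    // This setting is only reachable by users holding unfiltered_html, so
    // markup is left alone; invalid UTF-8 is still rejected (returns '').
    return is_string( $value ) ? wp_check_invalid_utf8( $value ) : '';
}

function prefix_customize_register( WP_Customize_Manager $wp_customize ) {
    // Integer-only setting: edit_theme_options (the default) decides who may
    // change it; the callback decides what survives on save.
    $wp_customize->add_setting( 'prefix_column_count', array(
        'default'           => 2,
        'capability'        => 'edit_theme_options',
        'sanitize_callback' => 'prefix_sanitize_column_count',
    ) );

    // Colour setting: sanitize_hex_color() returns null for anything that is
    // not a #rgb / #rrggbb value, so a bad submission is discarded.
    $wp_customize->add_setting( 'prefix_accent_color', array(
        'default'           => '#0073aa',
        'capability'        => 'edit_theme_options',
        'sanitize_callback' => 'sanitize_hex_color',
    ) );

    // Raw-HTML setting: restricted to users with unfiltered_html, and still
    // run through a callback; the two checks are independent of each other.
    $wp_customize->add_setting( 'prefix_footer_html', array(
        'default'           => '',
        'capability'        => 'unfiltered_html',
        'sanitize_callback' => 'prefix_sanitize_raw_html',
    ) );
}
add_action( 'customize_register', 'prefix_customize_register' );
```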