[theme-reviewers] use of esc_url

priyanshu mittal priyanshu.mittal at gmail.com
Fri Oct 3 14:11:38 UTC 2014


Hi Ulrich


Thanks for the answer. I will ask users to do this as a requirement.

Thanks
Priyanshu

On Fri, Oct 3, 2014 at 7:39 PM, Ulrich Pogson <grapplerulrich at gmail.com>
wrote:

> It is required to escape all data before it is output anywhere in the
> theme. Security is the top priority.
>
> On 3 October 2014 15:51, priyanshu mittal <priyanshu.mittal at gmail.com>
> wrote:
>
>> Here is my ticket url: https://themes.trac.wordpress.org/ticket/21002
>>
>> I have already sanitized the favicon URL before saving it to the database.
>>
>> My question is: do I still need to call esc_url() while outputting it in
>> the HTML? Is this required or recommended?
>>
>> The main reason I am asking is because I am also currently reviewing a
>> theme which has a similar type of code.
>>
>> So required or recommended?
>>
>>
>> Thanks
>> Priyanshu
>>
>>
>>
>> On Fri, Oct 3, 2014 at 6:57 PM, Justin Tadlock <justin at justintadlock.com>
>> wrote:
>>
>>> We would never have anything so specific as to use `esc_url()` in the
>>> guidelines. You'd need to use the most appropriate function for the job.
>>> If dealing with URLs, `esc_url()` will usually be your best bet. Questions
>>> such as this are better handled by looking at the specific case, though.
>>> Generic answers/solutions are rarely a good idea when talking about
>>> sanitizing, validating, and/or escaping.
>>>
>>> Here's the guideline:
>>>
>>> "Themes are required to validate and sanitize all untrusted data before
>>> entering data into the database, and to escape all untrusted data before
>>> being output in the Settings form fields or in the Theme template files
>>> (see: Data Validation)"
>>>
>>> See:
>>> https://make.wordpress.org/themes/handbook/guidelines/theme-security-and-privacy/
>>>
>>> On Fri, Oct 3, 2014 at 8:04 AM, priyanshu mittal <
>>> priyanshu.mittal at gmail.com> wrote:
>>>
>>>> Hi
>>>>
>>>> Is it mandatory to use esc_url in themes? If yes, can you provide me
>>>> with the link where it is mentioned?
>>>>
>>>> Thanks
>>>> Priyanshu
>>>>
>>>> _______________________________________________
>>>> theme-reviewers mailing list
>>>> theme-reviewers at lists.wordpress.org
>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>>
>>>>
>>>
>>
>
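A worked illustration of the guideline quoted in this thread ("validate and sanitize before entering data into the database, and escape before output"), added here as an example; it is not code from ticket 21002 or from any of the participants. The theme mod name `favicon_url`, the function prefix `example_theme_` and the Customizer section are assumptions chosen for the illustration; the WordPress functions used (`esc_url_raw()`, `esc_url()`, `get_theme_mod()`, `WP_Customize_Manager::add_setting()`/`add_control()`, `add_action()`) are the real core API.

```php
<?php
/*
 * Added example, not from the ticket or the thread. Assumes a theme that
 * stores a favicon URL as the theme mod 'favicon_url' (hypothetical name).
 */

/*
 * 1. Sanitize on the way IN, before the value reaches the database.
 *    esc_url_raw() is the storage-side sanitizer: it rejects disallowed
 *    protocols (e.g. javascript:) but does not entity-encode the result,
 *    so the stored string is a plain URL, not HTML.
 */
function example_theme_customize_register( WP_Customize_Manager $wp_customize ) {
	$wp_customize->add_setting( 'favicon_url', array(
		'default'           => '',
		'sanitize_callback' => 'esc_url_raw',
	) );
	$wp_customize->add_control( 'favicon_url', array(
		'label'   => 'Favicon URL',
		'section' => 'title_tagline',
		'type'    => 'url',
	) );
}
add_action( 'customize_register', 'example_theme_customize_register' );

/*
 * 2. Escape on the way OUT, at the exact point where the value is written
 *    into HTML, regardless of what happened on save. The stored value is
 *    untrusted here: it may have been changed by a plugin hooking the
 *    'theme_mod_favicon_url' filter, by an import, or by direct database
 *    access, none of which pass through the sanitize_callback above.
 */
function example_theme_print_favicon() {
	$favicon = get_theme_mod( 'favicon_url', '' );
	if ( '' === $favicon ) {
		return;
	}
	// esc_url() re-checks the protocol and strips or entity-encodes the
	// characters that could break out of the href attribute (quotes,
	// angle brackets, ampersands), so a tampered value cannot inject
	// markup or an event handler into the <link> element.
	printf( '<link rel="icon" href="%s" />' . "\n", esc_url( $favicon ) );
}
add_action( 'wp_head', 'example_theme_print_favicon' );
```

The first function is what "sanitized before saving" in the thread refers to; the second is the "escape on output" step the reviewers say is required. The two are not interchangeable: the sanitizer protects the database, the escaper protects the HTML context, and only the output function knows which context the value is entering.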