[theme-reviewers] use of esc_url

Ulrich Pogson grapplerulrich at gmail.com
Fri Oct 3 15:38:06 UTC 2014


Yes, that would make sense to reuse sanitize_hex_color()
<https://github.com/WordPress/WordPress/blob/master/wp-includes/class-wp-customize-manager.php#L1221>.

On 3 October 2014 17:04, Srikanth Koneru <tskk79 at gmail.com> wrote:

> Probably a good time to ask which function I should use to escape the color
> value I get from the customizer via get_theme_mod?
> Should I simply reuse sanitize_hex_color?
>
> On Fri, Oct 3, 2014 at 7:41 PM, priyanshu mittal <
> priyanshu.mittal at gmail.com> wrote:
>
>> Hi Ulrich
>>
>>
>> Thanks for the answer. I will ask users to do this as a requirement.
>>
>> Thanks
>> Priyanshu
>>
>> On Fri, Oct 3, 2014 at 7:39 PM, Ulrich Pogson <grapplerulrich at gmail.com>
>> wrote:
>>
>>> It is required to escape all data before it is output anywhere in the
>>> theme. Security is the top priority.
>>>
>>> On 3 October 2014 15:51, priyanshu mittal <priyanshu.mittal at gmail.com>
>>> wrote:
>>>
>>>> Here is my ticket url: https://themes.trac.wordpress.org/ticket/21002
>>>>
>>>> I have already sanitized the favicon URL before saving it to the
>>>> database.
>>>>
>>>> My question is: do I still need to call esc_url while outputting it
>>>> in the HTML? Is this required or recommended?
>>>>
>>>> The main reason I am asking is that I am currently also reviewing a
>>>> theme which has a similar type of code.
>>>>
>>>> So, required or recommended?
>>>>
>>>>
>>>> Thanks
>>>> Priyanshu
>>>>
>>>>
>>>>
>>>> On Fri, Oct 3, 2014 at 6:57 PM, Justin Tadlock <
>>>> justin at justintadlock.com> wrote:
>>>>
>>>>> We would never have anything so specific as to use `esc_url()` in the
>>>>> guidelines.  You'd need to use the most appropriate function for the job.
>>>>> If dealing with URLs, `esc_url()` will usually be your best bet.  Questions
>>>>> such as this are better handled by looking at the specific case though.
>>>>> Generic answers/solutions are rarely a good idea when talking about
>>>>> sanitizing, validating, and/or escaping.
>>>>>
>>>>> Here's the guideline:
>>>>>
>>>>> "Themes are required to validate and sanitize all untrusted data
>>>>> before entering data into the database, and to escape all untrusted data
>>>>> before being output in the Settings form fields or in the Theme template
>>>>> files (see: Data Validation)"
>>>>>
>>>>> See:
>>>>> https://make.wordpress.org/themes/handbook/guidelines/theme-security-and-privacy/
>>>>>
>>>>> On Fri, Oct 3, 2014 at 8:04 AM, priyanshu mittal <
>>>>> priyanshu.mittal at gmail.com> wrote:
>>>>>
>>>>>> Hi
>>>>>>
>>>>>> Is it mandatory to use esc_url in themes? If yes, can you
>>>>>> provide me the link where it is mentioned.
>>>>>>
>>>>>> Thanks
>>>>>> Priyanshu
>>>>>>
>>>>>> _______________________________________________
>>>>>> theme-reviewers mailing list
>>>>>> theme-reviewers at lists.wordpress.org
>>>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
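As an added example, which is not code from this thread nor from either theme under review, here is how the two halves of the guideline quoted above ("sanitize before entering the database" and "escape before output") apply to the favicon URL and the customizer color discussed in it. It assumes a WordPress theme environment; the setting names (`mytheme_favicon`, `mytheme_accent_color`), the `mytheme` text domain and the default color are hypothetical.

```php
<?php
/**
 * Added example: sanitize on save, escape again on output.
 * Setting names, text domain and default color are hypothetical.
 */

// 1. Register the settings with a sanitize_callback so that only validated
//    data ever reaches the database (the "sanitize before entering" half).
add_action( 'customize_register', 'mytheme_customize_register' );
function mytheme_customize_register( WP_Customize_Manager $wp_customize ) {
	$wp_customize->add_setting( 'mytheme_favicon', array(
		'default'           => '',
		'sanitize_callback' => 'esc_url_raw', // URL destined for storage, not for HTML
	) );
	$wp_customize->add_control( 'mytheme_favicon', array(
		'label'   => __( 'Favicon URL', 'mytheme' ),
		'section' => 'title_tagline',
		'type'    => 'url',
	) );

	$wp_customize->add_setting( 'mytheme_accent_color', array(
		'default'           => '#21759b',
		'sanitize_callback' => 'sanitize_hex_color', // accepts #abc / #aabbcc, null otherwise
	) );
	$wp_customize->add_control( new WP_Customize_Color_Control( $wp_customize, 'mytheme_accent_color', array(
		'label'   => __( 'Accent color', 'mytheme' ),
		'section' => 'colors',
	) ) );
}

// 2. Escape again at output time (the "escape before being output" half),
//    even though the stored value was sanitized: the template should treat the
//    database as untrusted, since an import, a filter or another plugin may have
//    written to the option after the sanitize_callback ran.
add_action( 'wp_head', 'mytheme_output_favicon' );
function mytheme_output_favicon() {
	$favicon = get_theme_mod( 'mytheme_favicon', '' );
	if ( '' === $favicon ) {
		return;
	}
	// esc_url() drops disallowed protocols (e.g. javascript:) and encodes the
	// characters that would otherwise break out of the href attribute.
	printf( '<link rel="icon" href="%s">' . "\n", esc_url( $favicon ) );
}

add_action( 'wp_head', 'mytheme_output_accent_color' );
function mytheme_output_accent_color() {
	$color = get_theme_mod( 'mytheme_accent_color', '#21759b' );

	// Caveat: at the time of this thread sanitize_hex_color() lived in the
	// customizer manager class, which is only loaded while customizing, so a
	// front-end call must be guarded or re-implemented with the same check.
	if ( function_exists( 'sanitize_hex_color' ) ) {
		$color = sanitize_hex_color( $color ); // null when not a valid hex color
	} elseif ( ! preg_match( '/^#([A-Fa-f0-9]{3}){1,2}$/', $color ) ) {
		$color = null;
	}
	if ( empty( $color ) ) {
		$color = '#21759b'; // fall back to the default rather than echo junk
	}

	// The value now matches #hhh or #hhhhhh, so it cannot carry markup or a
	// closing </style>; esc_attr() would be the right call for attribute use.
	echo '<style>a { color: ' . $color . '; }</style>' . "\n";
}
```

The point of the second half is the one Ulrich makes above: the value is escaped where it is used, with the function that matches the context (esc_url() for an href, a hex-color check for a CSS value, esc_attr() for other attributes), regardless of what the save path did. The function_exists() guard is there because the link in the thread points at the customizer manager class, which was not loaded on the front end at that time.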