[theme-reviewers] use of esc_url

Fri Oct 3 15:48:27 UTC 2014

Maybe, maybe not. Depends on how and where it's being used.

Sanitizing or validating values on input is to make sure that the input is
what you expect. If it's a hex color, then you want it to fit the pattern
of a hex color, so that's why the sanitize_hex_color() function exists.

But when you're putting  it back in a document, as output, then you're not
verifying what the value is, but actually making sure that it is properly
escaped for the context in which you are outputting it. If you were
outputting it to an HTML attribute, then you'd actually want to use
esc_attr(). If you were putting it in a URL (maybe as a query parameter
appended on the end of it), then the whole URL should be passed through
esc_url(). If it's going into some javascript, then esc_js() perhaps.

Remember, you're not concerned with what it "is" when creating the output,
but more with where that output is going to be located.

-Otto

On Fri, Oct 3, 2014 at 10:38 AM, Ulrich Pogson <grapplerulrich at gmail.com>
wrote:

> Yes, that would make sense to reuse sanitize_hex_color
> <https://github.com/WordPress/WordPress/blob/master/wp-includes/class-wp-customize-manager.php#L1221>
> ().
>
> On 3 October 2014 17:04, Srikanth Koneru <tskk79 at gmail.com> wrote:
>
>> Probably good time to ask which function should I use to esc the color
>> value I get from customizer via get_theme_mod?
>> Should I simply reuse the sanitize_hex_color?
>>
>> On Fri, Oct 3, 2014 at 7:41 PM, priyanshu mittal <
>> priyanshu.mittal at gmail.com> wrote:
>>
>>> HI Ulrich
>>>
>>>
>>> Thanks for the answer. I will ask users to do this as a required one.
>>>
>>> Thanks
>>> Priyanshu
>>>
>>> On Fri, Oct 3, 2014 at 7:39 PM, Ulrich Pogson <grapplerulrich at gmail.com>
>>> wrote:
>>>
>>>> It is required to escape all data before being outputted anywhere in
>>>> the theme. Security is the top priority.
>>>>
>>>> On 3 October 2014 15:51, priyanshu mittal <priyanshu.mittal at gmail.com>
>>>> wrote:
>>>>
>>>>> Here is my ticket url: https://themes.trac.wordpress.org/ticket/21002
>>>>>
>>>>> I have already sanitized the favicon url before saving it to the
>>>>> database.
>>>>>
>>>>> My Question is do I still need to call the esc_url while outputing it
>>>>> in the html. Is this required or recommended.
>>>>>
>>>>> The main reason I am asking is because recently I am also reviewing a
>>>>> theme which has similar type of code format.
>>>>>
>>>>> So required or recommended?
>>>>>
>>>>>
>>>>> Thanks
>>>>> Priyanshu
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Oct 3, 2014 at 6:57 PM, Justin Tadlock <
>>>>> justin at justintadlock.com> wrote:
>>>>>
>>>>>> We would never have anything so specific as to use `esc_url()` in the
>>>>>> guidelines.  You'd need to use the most appropriate function for the job.
>>>>>> If dealing with URLs, `esc_url()` will usually be your best bet.  Questions
>>>>>> such as this are better handled by looking at the specific case though.
>>>>>> Generic answers/solutions are rarely a good idea when talking about
>>>>>> sanitizing, validating, and/or escaping.
>>>>>>
>>>>>> Here's the guideline:
>>>>>>
>>>>>> "Themes are required to validate and sanitize all untrusted data
>>>>>> before entering data into the database, and to escape all untrusted data
>>>>>> before being output in the Settings form fields or in the Theme template
>>>>>> files (see: Data Validation)"
>>>>>>
>>>>>> See:
>>>>>> https://make.wordpress.org/themes/handbook/guidelines/theme-security-and-privacy/
>>>>>>
>>>>>> On Fri, Oct 3, 2014 at 8:04 AM, priyanshu mittal <
>>>>>> priyanshu.mittal at gmail.com> wrote:
>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> Is that mandatory to use esc_url in the themes. If yes can you
>>>>>>> provide me the link where it has been  mentioned.
>>>>>>>
>>>>>>> Thanks
>>>>>>> Priyanshu
>>>>>>>
>>>>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wordpress.org/pipermail/theme-reviewers/attachments/20141003/1e2817b3/attachment.html>