The Settings API doesn't currently do *any* sanitization/validation on its own; it simply provides a callback in which the Theme developer can define the sanitization/validation functions.<div><br></div><div>So, you need to make sure that the callback defined in register_setting() properly sanitizes the javascript passed into it, and that the Theme properly escapes the javascript on output in the template.</div>
<div><br></div><div>Chip<br><br><div class="gmail_quote">On Thu, Feb 16, 2012 at 8:50 PM, Vicky Arulsingam <span dir="ltr"><<a href="mailto:vicky.arulsingam@gmail.com">vicky.arulsingam@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The theme I'm reviewing:
<a href="http://themes.trac.wordpress.org/ticket/6565" target="_blank">http://themes.trac.wordpress.org/ticket/6565</a> has theme options that allow the user to define their own javascript code.<div>By virtue of using the Settings API, is a theme protected against XSS vulnerabilities?</div>
<div>Are there any functions that can be used to sanitize javascript?<br clear="all"><div><br></div>-----<div>Vicky Arulsingam</div><br>
</div>
<br>_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br></blockquote></div><br></div>
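The pattern Chip describes, as an added example that is not code from the theme under review, from WordPress core, or from either poster: a theme option for user-supplied JavaScript registered through the Settings API with a sanitize callback, plus the output side. The option name, settings group, text domain and function names are hypothetical. Because arbitrary JavaScript cannot be filtered into "safe" JavaScript, the callback's real control is a capability check (`unfiltered_html`, the same capability WordPress uses to decide who may post raw markup); beyond that it only guards the one thing the template can get wrong when printing the value inside a `<script>` element, a premature `</script>` that would let markup leak into the page.

```php
<?php
// Added example, not the theme's or WordPress core's own code.
// Hypothetical option name and settings group.
define( 'MYTHEME_JS_OPTION', 'mytheme_custom_js' );

function mytheme_register_settings() {
    // Third argument is the sanitize callback (WP 2.7+ signature; WP 4.7+
    // also accepts array( 'sanitize_callback' => ... ) in its place).
    register_setting( 'mytheme_options', MYTHEME_JS_OPTION, 'mytheme_sanitize_custom_js' );
}
add_action( 'admin_init', 'mytheme_register_settings' );

function mytheme_sanitize_custom_js( $input ) {
    $previous = get_option( MYTHEME_JS_OPTION, '' );

    // Arbitrary JavaScript cannot be made safe by filtering; the meaningful
    // control is who may save it. Only users allowed to post unfiltered HTML
    // (administrators on a single-site install) may change this option.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        add_settings_error(
            MYTHEME_JS_OPTION,
            'mytheme_js_cap',
            __( 'You are not allowed to change the custom script.', 'mytheme' )
        );
        return $previous; // keep the stored value unchanged
    }

    $js = (string) $input;

    // The value is printed inside <script>...</script> by the template, so
    // strip a wrapping <script> tag the user may have pasted, then refuse any
    // remaining </script>, which would close the element early.
    $js = preg_replace( '#^\s*<script[^>]*>|</script\s*>\s*$#i', '', $js );
    if ( preg_match( '#</script#i', $js ) ) {
        add_settings_error(
            MYTHEME_JS_OPTION,
            'mytheme_js_tag',
            __( 'Script tags are not allowed inside the custom script.', 'mytheme' )
        );
        return $previous;
    }

    return $js;
}

function mytheme_custom_js_field() {
    // Admin form: the value sits inside a textarea, so HTML escaping is the
    // correct treatment here (esc_textarea() exists since WP 3.1).
    printf(
        '<textarea name="%s" rows="10" cols="60">%s</textarea>',
        esc_attr( MYTHEME_JS_OPTION ),
        esc_textarea( get_option( MYTHEME_JS_OPTION, '' ) )
    );
}

function mytheme_print_custom_js() {
    $js = get_option( MYTHEME_JS_OPTION, '' );
    if ( '' === $js ) {
        return;
    }
    // Front end: the value is JavaScript source, so HTML-escaping it would
    // break the script. The sanitize callback already rejected </script>;
    // repeat the check in case the option was written by some other path.
    if ( preg_match( '#</script#i', $js ) ) {
        return;
    }
    echo "<script type=\"text/javascript\">\n" . $js . "\n</script>\n";
}
add_action( 'wp_head', 'mytheme_print_custom_js' );
```

Two different escaping rules apply to the same stored value: in the admin form it is text inside a textarea and gets `esc_textarea()`, while in the front-end template it is script source and the only thing to guard is the closing tag. Keeping the rejected-input path returning the previous value (rather than an empty string) avoids wiping a working script when a non-privileged user submits the options form.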