So including options that are not functional until activation is not allowed, but having a basic theme that points to a more functional version for sale is allowed? Just want to make sure I understand what the guy did wrong (I thought it was fine because he was clear about what worked and what didn't).<br>
<br><div class="gmail_quote">On 16 August 2012 10:28, Chandra Maharzan <span dir="ltr"><<a href="mailto:maharzan@gmail.com" target="_blank">maharzan@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks Otto for explaining. Now, I get it. I have been looking into<br>
Mark Jaquith's video too. :)<br>
<br>
And thanks for taking action on the themes. I don't even want to<br>
mention what I have been through with this guy.<br>
<div class="HOEnZb"><div class="h5"><br>
On Thu, Aug 16, 2012 at 8:09 PM, Otto <<a href="mailto:otto@ottodestruct.com">otto@ottodestruct.com</a>> wrote:<br>
> No, he does escape, just not using esc_html.<br>
><br>
> Use the right function for the right case. If it's inside a &lt;textarea&gt;<br>
> then you must use esc_textarea. If it's in an HTML tag as an<br>
> attribute, then you must use esc_attr. If it's a URL of any sort to be<br>
> printed out, then you must use esc_url.<br>
><br>
> All these are valid, but they handle different cases. The problem<br>
> isn't to "use esc_html", it's to use the proper sanitization function<br>
> for the way that the output is being used.<br>
><br>
> Oh, and his crippleware technique is definitely not allowed.<br>
><br>
> I've suspended these themes for the same basic behaviors:<br>
> <a href="http://wordpress.org/extend/themes/adventure" target="_blank">http://wordpress.org/extend/themes/adventure</a><br>
> <a href="http://wordpress.org/extend/themes/adventure-bound-basic" target="_blank">http://wordpress.org/extend/themes/adventure-bound-basic</a><br>
><br>
> -Otto<br>
><br>
><br>
> On Thu, Aug 16, 2012 at 9:19 AM, Chandra Maharzan <<a href="mailto:maharzan@gmail.com">maharzan@gmail.com</a>> wrote:<br>
>> Thanks for chiming in Otto. It doesn't escape HTML (which aren't<br>
>> needed in his case). Doesn't that allow injecting? And he is using<br>
>> textarea for which textbox could have been used such as URL, or<br>
>> activation code.<br>
>><br>
>> On Thu, Aug 16, 2012 at 8:01 PM, Otto <<a href="mailto:otto@ottodestruct.com">otto@ottodestruct.com</a>> wrote:<br>
>>> On Thu, Aug 16, 2012 at 1:27 AM, Chandra Maharzan <<a href="mailto:maharzan@gmail.com">maharzan@gmail.com</a>> wrote:<br>
>>>> He has Theme options but it doesn't work unless people activate (pay)<br>
>>>> the author. And then he is arguing about sanitation of data fields,<br>
>>>> which Theme Review clearly says to do them (esc_html, esc_attr, etc.).<br>
>>>> Someone please enlighten me here.<br>
>>><br>
>>> He's right about the escaping, for the most part. Text areas should<br>
>>> use esc_textarea for sanitization, not esc_html. Similarly, a URL<br>
>>> should use esc_url. Use the correct escape function for the correct<br>
>>> purpose.<br>
>>><br>
>>><br>
>>> -Otto<br>
>>> _______________________________________________<br>
>>> theme-reviewers mailing list<br>
>>> <a href="mailto:theme-reviewers@lists.wordpress.org">theme-reviewers@lists.wordpress.org</a><br>
>>> <a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
>><br>
>><br>
>><br>
>> --<br>
>> cmans<br>
<br>
<br>
<br>
--<br>
cmans<br>
</div></div></blockquote></div><br>
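The rule discussed in the thread (pick the escaping function by output context), shown as an added example that is not code from the thread or from the suspended themes. It assumes it runs inside WordPress, in a theme's functions.php; the `mytheme_` function, option and settings-group names are hypothetical.

```php
<?php
// Added example: must be loaded by WordPress (e.g. from a theme's functions.php).
// 'mytheme_options' and 'mytheme_options_group' are hypothetical names.

function mytheme_render_options_page() {
    // Stored values are treated as untrusted until escaped at output time.
    $opts = wp_parse_args(
        get_option( 'mytheme_options', array() ),
        array( 'tagline' => '', 'logo_url' => '', 'footer_text' => '' )
    );
    ?>
    <div class="wrap">
        <?php // Text node inside an element: esc_html. ?>
        <h2><?php echo esc_html( $opts['tagline'] ); ?> settings</h2>

        <form method="post" action="options.php">
            <?php settings_fields( 'mytheme_options_group' ); ?>

            <?php // Value inside an HTML attribute: esc_attr. ?>
            <input type="text" name="mytheme_options[tagline]"
                   value="<?php echo esc_attr( $opts['tagline'] ); ?>" />

            <?php // A URL being printed, even inside an attribute: esc_url. ?>
            <input type="text" name="mytheme_options[logo_url]"
                   value="<?php echo esc_url( $opts['logo_url'] ); ?>" />
            <img src="<?php echo esc_url( $opts['logo_url'] ); ?>" alt="" />

            <?php // Content between the textarea tags: esc_textarea. ?>
            <textarea name="mytheme_options[footer_text]" rows="4" cols="50"><?php
                echo esc_textarea( $opts['footer_text'] );
            ?></textarea>

            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}
```

The same stored value (`tagline`) is escaped with `esc_html` in the heading and `esc_attr` in the input, because the function is chosen by where the value is printed, not by what the value is.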