The Theme has to be fully functional out-of-the-box (i.e. it can't be "crippleware"). The Theme cannot put core WordPress functionality behind a paywall.<div><br></div><div>A Theme can put *additional* options behind a paywall. For example, a Theme can't put all dynamic sidebars behind the paywall, but a Theme can have one or more dynamic sidebars in the free version, and then add *additional* dynamic sidebars in the commercial version.</div>
<div><br></div><div>I don't have a per se problem with all Theme options being available only in the commercial version, provided that the Theme, sans options, is fully functional, and that none of the options locked behind the paywall are core WordPress functionality (Widgets, Custom Header, Custom Background, etc.). But by the same token, Themes should not be inappropriately aggressive about pushing the commercial version. (For example, if a Theme has no functional Theme Options, there is no reason to direct the user to the non-functional Theme Options page upon activation.)</div>
<div><br></div><div>Chip<br><br><div class="gmail_quote">On Thu, Aug 16, 2012 at 9:56 AM, Kirk Wight <span dir="ltr"><<a href="mailto:kwight@kwight.ca" target="_blank">kwight@kwight.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
So including options that are not functional until activation is not allowed, but having a basic theme that points to a more functional version for sale is allowed? Just want to make sure I understand what the guy did wrong (I thought it was fine because he was clear about what worked and what didn't).<div class="HOEnZb">
<div class="h5"><br>
<br><div class="gmail_quote">On 16 August 2012 10:28, Chandra Maharzan <span dir="ltr"><<a href="mailto:maharzan@gmail.com" target="_blank">maharzan@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks Otto for explaining. Now, I get it. I have been looking into<br>
Mark Jaquith's video too. :)<br>
<br>
And thanks for taking action on the themes. I don't even want to<br>
mention what I have been through with this guy.<br>
<div><div><br>
On Thu, Aug 16, 2012 at 8:09 PM, Otto <<a href="mailto:otto@ottodestruct.com" target="_blank">otto@ottodestruct.com</a>> wrote:<br>
> No, he does escape, just not using esc_html.<br>
><br>
> Use the right function for the right case. If it's inside a <textarea><br>
> then you must use esc_textarea. If it's in an HTML tag as an<br>
> attribute, then you must use esc_attr. If it's a URL of any sort to be<br>
> printed out, then you must use esc_url.<br>
><br>
> All these are valid, but they handle different cases. The problem<br>
> isn't to "use esc_html", it's to use the proper sanitization function<br>
> for the way that the output is being used.<br>
><br>
> Oh, and his crippleware technique is definitely not allowed.<br>
><br>
> I've suspended these themes for the same basic behaviors:<br>
> <a href="http://wordpress.org/extend/themes/adventure" target="_blank">http://wordpress.org/extend/themes/adventure</a><br>
> <a href="http://wordpress.org/extend/themes/adventure-bound-basic" target="_blank">http://wordpress.org/extend/themes/adventure-bound-basic</a><br>
><br>
> -Otto<br>
><br>
><br>
> On Thu, Aug 16, 2012 at 9:19 AM, Chandra Maharzan <<a href="mailto:maharzan@gmail.com" target="_blank">maharzan@gmail.com</a>> wrote:<br>
>> Thanks for chiming in Otto. It doesn't escape HTML (which aren't<br>
>> needed in his case). Doesn't that allow injecting? And he is using<br>
>> textarea for which textbox could have been used such as URL, or<br>
>> activation code.<br>
>><br>
>> On Thu, Aug 16, 2012 at 8:01 PM, Otto <<a href="mailto:otto@ottodestruct.com" target="_blank">otto@ottodestruct.com</a>> wrote:<br>
>>> On Thu, Aug 16, 2012 at 1:27 AM, Chandra Maharzan <<a href="mailto:maharzan@gmail.com" target="_blank">maharzan@gmail.com</a>> wrote:<br>
>>>> He has Theme options but it doesn't work unless people activate (pay)<br>
>>>> the author. And then he is arguing about sanitation of data fields,<br>
>>>> which Theme Review clearly says to do them (esc_html, esc_attr, etc.).<br>
>>>> Someone please enlighten me here.<br>
>>><br>
>>> He's right about the escaping, for the most part. Text areas should<br>
>>> use esc_textarea for sanitization, not esc_html. Similarly, a URL<br>
>>> should use esc_url. Use the correct escape function for the correct<br>
>>> purpose.<br>
>>><br>
>>><br>
>>> -Otto<br>
>>> _______________________________________________<br>
>>> theme-reviewers mailing list<br>
>>> <a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
>>> <a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
>><br>
>><br>
>><br>
>> --<br>
>> cmans<br>
<br>
<br>
<br>
--<br>
cmans<br>
</div></div></blockquote></div><br>
</div></div><br>
<br></blockquote></div><br></div>
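The context rule from Otto's quoted message (esc_textarea inside a textarea, esc_attr in an attribute, esc_url for a printed URL, esc_html for plain text), as an added example that is not part of the original thread or of any theme discussed in it. The function name `example_render_options_form`, the option keys and the sample values are constructed; the `esc_*` stand-ins are simplified assumptions so the file runs outside WordPress, where core supplies the real functions.

```php
<?php
// Added example. Inside WordPress, core supplies esc_html(), esc_attr(),
// esc_textarea() and esc_url(); these simplified stand-ins only let the
// file run under plain `php` and do not reproduce core's full behaviour.
if ( ! function_exists( 'esc_html' ) ) {
    function example_enc( $s )  { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function esc_html( $s )     { return example_enc( $s ); }
    function esc_attr( $s )     { return example_enc( $s ); }
    function esc_textarea( $s ) { return example_enc( $s ); }
    function esc_url( $s ) {
        // Stand-in: keep only http(s) URLs, then encode for HTML output.
        $s = trim( (string) $s );
        return preg_match( '#^https?://#i', $s ) ? example_enc( $s ) : '';
    }
}

// Constructed option values, each shaped to break out of one output context.
$example_options = array(
    'heading'     => 'Footer & <em>credits</em>',           // markup in a text node
    'tagline'     => 'Fast" data-injected="1',              // quote closes the attribute
    'footer_text' => "Line one\n</textarea><b>outside</b>", // closes the textarea early
    'logo_link'   => 'javascript:void(0)',                  // non-http(s) scheme
);

// Hypothetical theme options form: one escape call per output context.
function example_render_options_form( array $o ) {
    // Text node: esc_html.
    $html  = '<h3>' . esc_html( $o['heading'] ) . "</h3>\n";
    // Attribute value: esc_attr.
    $html .= '<input type="text" name="tagline" value="'
           . esc_attr( $o['tagline'] ) . "\" />\n";
    // Textarea body: esc_textarea.
    $html .= '<textarea name="footer_text">'
           . esc_textarea( $o['footer_text'] ) . "</textarea>\n";
    // URL in href: esc_url; the same value shown as link text: esc_html.
    $html .= '<a href="' . esc_url( $o['logo_link'] ) . '">'
           . esc_html( $o['logo_link'] ) . "</a>\n";
    return $html;
}

echo example_render_options_form( $example_options );
```

In the output every constructed value stays inside its own element or attribute, and the non-http(s) link is emitted with an empty `href` while its text is still displayed as plain characters.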