<div dir="ltr">Late-escaping is great, except when it's overkill, and introduces a needless opportunity for exploit by omission.<div><br></div><div style>Which is easier/safer/more robust?</div><div style><br></div><div style>
1) Having all Themes call echo esc_url( home_url( '/' ) )</div><div style><br></div><div style>or </div><div style><br></div><div style>2) Replacing this:</div><div style><br></div><div style><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div style><span class="" style="font-weight:bold;color:rgb(68,68,68);font-family:monospace;font-size:11px">return</span><span style="color:rgb(68,68,68);font-family:monospace;font-size:11px"> </span><span class="" style="color:rgb(68,68,68);font-family:monospace;font-size:11px">apply_filters</span><span class="" style="color:rgb(68,68,68);font-family:monospace;font-size:11px">(</span><span style="color:rgb(68,68,68);font-family:monospace;font-size:11px"> </span><span class="" style="color:rgb(187,136,68);font-family:monospace;font-size:11px">'home_url'</span><span class="" style="color:rgb(68,68,68);font-family:monospace;font-size:11px">,</span><span style="color:rgb(68,68,68);font-family:monospace;font-size:11px"> </span><span class="" style="color:rgb(0,128,128);font-family:monospace;font-size:11px">$url</span><span class="" style="color:rgb(68,68,68);font-family:monospace;font-size:11px">,</span><span style="color:rgb(68,68,68);font-family:monospace;font-size:11px"> </span><span class="" style="color:rgb(0,128,128);font-family:monospace;font-size:11px">$path</span><span class="" style="color:rgb(68,68,68);font-family:monospace;font-size:11px">,</span><span style="color:rgb(68,68,68);font-family:monospace;font-size:11px"> </span><span class="" style="color:rgb(0,128,128);font-family:monospace;font-size:11px">$orig_scheme</span><span class="" style="color:rgb(68,68,68);font-family:monospace;font-size:11px">,</span><span style="color:rgb(68,68,68);font-family:monospace;font-size:11px"> </span><span class="" style="color:rgb(0,128,128);font-family:monospace;font-size:11px">$blog_id</span><span style="color:rgb(68,68,68);font-family:monospace;font-size:11px"> </span><span class="" style="color:rgb(68,68,68);font-family:monospace;font-size:11px">);</span></div>
</blockquote></div><div style><br></div><div style>...with this:</div><div style><br></div><div style><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div style><span class="" style="font-weight:bold;color:rgb(68,68,68);font-family:monospace;font-size:11px">return</span><span style="color:rgb(68,68,68);font-family:monospace;font-size:11px"> esc_url( </span><span class="" style="color:rgb(68,68,68);font-family:monospace;font-size:11px">apply_filters</span><span class="" style="color:rgb(68,68,68);font-family:monospace;font-size:11px">(</span><span style="color:rgb(68,68,68);font-family:monospace;font-size:11px"> </span><span class="" style="color:rgb(187,136,68);font-family:monospace;font-size:11px">'home_url'</span><span class="" style="color:rgb(68,68,68);font-family:monospace;font-size:11px">,</span><span style="color:rgb(68,68,68);font-family:monospace;font-size:11px"> </span><span class="" style="color:rgb(0,128,128);font-family:monospace;font-size:11px">$url</span><span class="" style="color:rgb(68,68,68);font-family:monospace;font-size:11px">,</span><span style="color:rgb(68,68,68);font-family:monospace;font-size:11px"> </span><span class="" style="color:rgb(0,128,128);font-family:monospace;font-size:11px">$path</span><span class="" style="color:rgb(68,68,68);font-family:monospace;font-size:11px">,</span><span style="color:rgb(68,68,68);font-family:monospace;font-size:11px"> </span><span class="" style="color:rgb(0,128,128);font-family:monospace;font-size:11px">$orig_scheme</span><span class="" style="color:rgb(68,68,68);font-family:monospace;font-size:11px">,</span><span style="color:rgb(68,68,68);font-family:monospace;font-size:11px"> </span><span class="" style="color:rgb(0,128,128);font-family:monospace;font-size:11px">$blog_id</span><span style="color:rgb(68,68,68);font-family:monospace;font-size:11px"> </span><span class="" style="color:rgb(68,68,68);font-family:monospace;font-size:11px">) );</span></div>
</blockquote></div><div style><br></div><div style>I'm a big fan of late-escaping, but in this case, it's merely a means for Themes to clean up something that core should already be handling.</div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Wed, Jun 19, 2013 at 3:42 PM, Edward Caissie <span dir="ltr"><<a href="mailto:edward.caissie@gmail.com" target="_blank">edward.caissie@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>I would go with recommended as well ... and although a patch to core may be of benefit, I also agree with "late-escaping" as the most correct best practice.<br><br></div>To be honest I half-expected `get_home_url` to be escaping its output when I went digging into core and was surprised it wasn't.<span class="HOEnZb"><font color="#888888"><br>
</font></span></div><div class="gmail_extra"><span class="HOEnZb"><font color="#888888"><br clear="all"><div>Edward Caissie<br>aka Cais.</div></font></span><div><div class="h5">
<br><br><div class="gmail_quote">On Wed, Jun 19, 2013 at 3:40 PM, Chip Bennett <span dir="ltr"><<a href="mailto:chip@chipbennett.net" target="_blank">chip@chipbennett.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I'd prefer to see it as recommended, with a core patch to return escaped output.</div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jun 19, 2013 at 3:36 PM, Otto <span dir="ltr"><<a href="mailto:otto@ottodestruct.com" target="_blank">otto@ottodestruct.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On Wed, Jun 19, 2013 at 2:24 PM, Chip Bennett <<a href="mailto:chip@chipbennett.net" target="_blank">chip@chipbennett.net</a>> wrote:<br>
> Otto, I agree, but if it is something that is outside the Theme's control,<br>
> shouldn't it be incumbent upon core (which provides the related filter) to<br>
> escape the output?<br>
<br>
</div>I can see arguments for both sides of that one. Escaping immediately<br>
before output is safest. Late-escaping, basically.<br>
<br>
If you examine the core code currently (trunk), in all of the places I<br>
spot checked, when core uses home_url(), it runs it through esc_url()<br>
before outputting it. This is also the case for things like<br>
admin_url() and such.<br>
<br>
Twenty-eleven, twelve, and thirteen all esc_url( home_url() ).<br>
Twenty-ten notably did not.<br>
<br>
I would class it as recommended, possibly to move to required in a<br>
version or so?<br>
<span><font color="#888888"><br>
-Otto<br>
</font></span><div><div>_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
</div></div></blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br></blockquote></div><br></div></div></div>
<br>_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br></blockquote></div><br></div>