<div dir="ltr">So I would take that to mean that the output of the get_home_url filter should be escaped.<div><br></div><div>Themes can't fix or provide a prophylactic for every conceivable way for a user to bork a site; where is the appropriate place to draw the line?</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Sep 12, 2013 at 3:56 PM, Kirk Wight <span dir="ltr">&lt;<a href="mailto:kwight@kwight.ca" target="_blank">kwight@kwight.ca</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Note that get_home_url() (which is used by home_url()) is filterable, so technically we have no idea what's going to come through; using esc_url(), even if not required, will always be a good idea.</div>
<div class="HOEnZb"><div class="h5">

<div class="gmail_extra"><br><br><div class="gmail_quote">On 12 September 2013 15:30, Zulfikar Nore <span dir="ltr">&lt;<a href="mailto:zulfikarnore@live.com" target="_blank">zulfikarnore@live.com</a>&gt;</span> wrote:<br>


<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


<div><div dir="ltr">Thanks for the clarification Chip - Noted :)<br><br><div><hr>Date: Thu, 12 Sep 2013 14:32:55 -0400<br>From: <a href="mailto:chip@chipbennett.net" target="_blank">chip@chipbennett.net</a><br>To: <a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>


Subject: Re: [theme-reviewers] home_url('/') VS esc_url(home_url('/'))  Clarification<div><div><br><br><div dir="ltr">I would consider it as *recommended*, since home_url() isn't explicitly user-configurable. At the very least, if it's considered as *required*, then it is minor enough to leave until the next revision.</div>



<div><br><br><div>On Thu, Sep 12, 2013 at 2:30 PM, Zulfikar Nore <span dir="ltr">&lt;<a href="mailto:zulfikarnore@live.com" target="_blank">zulfikarnore@live.com</a>&gt;</span> wrote:<br>
<blockquote style="border-left:1px #ccc solid;padding-left:1ex">


<div><div dir="ltr">As this page: <a href="http://make.wordpress.org/themes/guidelines/guidelines-theme-security-and-privacy/" target="_blank">http://make.wordpress.org/themes/guidelines/guidelines-theme-security-and-privacy/</a> has since changed I thought I'd ask just to be clear I understand the requirements.<div>



<br></div><div>Is esc_url for home_url a requirement or recommended? This page: <a href="http://codex.wordpress.org/Data_Validation" style="font-size:12pt" target="_blank">http://codex.wordpress.org/Data_Validation</a> does not state explicitly that it is a requirement.</div>



<div><br></div><div>So if it's a requirement - is it a must fix requirement or can it be a fix in next revision requirement?</div><div><br></div><div>Thanks in advance,</div><div>Zulf</div>                                      </div></div>
<br>_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br></blockquote></div><br></div>
</div></div></div>                                         </div></div>
<br></blockquote></div><br></div>
</div></div>
<br></blockquote></div><br></div>
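<div>Added example, not part of the original thread and not code from WordPress core or any theme: a sketch of the point raised above that get_home_url() is filterable, showing a theme link with and without esc_url(). It assumes the file is loaded inside WordPress (for instance as a small plugin); the demo_* function names and the appended query string are hypothetical and constructed for illustration.</div>

```php
<?php
/**
 * Added illustration. Assumes a running WordPress install, which supplies
 * add_filter(), home_url() and esc_url(). All demo_* names are hypothetical.
 */

// A theme has no control over what other code hooks onto 'home_url'.
// This constructed filter stands in for a buggy plugin that appends
// characters which are not safe inside an HTML attribute.
add_filter( 'home_url', 'demo_buggy_home_url', 10, 1 );

function demo_buggy_home_url( $url ) {
	// Constructed sample value: a raw ampersand and raw double quotes.
	return $url . '?ref=a&b="c"';
}

/**
 * Before: the filtered value goes straight into the href attribute.
 * The raw double quote from the filter ends the attribute value early,
 * so the rest of the string is parsed as markup rather than as the URL.
 */
function demo_home_link_unescaped() {
	return '<a href="' . home_url( '/' ) . '">Home</a>';
}

/**
 * After: esc_url() runs on the already-filtered value at the point of output.
 * It strips characters that are not valid in a URL (the double quotes here),
 * encodes the ampersand as an entity, and returns an empty string when the
 * value uses a protocol that is not on the allowed list.
 */
function demo_home_link_escaped() {
	return '<a href="' . esc_url( home_url( '/' ) ) . '">Home</a>';
}

// Print both forms in the footer as visible text so the difference can be
// compared in the page; esc_html() keeps the samples from rendering as links.
add_action( 'wp_footer', 'demo_print_home_links' );

function demo_print_home_links() {
	echo '<pre>';
	echo esc_html( demo_home_link_unescaped() ) . "\n";
	echo esc_html( demo_home_link_escaped() ) . "\n";
	echo '</pre>';
}
```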