<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I was just about to say the same thing. If you need a good example
of how to sanitize this based on the `unfiltered_html` cap, check
out the WordPress text widget in `wp-includes/default-widgets.php`.<br>
<br>
<div class="moz-cite-prefix">On 10/8/2013 3:29 PM, Konstantin
Kovshenin wrote:<br>
</div>
<blockquote
cite="mid:CAO0J9CrEhrMTocP5PBAcyBvRfQ_BCL0Pq1KX0E5VhpkonKBcyw@mail.gmail.com"
type="cite">
<div dir="ltr">> <span
style="font-family:arial,sans-serif;font-size:13px">a feature
in my theme allows user to enter javascript</span>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div>
<font face="arial, sans-serif">Run it through kses on input,
also a good idea to check for current_user_can(
'unfiltered_html' ); before even showing the option. Note
that there are some environments where unfiltered html
(including js, etc) is disabled *for all users* including
admins and super admins.</font></div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Oct 9, 2013 at 12:22 AM,
Srikanth Koneru <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:tskk79@gmail.com" target="_blank">tskk79@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">The header footer js codes that are inserted
via theme options, do they need to be escaped at all and
if so how to do it?<br>
</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Oct 9, 2013 at 1:50
AM, Rohit Tripathi <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:rohitink@live.com" target="_blank">rohitink@live.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div dir="ltr">Thanks Chip. :)<br>
<br>
<div>
<hr>Date: Tue, 8 Oct 2013 16:18:09 -0400<br>
From: <a moz-do-not-send="true"
href="mailto:chip@chipbennett.net"
target="_blank">chip@chipbennett.net</a>
<div>
<div><br>
To: <a moz-do-not-send="true"
href="mailto:theme-reviewers@lists.wordpress.org"
target="_blank">theme-reviewers@lists.wordpress.org</a><br>
Subject: Re: [theme-reviewers]
Sanitizing Output<br>
<br>
<div dir="ltr">The general rule is:
sanitize on input, escape on output.</div>
<div><br>
<br>
<div>On Tue, Oct 8, 2013 at 4:00 PM,
Rohit Tripathi <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:rohitink@live.com"
target="_blank">rohitink@live.com</a>></span>
wrote:<br>
<blockquote style="border-left:1px
#ccc solid;padding-left:1ex">
<div>
<div dir="ltr">Yes, I have
escaped all the Urls. That's
done.<br>
<br>
But, a feature in my theme
allows user to enter
javascript or html through the
theme options panel, which is
sanitized on input. So, I hope
I don't have to sanitize it on
the output. Because, if i use
functions like esc_html or
esc_js on them, then the whole
point of letting theme enter
js/html is lost. So, if i have
to sanitize them on output,
how do i do that?
<div>
<br>
</div>
<div>Thanks.<br>
<div><br>
<div>
<hr>Date: Tue, 8 Oct
2013 21:57:44 +0200<br>
From: <a
moz-do-not-send="true"
href="mailto:grapplerulrich@gmail.com" target="_blank">grapplerulrich@gmail.com</a><br>
To: <a
moz-do-not-send="true"
href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
Subject: Re:
[theme-reviewers]
Sanitizing Output
<div>
<div><br>
<br>
<p dir="ltr">No, but
it is good to
escape it. </p>
<div>On 8 Oct 2013
21:54, "Rohit
Tripathi" <<a
moz-do-not-send="true"
href="mailto:rohitink@live.com" target="_blank">rohitink@live.com</a>>
wrote:<br>
<blockquote
style="border-left:1px
#ccc
solid;padding-left:1ex">
<div>
<div dir="ltr">Hello.
<div><br>
</div>
<div>I am
using Options
Framework with
my theme. I
have properly
sanitized all
input using
all the
necessary
functions
including
wp_kses.</div>
<div><br>
</div>
<div>Is it
neccessary to
sanitize it on
the output?</div>
</div>
</div>
<br>
_______________________________________________<br>
theme-reviewers
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
<a
moz-do-not-send="true"
href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers"
target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br>
</blockquote>
</div>
<br>
_______________________________________________
theme-reviewers
mailing list
<a
moz-do-not-send="true"
href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a>
<a
moz-do-not-send="true"
href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers"
target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a></div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
_______________________________________________<br>
theme-reviewers mailing list<br>
<a moz-do-not-send="true"
href="mailto:theme-reviewers@lists.wordpress.org"
target="_blank">theme-reviewers@lists.wordpress.org</a><br>
<a moz-do-not-send="true"
href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers"
target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
_______________________________________________
theme-reviewers
mailing list
<a moz-do-not-send="true"
href="mailto:theme-reviewers@lists.wordpress.org"
target="_blank">theme-reviewers@lists.wordpress.org</a>
<a moz-do-not-send="true"
href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers"
target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a></div>
</div>
</div>
</div>
</div>
<br>
_______________________________________________<br>
theme-reviewers mailing list<br>
<a moz-do-not-send="true"
href="mailto:theme-reviewers@lists.wordpress.org"
target="_blank">theme-reviewers@lists.wordpress.org</a><br>
<a moz-do-not-send="true"
href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers"
target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
theme-reviewers mailing list<br>
<a moz-do-not-send="true"
href="mailto:theme-reviewers@lists.wordpress.org">theme-reviewers@lists.wordpress.org</a><br>
<a moz-do-not-send="true"
href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers"
target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Konstantin
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
theme-reviewers mailing list
<a class="moz-txt-link-abbreviated" href="mailto:theme-reviewers@lists.wordpress.org">theme-reviewers@lists.wordpress.org</a>
<a class="moz-txt-link-freetext" href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a>
</pre>
</blockquote>
<br>
</body>
</html>