<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    I was just about to say the same thing.  If you need a good example
    of how to sanitize this based on the `unfiltered_html` cap, check
    out the WordPress text widget in `wp-includes/default-widgets.php`.<br>
    <br>
    <div class="moz-cite-prefix">On 10/8/2013 3:29 PM, Konstantin
      Kovshenin wrote:<br>
    </div>
    <blockquote
cite="mid:CAO0J9CrEhrMTocP5PBAcyBvRfQ_BCL0Pq1KX0E5VhpkonKBcyw@mail.gmail.com"
      type="cite">
      <div dir="ltr">> <span
          style="font-family:arial,sans-serif;font-size:13px">a feature
          in my theme allows user to enter javascript</span>
        <div><span style="font-family:arial,sans-serif;font-size:13px"><br>
          </span></div>
        <div>
          <font face="arial, sans-serif">Run it through kses on input,
            also a good idea to check for current_user_can(
            'unfiltered_html' ); before even showing the option. Note
            that there are some environments where unfiltered html
            (including js, etc) is disabled *for all users* including
            admins and super admins.</font></div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Wed, Oct 9, 2013 at 12:22 AM,
          Srikanth Koneru <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:tskk79@gmail.com" target="_blank">tskk79@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">The header footer js codes that are inserted
              via theme options, do they need to be escaped at all and
              if so how to do it?<br>
            </div>
            <div class="HOEnZb">
              <div class="h5">
                <div class="gmail_extra"><br>
                  <br>
                  <div class="gmail_quote">On Wed, Oct 9, 2013 at 1:50
                    AM, Rohit Tripathi <span dir="ltr"><<a
                        moz-do-not-send="true"
                        href="mailto:rohitink@live.com" target="_blank">rohitink@live.com</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div>
                        <div dir="ltr">Thanks Chip. :)<br>
                          <br>
                          <div>
                            <hr>Date: Tue, 8 Oct 2013 16:18:09 -0400<br>
                            From: <a moz-do-not-send="true"
                              href="mailto:chip@chipbennett.net"
                              target="_blank">chip@chipbennett.net</a>
                            <div>
                              <div><br>
                                To: <a moz-do-not-send="true"
                                  href="mailto:theme-reviewers@lists.wordpress.org"
                                  target="_blank">theme-reviewers@lists.wordpress.org</a><br>
                                Subject: Re: [theme-reviewers]
                                Sanitizing Output<br>
                                <br>
                                <div dir="ltr">The general rule is:
                                  sanitize on input, escape on output.</div>
                                <div><br>
                                  <br>
                                  <div>On Tue, Oct 8, 2013 at 4:00 PM,
                                    Rohit Tripathi <span dir="ltr"><<a
                                        moz-do-not-send="true"
                                        href="mailto:rohitink@live.com"
                                        target="_blank">rohitink@live.com</a>></span>
                                    wrote:<br>
                                    <blockquote style="border-left:1px
                                      #ccc solid;padding-left:1ex">
                                      <div>
                                        <div dir="ltr">Yes, I have
                                          escaped all the Urls. That's
                                          done.<br>
                                          <br>
                                          But, a feature in my theme
                                          allows user to enter
                                          javascript or html through the
                                          theme options panel, which is
                                          sanitized on input. So, I hope
                                          I don't have to sanitize it on
                                          the output. Because, if I use
                                          functions like esc_html or
                                          esc_js on them, then the whole
                                          point of letting theme enter
                                          js/html is lost. So, if I have
                                          to sanitize them on output,
                                          how do I do that?
                                          <div>
                                            <br>
                                          </div>
                                          <div>Thanks.<br>
                                            <div><br>
                                              <div>
                                                <hr>Date: Tue, 8 Oct
                                                2013 21:57:44 +0200<br>
                                                From: <a
                                                  moz-do-not-send="true"
href="mailto:grapplerulrich@gmail.com" target="_blank">grapplerulrich@gmail.com</a><br>
                                                To: <a
                                                  moz-do-not-send="true"
href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
                                                Subject: Re:
                                                [theme-reviewers]
                                                Sanitizing Output
                                                <div>
                                                  <div><br>
                                                    <br>
                                                    <p dir="ltr">No, but
                                                      it is good to
                                                      escape it. </p>
                                                    <div>On 8 Oct 2013
                                                      21:54, "Rohit
                                                      Tripathi" <<a
                                                        moz-do-not-send="true"
href="mailto:rohitink@live.com" target="_blank">rohitink@live.com</a>>
                                                      wrote:<br>
                                                      <blockquote
                                                        style="border-left:1px
                                                        #ccc
                                                        solid;padding-left:1ex">
                                                        <div>
                                                          <div dir="ltr">Hello.
                                                          <div><br>
                                                          </div>
                                                          <div>I am
                                                          using Options
                                                          Framework with
                                                          my theme. I
                                                          have properly
                                                          sanitized all
                                                          input using
                                                          all the
                                                          necessary
                                                          functions
                                                          including
                                                          wp_kses.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Is it
                                                          necessary to
                                                          sanitize it on
                                                          the output?</div>
                                                          </div>
                                                        </div>
                                                        <br>
_______________________________________________<br>
                                                        theme-reviewers
                                                        mailing list<br>
                                                        <a
                                                          moz-do-not-send="true"
href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
                                                        <a
                                                          moz-do-not-send="true"
href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers"
                                                          target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
                                                        <br>
                                                      </blockquote>
                                                    </div>
                                                    <br>
                                                   </div>
                                                </div>
                                              </div>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                      <br>
                                    </blockquote>
                                  </div>
                                  <br>
                                </div>
                                <br>
                                </div>
                            </div>
                          </div>
                        </div>
                      </div>
                      <br>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </div>
            <br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        Konstantin
      </div>
      <br>
    </blockquote>
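    <br>
    As an added example (not code from this thread, from WordPress core or
    from any theme discussed here): the input-side gate Konstantin describes,
    following the pattern the text widget in
    `wp-includes/default-widgets.php` uses, with the option key and the
    `my_theme_*` function names as hypothetical placeholders.<br>
    <br>
```php
<?php
// Added example, not from the thread or from WordPress core. Option key and
// my_theme_* names are hypothetical placeholders.

// Sanitize on input: users holding unfiltered_html may store raw markup
// (including <script>); everyone else gets post-content kses filtering, which
// strips script tags, event-handler attributes and other disallowed markup.
function my_theme_sanitize_header_code( $input ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $input;
    }
    return wp_kses_post( $input );
}

function my_theme_register_settings() {
    // Third argument is the sanitize callback run on every save of the option.
    register_setting(
        'my_theme_options',
        'my_theme_header_code',
        'my_theme_sanitize_header_code'
    );
}
add_action( 'admin_init', 'my_theme_register_settings' );

// Only show the raw-code field to users who may actually submit raw HTML.
// On installs that define DISALLOW_UNFILTERED_HTML nobody has the capability,
// so the field is hidden for admins and super admins too.
function my_theme_render_header_code_field() {
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        return;
    }
    printf(
        '<textarea name="my_theme_header_code">%s</textarea>',
        esc_textarea( get_option( 'my_theme_header_code', '' ) )
    );
}

// Output: the stored value is printed as-is, because it was sanitized on
// input and running esc_html()/esc_js() here would defeat the option's purpose.
function my_theme_print_header_code() {
    echo get_option( 'my_theme_header_code', '' );
}
add_action( 'wp_head', 'my_theme_print_header_code' );
```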
    <br>
  </body>
</html>