The unfiltered_html might be a good cap to check against.<span></span><br><br>On Saturday, December 7, 2013, Otto wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">If it's intended to be allowed to output code, then there's really no escaping to be done on it. <div><br></div><div>I'd say that for security reasons, you would probably want to make sure the user has the edit_themes capability to be allowed to edit that field. You could do this by adding 'capability' => 'edit_themes' to the add_setting call.</div>
<div><br></div><div>But you wouldn't escape the output since that would negate the code. Escaping is for preventing that sort of thing, not for allowing it.<div><br></div><div class="gmail_extra"><div>-Otto</div>
<br><br><div class="gmail_quote">On Sat, Dec 7, 2013 at 4:05 AM, Ola Łączek <span dir="ltr"><<a href="mailto:ola@bodera.com" target="_blank">ola@bodera.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">Hello!<div><br></div><div>Could somebody help me with that? Or point me in the right direction?</div><div>Thanks in advance!</div><div><div><div><div dir="ltr"><div><br></div></div></div><div><div class="gmail_quote">
---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Ola Łączek</b> <span dir="ltr"><<a href="mailto:ola@bodera.com" target="_blank">ola@bodera.com</a>></span><br>
Date: Thu, Dec 5, 2013 at 6:10 PM<br>
Subject: Escaping JS<br>
To: <a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br><br><br><div dir="ltr">Hello!<div><br></div><div>I'm reviewing a theme that has a field in the customizer to input a block of JavaScript code to be output in the header. I'm wondering what would be the proper way of escaping that code on output, since the esc_js() function doesn't cover it? </div>
<div><br></div><div>Best regards,</div><div>Ola Laczek</div></div>
</div><br></div></div></div></div>
<br>_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br></blockquote></div><br></div></div></div>
</blockquote><br><br>-- <br>Konstantin<br>
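A worked example added here (it is not code from either message nor from the theme under review): registering such a Customizer field with the add_setting 'capability' argument Otto describes, using the unfiltered_html capability suggested above, repeating the same check in the sanitize callback and printing the stored value unescaped in wp_head. The section, setting and function names are assumptions.

```php
<?php
// Added example (not from the thread): a Customizer field holding a raw
// <script> block, gated by the unfiltered_html capability. Section, setting
// and function names are assumptions.
add_action( 'customize_register', function ( WP_Customize_Manager $wp_customize ) {
    $wp_customize->add_section( 'mytheme_header_scripts', array(
        'title'    => __( 'Header scripts', 'mytheme' ),
        'priority' => 160,
    ) );

    $wp_customize->add_setting( 'mytheme_header_js', array(
        'type'              => 'theme_mod',
        // Only users who may post raw HTML/JS anyway can see or save this field.
        'capability'        => 'unfiltered_html',
        'default'           => '',
        'sanitize_callback' => 'mytheme_sanitize_header_js',
    ) );

    $wp_customize->add_control( 'mytheme_header_js', array(
        'section' => 'mytheme_header_scripts',
        'label'   => __( 'JavaScript printed in the head', 'mytheme' ),
        'type'    => 'textarea',
    ) );
} );

// 'capability' gates the control in the Customizer UI; the sanitize callback
// runs on every save, so repeat the check there rather than trusting the UI.
// Nothing is stored for a user who lacks unfiltered_html.
function mytheme_sanitize_header_js( $value ) {
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        return '';
    }
    return (string) $value; // stored verbatim: escaping would break the code
}

// Output is printed as-is. esc_js()/esc_html() would turn the script into
// inert text, which is the opposite of what this field exists for; the
// protection is the capability check above, not output escaping.
add_action( 'wp_head', function () {
    $js = get_theme_mod( 'mytheme_header_js', '' );
    if ( '' === trim( $js ) ) {
        return;
    }
    echo "<script>\n" . $js . "\n</script>\n"; // phpcs:ignore WordPress.Security.EscapeOutput
} );
```

On multisite, unfiltered_html is granted only to super admins by default, so ordinary site administrators would not see this control at all.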