<div dir="ltr">That function is `the_permalink()`, which concludes by calling and escaping `get_permalink()`: <a href="https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L22">https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L22</a>. `get_permalink()`, on the other hand, is never escaped: <a href="https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L112">https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L112</a></div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Aug 29, 2014 at 5:25 PM, Emil Uzelac <span dir="ltr">&lt;<a href="mailto:emil@uzelac.me" target="_blank">emil@uzelac.me</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">No, get_permalink is escaped: <a href="https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L14" target="_blank">https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L14</a>  </div>

</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Aug 29, 2014 at 7:22 PM, Zack Tollman <span dir="ltr">&lt;<a href="mailto:tollmanz@gmail.com" target="_blank">tollmanz@gmail.com</a>&gt;</span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">`the_permalink()` is escaped, but `get_permalink()` (or the newer `get_the_permalink()`) is not escaped and still needs to be escaped.</div>

<div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Aug 29, 2014 at 4:31 PM, Emil Uzelac <span dir="ltr">&lt;<a href="mailto:emil@uzelac.me" target="_blank">emil@uzelac.me</a>&gt;</span> wrote:<br>


<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">And get_permalink does not need one, because it already exists here: <a href="https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L0" target="_blank">https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L0</a></div>



</div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Aug 29, 2014 at 6:30 PM, Emil Uzelac <span dir="ltr">&lt;<a href="mailto:emil@uzelac.me" target="_blank">emil@uzelac.me</a>&gt;</span> wrote:<br>


<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div class="gmail_default"><font face="arial, helvetica, sans-serif">Needs an escape and trailingslash as well <a href="http://codex.wordpress.org/Function_Reference/home_url" target="_blank">http://codex.wordpress.org/Function_Reference/home_url</a></font><br>




</div><div class="gmail_default"><font face="arial, helvetica, sans-serif"><br></font></div><div class="gmail_default"><font face="arial, helvetica, sans-serif">&lt;?php echo esc_url( home_url( '/' ) ); ?&gt;<br>




</font></div></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Aug 29, 2014 at 6:26 PM, Yentl Bresseleers <span dir="ltr">&lt;<a href="mailto:hello@design311.com" target="_blank">hello@design311.com</a>&gt;</span> wrote:<br>




<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Why doesn't home_url() do it for you then?<br><br>On 30/08/2014 01:25, Tom wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I believe get_permalink() does it for you.<br>
<br>
-----Original Message-----<br>
From: theme-reviewers [mailto:<a href="mailto:theme-reviewers-bounces@lists.wordpress.org" target="_blank">theme-reviewers-bounces@lists.wordpress.org</a>]<br>
On Behalf Of Yentl Bresseleers<br>
Sent: Friday, August 29, 2014 4:24 PM<br>
To: Discussion list for WordPress theme reviewers.<br>
Subject: [theme-reviewers] esc_url() for all links?<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Themes are required to escape all untrusted links before output using<br>
esc_url(). Escape home_url() in header.php and other similar links<br>
used elsewhere.<br>
</blockquote>
Does that mean we have to pass all links through esc_url()? Even<br>
the_permalink()?<br>
<br>
      echo esc_url(get_permalink());<br>
<br>
Rather than:<br>
<br>
      the_permalink() ?<br>
_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
</blockquote>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br></div>
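<div dir="ltr">The two call paths this thread argues over, as an added example that is not part of any message above and is not WordPress core code: `get_permalink()` hands back a filtered value as-is, while `the_permalink()` escapes at the point of output. The function bodies are simplified stand-ins named after the WordPress functions (the `esc_url()` stand-in only models character stripping, a scheme allowlist and entity-encoding), and the filter callback and example.test URL are constructed.</div>

```php
<?php
// Added example with simplified stand-ins; this is NOT WordPress core code.
$filters = array(); // hook name => callbacks (stand-in for the hook registry)

function add_filter( $hook, $callback ) {
	global $filters;
	$filters[ $hook ][] = $callback;
}

function apply_filters( $hook, $value ) {
	global $filters;
	$callbacks = isset( $filters[ $hook ] ) ? $filters[ $hook ] : array();
	foreach ( $callbacks as $callback ) {
		$value = call_user_func( $callback, $value );
	}
	return $value;
}

// Stand-in for esc_url(): drop characters that are not valid in a URL,
// reject schemes outside a small allowlist, entity-encode & and ' for HTML.
function esc_url( $url ) {
	$url = preg_replace( '|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\[\]]|i', '', $url );
	if ( ! preg_match( '#^(https?:|/)#i', $url ) ) {
		return '';
	}
	return str_replace( array( '&', "'" ), array( '&#038;', '&#039;' ), $url );
}

// get_permalink(): returns whatever the filters produced, with no escaping.
function get_permalink() {
	return apply_filters( 'post_link', 'http://example.test/?p=1' );
}

// the_permalink(): escapes once, at the point of output.
function the_permalink() {
	echo esc_url( apply_filters( 'the_permalink', get_permalink() ) );
}

// Constructed sample: a plugin filter appends a query arg with stray quotes.
add_filter( 'post_link', function ( $url ) {
	return $url . '&ref="home"';
} );

echo '<a href="' . get_permalink() . '">get_permalink(), unescaped</a>' . "\n";
echo '<a href="' . esc_url( get_permalink() ) . '">esc_url( get_permalink() )</a>' . "\n";
echo '<a href="'; the_permalink(); echo '">the_permalink()</a>' . "\n";
```

Only the first line prints the filtered value untouched; the other two pass it through the escaping step before it reaches the `href` attribute.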