<html><head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000">Yes, thank you, Otto and
Zack.<br>
<br>
<blockquote style="border: 0px none;"
cite="mid:CAEytdhdL0RaT1LEEU2ize3yrKtjTp=pdrpU0uXCOCL0c3UTN+A@mail.gmail.com"
type="cite">
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="emil@uzelac.me" photoname="Emil Uzelac"
src="cid:part1.04030500.05060804@danemorganmedia.com"
name="postbox-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:emil@uzelac.me"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Emil Uzelac</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">Saturday, August
30, 2014 00:35</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody">Thanks Otto!<span></span><br><br>On
Saturday, August 30, 2014, Otto &lt;<a moz-do-not-send="true"
href="mailto:otto@ottodestruct.com">otto@ottodestruct.com</a>&gt; wrote:<br>
<div>_______________________________________________<br>theme-reviewers
mailing list<br><a class="moz-txt-link-abbreviated" href="mailto:theme-reviewers@lists.wordpress.org">theme-reviewers@lists.wordpress.org</a><br><a class="moz-txt-link-freetext" href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br></div></div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="otto@ottodestruct.com" photoname="Otto"
src="cid:part2.02040605.00000903@danemorganmedia.com"
name="postbox-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:otto@ottodestruct.com"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Otto</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">Saturday, August
30, 2014 00:18</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div dir="ltr">This isn't
complicated. Really. :)<div><br></div><div>You don't *have* to escape
core functions like this, but you should, just to get into the habit of
it.</div><div><br></div><div>Imagine a situation where a rogue plugin
slipped past our filters and did bad things. It would be nice to be
immune, no?</div>
<div><br></div><div>Not saying that is possible, or even likely, but it
doesn't hurt to always escape output properly. At minimum, it makes you
think about what the content could be, and in what context it resides,
and how it should be displayed. </div>
<div><br></div><div>It doesn't hurt. In weird and rare situations it
might help. But, it should not be something that reviewers ding you on. I
mean, c'mon.</div><div><br></div></div><div class="gmail_extra"><br
clear="all">
<div>-Otto</div>
<br><br><br></div>
</div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="emil@uzelac.me" photoname="Emil Uzelac"
src="cid:part1.04030500.05060804@danemorganmedia.com"
name="postbox-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:emil@uzelac.me"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Emil Uzelac</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">Friday, August
29, 2014 23:51</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div dir="ltr"><div
class="gmail_default"><font face="courier new, monospace">esc_url</font><span
style="font-family:arial,helvetica,sans-serif"> will check first and
clean when needed: <a moz-do-not-send="true"
href="https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/formatting.php#L2875">https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/formatting.php#L2875</a>. </span></div>
<div class="gmail_default"><span
style="font-family:arial,helvetica,sans-serif"><br></span></div><div
class="gmail_default"><span
style="font-family:arial,helvetica,sans-serif">Related and also to
append on my previous messages: </span><font face="arial, helvetica,
sans-serif"><a moz-do-not-send="true"
href="https://core.trac.wordpress.org/changeset/23527/trunk">https://core.trac.wordpress.org/changeset/23527/trunk</a></font></div>
<div class="gmail_default"><font face="arial, helvetica, sans-serif"><br></font></div><div
class="gmail_default"><font face="arial, helvetica, sans-serif">See: </font></div><div
class="gmail_default"><ul><li><span
style="font-family:arial,helvetica,sans-serif"><a moz-do-not-send="true"
href="https://core.trac.wordpress.org/ticket/20771">https://core.trac.wordpress.org/ticket/20771</a></span><br>
</li><li><span style="font-family:arial,helvetica,sans-serif"><a
moz-do-not-send="true" href="http://codex.wordpress.org/Data_Validation">http://codex.wordpress.org/Data_Validation</a></span><br></li></ul><div><font
face="arial, helvetica, sans-serif"><br>
</font></div><div><font face="arial, helvetica, sans-serif">Otto or
Justin are more suitable to answer in details :)</font></div><div><br></div></div></div><div
class="gmail_extra"><br><br><br></div>
</div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="dane@danemorganmedia.com" photoname="Dane Morgan"
src="cid:part4.08050904.06030407@danemorganmedia.com"
name="postbox-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:dane@danemorganmedia.com"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Dane Morgan</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">Friday, August
29, 2014 22:54</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody">
Is there a list somewhere
of what is and is not escaped?<br>
<br>
What happens if you escape something that is already escaped? Nothing
horrible, right?<br>
<br>
<br>
</div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="tollmanz@gmail.com" photoname="Zack Tollman"
src="cid:part5.05080301.07070309@danemorganmedia.com"
name="postbox-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:tollmanz@gmail.com"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Zack Tollman</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">Friday, August
29, 2014 19:46</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div dir="ltr">Are you trolling
me, Emil? ;)<div><br></div><div>`get_the_permalink()` was added in
3.9.0 to be more consistent with other template tags (e.g.,
`get_the_title()`, not `get_title()`). It is just a synonym for
`get_permalink()`. You shouldn't use it for themes unless you plan to
not support &lt; 3.9.0. You can see it in all its glory here: <a
moz-do-not-send="true"
href="https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L99">https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L99</a>.</div>
<div><br></div><div>Here is `get_permalink()`: <a moz-do-not-send="true"
href="https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L112">https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L112</a>.
The function concludes with: <a moz-do-not-send="true"
href="https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L231">https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L231</a>.
At no point is it escaped. When core uses the function for echoing to
the screen, it escapes `get_permalink()` (<a moz-do-not-send="true"
href="https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L22">https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L22</a>).</div>
<div><br></div><div>It's SO not escaped.</div></div><div
class="gmail_extra"><br><br><br></div>
</div>
</blockquote>
<br>
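<div>The situation discussed in the thread (an unescaped <code>get_permalink()</code> whose value a plugin has altered, and escaping a value twice), as an added example that is not part of any message above or of WordPress core. It assumes a loaded WordPress test site; the <code>example_</code> function names, the injected marker and post ID 1 are constructed for illustration.</div>

```php
<?php
// Added example, not code from the thread. Needs WordPress loaded, for
// instance in a throwaway theme's functions.php on a test site.

// Constructed stand-in for the "rogue plugin": get_permalink() ends by
// passing its result through the 'post_link' filter (for posts of type
// 'post'), so any plugin can change what a theme receives.
function example_rogue_post_link( $permalink ) {
	// Harmless marker that would close the href attribute if echoed raw.
	return $permalink . '"><b>injected</b>';
}

// Returns the raw and escaped forms of one post's permalink, and whether
// running esc_url() on an already-escaped URL changes it again.
function example_permalink_escaping_report( $post_id ) {
	add_filter( 'post_link', 'example_rogue_post_link' );
	$raw = get_permalink( $post_id );
	remove_filter( 'post_link', 'example_rogue_post_link' );

	if ( false === $raw ) {
		return null; // No such post: get_permalink() returned false.
	}

	$once  = esc_url( $raw );  // What a theme should echo into href="".
	$twice = esc_url( $once ); // Escaping the escaped value again.

	return array(
		'raw'         => $raw,
		'escaped'     => $once,
		'escaped_2x'  => $twice,
		'same_result' => ( $once === $twice ),
		// True if the raw value still carries the attribute-closing quote.
		'raw_breaks_attribute' => ( false !== strpos( $raw, '"' ) ),
		'escaped_breaks_attribute' => ( false !== strpos( $once, '"' ) ),
	);
}

// Print the report when run through WP-CLI; 1 is a constructed post ID.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
	print_r( example_permalink_escaping_report( 1 ) );
}
```

<div>In a template the two forms compared here are <code>echo get_permalink();</code> and <code>echo esc_url( get_permalink() );</code> inside an <code>href</code> attribute.</div>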
</body></html>