Thanks Otto!<span></span><br><br>On Saturday, August 30, 2014, Otto <<a href="mailto:otto@ottodestruct.com">otto@ottodestruct.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">This isn't complicated. Really. :)<div><br></div><div>You don't *have* to escape core functions like this, but you should, just to get into the habit of it.</div><div><br></div><div>Imagine a situation where a rogue plugin slipped past our filters and did bad things. It would be nice to be immune, no?</div>


<div><br></div><div>Not saying that is possible, or even likely, but it doesn't hurt to always escape output properly. At minimum, it makes you think about what the content could be, and in what context it resides, and how it should be displayed. </div>


<div><br></div><div>It doesn't hurt. In weird and rare situations it might help. But, it should not be something that reviewers ding you on. I mean, c'mon.</div><div><br></div></div><div class="gmail_extra"><br clear="all">


<div>-Otto</div>
<br><br><div class="gmail_quote">On Fri, Aug 29, 2014 at 11:51 PM, Emil Uzelac <span dir="ltr"><<a href="javascript:_e(%7B%7D,'cvml','emil@uzelac.me');" target="_blank">emil@uzelac.me</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div dir="ltr"><div class="gmail_default"><font face="courier new, monospace">esc_url</font><span style="font-family:arial,helvetica,sans-serif"> will check first and clean when needed: <a href="https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/formatting.php#L2875" target="_blank">https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/formatting.php#L2875</a>. </span></div>



<div class="gmail_default"><span style="font-family:arial,helvetica,sans-serif"><br></span></div><div class="gmail_default"><span style="font-family:arial,helvetica,sans-serif">Related and also to append on my previous messages: </span><font face="arial, helvetica, sans-serif"><a href="https://core.trac.wordpress.org/changeset/23527/trunk" target="_blank">https://core.trac.wordpress.org/changeset/23527/trunk</a></font></div>



<div class="gmail_default"><font face="arial, helvetica, sans-serif"><br></font></div><div class="gmail_default"><font face="arial, helvetica, sans-serif">See: </font></div><div class="gmail_default"><ul><li><span style="font-family:arial,helvetica,sans-serif"><a href="https://core.trac.wordpress.org/ticket/20771" target="_blank">https://core.trac.wordpress.org/ticket/20771</a></span><br>



</li><li><span style="font-family:arial,helvetica,sans-serif"><a href="http://codex.wordpress.org/Data_Validation" target="_blank">http://codex.wordpress.org/Data_Validation</a></span><br></li></ul><div><font face="arial, helvetica, sans-serif"><br>



</font></div><div><font face="arial, helvetica, sans-serif">Otto or Justin are more suitable to answer in details :)</font></div><div><br></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div>


On Fri, Aug 29, 2014 at 10:54 PM, Dane Morgan <span dir="ltr"><<a href="javascript:_e(%7B%7D,'cvml','dane@danemorganmedia.com');" target="_blank">dane@danemorganmedia.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>

<div bgcolor="#FFFFFF" text="#000000">Is there a list somewhere 
of what is an is not escaped?<br>
<br>
What happens if you escape something that is already escaped? Nothing 
horrible, right?<div><br>
<br>
Zack Tollman wrote:
<blockquote type="cite">It's SO not escaped.</blockquote>
<br>
</div><span><font color="#888888"><div>-- <br>
<div>Sent with <a href="http://www.getpostbox.com" target="_blank"><span style="color:rgb(51,102,153)">Postbox</span></a></div></div>
</font></span></div>
<br></div></div><div>_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="javascript:_e(%7B%7D,'cvml','theme-reviewers@lists.wordpress.org');" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br></div></blockquote></div><br></div>
<br>_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="javascript:_e(%7B%7D,'cvml','theme-reviewers@lists.wordpress.org');" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br></blockquote></div><br></div>
</blockquote>