<div dir="ltr"><div><div><div>Hi Ulrich <br><br><br></div>Thanks for the answer. I will ask users to do this as a required one.<br><br></div>Thanks<br></div>Priyanshu<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 3, 2014 at 7:39 PM, Ulrich Pogson <span dir="ltr"><<a href="mailto:grapplerulrich@gmail.com" target="_blank">grapplerulrich@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">It is required to escape all data before being outputted anywhere in the theme. Security is the top priority.</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 3 October 2014 15:51, priyanshu mittal <span dir="ltr"><<a href="mailto:priyanshu.mittal@gmail.com" target="_blank">priyanshu.mittal@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Here is my ticket URL: <a href="https://themes.trac.wordpress.org/ticket/21002" target="_blank">https://themes.trac.wordpress.org/ticket/21002</a><br><br></div><div>I have already sanitized the favicon URL before saving it to the database.<br><br></div><div>My question is: do I still need to call esc_url while outputting it in the HTML? Is this required or recommended?<br><br></div><div>The main reason I am asking is because recently I have also been reviewing a theme which has a similar type of code format.<br><br></div><div>So required or recommended?<br><br><br></div><div>Thanks<span><font color="#888888"><br>Priyanshu<br></font></span></div><div><br></div><br></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 3, 2014 at 6:57 PM, Justin Tadlock <span dir="ltr"><<a href="mailto:justin@justintadlock.com" target="_blank">justin@justintadlock.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>We would never have anything so specific as to use `esc_url()` in the guidelines. You'd need to use the most appropriate function for the job. If dealing with URLs, `esc_url()` will usually be your best bet. Questions such as this are better handled by looking at the specific case though. Generic answers/solutions are rarely a good idea when talking about sanitizing, validating, and/or escaping.</div><div><br></div><div>Here's the guideline:</div><div><br></div><div>"Themes are required to validate and sanitize all untrusted data before entering data into the database, and to escape all untrusted data before being output in the Settings form fields or in the Theme template files (see: Data Validation)"</div><div><br></div><div>See: <a href="https://make.wordpress.org/themes/handbook/guidelines/theme-security-and-privacy/" target="_blank">https://make.wordpress.org/themes/handbook/guidelines/theme-security-and-privacy/</a></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On Fri, Oct 3, 2014 at 8:04 AM, priyanshu mittal <span dir="ltr"><<a href="mailto:priyanshu.mittal@gmail.com" target="_blank">priyanshu.mittal@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr"><div><div><div>Hi<br><br></div>Is it mandatory to use esc_url in themes? If yes, can you provide me the link where it has been mentioned.<br><br></div>Thanks<span><font color="#888888"><br></font></span></div><span><font color="#888888">Priyanshu<br></font></span></div>
<br></div></div>_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br></blockquote></div><br></div>
<br></blockquote></div><br></div>
</div></div>
<br></blockquote></div><br></div>
</div></div>
<br></blockquote></div><br></div>
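The sanitize-on-save, escape-on-output pattern the thread settles on, written out as an added example (not code from the thread, the reviewed theme or the handbook). The setting id, text domain and function names are assumed for illustration.

```php
<?php
// Added example: a theme favicon option handled the way the guideline
// describes. Setting id, control id and function names are assumed.

// 1. Sanitize on input. The Customizer runs sanitize_callback before the
//    value reaches the database; esc_url_raw() is the database-safe
//    variant (it does not HTML-encode ampersands the way esc_url() does).
function example_theme_customize_register( WP_Customize_Manager $wp_customize ) {
	$wp_customize->add_setting( 'example_favicon_url', array(
		'default'           => '',
		'sanitize_callback' => 'esc_url_raw',
	) );
	$wp_customize->add_control( new WP_Customize_Image_Control(
		$wp_customize,
		'example_favicon_url',
		array(
			'label'   => __( 'Favicon', 'example-theme' ),
			'section' => 'title_tagline',
		)
	) );
}
add_action( 'customize_register', 'example_theme_customize_register' );

// 2. Escape on output, every time, at the point where the value becomes
//    HTML. The stored value could have been written by another plugin, an
//    import, or an older theme version without the callback, so the
//    template does not trust the database. esc_url() also drops values
//    with a disallowed scheme such as javascript: (it returns ''), so a
//    tampered option yields no icon rather than an injected attribute.
function example_theme_print_favicon() {
	$favicon = get_theme_mod( 'example_favicon_url', '' );
	if ( '' === $favicon ) {
		return;
	}
	printf(
		'<link rel="icon" href="%s">' . "\n",
		esc_url( $favicon ) // escaped for the HTML attribute context
	);
}
add_action( 'wp_head', 'example_theme_print_favicon' );
```

The two calls are not redundant: esc_url_raw() protects the stored value, esc_url() protects the specific attribute context, and a reviewer checks for the second one in the template regardless of what happened on save.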