[theme-reviewers] need your opinion

Chandra Maharzan maharzan at gmail.com
Thu Aug 16 14:19:49 UTC 2012


Thanks for chiming in Otto. It doesn't escape HTML (which isn't
needed in his case). Doesn't that allow injecting? And he is using
textarea for which textbox could have been used such as URL, or
activation code.

On Thu, Aug 16, 2012 at 8:01 PM, Otto <otto at ottodestruct.com> wrote:
> On Thu, Aug 16, 2012 at 1:27 AM, Chandra Maharzan <maharzan at gmail.com> wrote:
>> He has Theme options but it doesn't work unless people activate (pay)
>> the author. And then he is arguing about sanitation of data fields,
>> which Theme Review clearly says to do them (esc_html, esc_attr, etc).
>> Someone please enlighten me here.
>
> He's right about the escaping, for the most part. Text areas should
> use esc_textarea for sanitization, not esc_html. Similarly, a URL
> should use esc_url. Use the correct escape function for the correct
> purpose.
>
>
> -Otto
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers



-- 
cmans
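The context-specific escaping Otto describes, as an added example that is not part of the thread or of the theme under review (the option group, option name and field names are assumed):

```php
<?php
// Added example, not from the thread: a theme-options page where each value is escaped
// by the function matching its output context. Option/field names are assumed.
// Sanitize on save: register_setting() passes the submitted array through this.
function mytheme_sanitize_options( $input ) {
    $clean = array();
    // Store a clean URL, not an HTML-escaped one; escaping is done at output time.
    $clean['site_url']        = esc_url_raw( isset( $input['site_url'] ) ? $input['site_url'] : '' );
    $clean['activation_code'] = sanitize_text_field( isset( $input['activation_code'] ) ? $input['activation_code'] : '' );
    $clean['footer_notes']    = sanitize_textarea_field( isset( $input['footer_notes'] ) ? $input['footer_notes'] : '' );
    return $clean;
}
add_action( 'admin_init', function () {
    register_setting( 'mytheme_options_group', 'mytheme_options', 'mytheme_sanitize_options' );
} );
// Escape on output: the escaper depends on where the value is printed, not on its type.
function mytheme_render_options_form() {
    $opts = wp_parse_args( get_option( 'mytheme_options', array() ),
        array( 'site_url' => '', 'activation_code' => '', 'footer_notes' => '' ) );
    ?>
    <form method="post" action="options.php">
        <?php settings_fields( 'mytheme_options_group' ); ?>
        <!-- Single-line values belong in an <input>; a value attribute takes esc_attr() -->
        <label>Site URL
            <input type="url" name="mytheme_options[site_url]"
                   value="<?php echo esc_attr( $opts['site_url'] ); ?>">
        </label>
        <label>Activation code
            <input type="text" name="mytheme_options[activation_code]"
                   value="<?php echo esc_attr( $opts['activation_code'] ); ?>">
        </label>
        <!-- Multi-line text belongs in a <textarea>; its body takes esc_textarea() -->
        <label>Footer notes
            <textarea name="mytheme_options[footer_notes]"><?php echo esc_textarea( $opts['footer_notes'] ); ?></textarea>
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}
// Front end: the same stored values land in yet other contexts.
function mytheme_print_footer() {
    $opts = wp_parse_args( get_option( 'mytheme_options', array() ),
        array( 'site_url' => '', 'footer_notes' => '' ) );
    // href is a URL context: esc_url() drops javascript: and other disallowed schemes.
    echo '<a href="' . esc_url( $opts['site_url'] ) . '">' . esc_html( $opts['site_url'] ) . '</a>';
    // Text between tags is an HTML context: esc_html().
    echo '<p>' . esc_html( $opts['footer_notes'] ) . '</p>';
}
add_action( 'wp_footer', 'mytheme_print_footer' );
```

Sanitizing on save and escaping on output are separate steps: the stored value stays usable, and each output site applies the escaper for its own context.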

