[theme-reviewers] need your opinion

Otto otto at ottodestruct.com
Thu Aug 16 14:24:23 UTC 2012


No, he does escape, just not using esc_html.

Use the right function for the right case. If it's inside a <textarea>
then you must use esc_textarea. If it's in an HTML tag as an
attribute, then you must use esc_attr. If it's a URL of any sort to be
printed out, then you must use esc_url.

All these are valid, but they handle different cases. The problem
isn't to "use esc_html", it's to use the proper sanitization function
for the way that the output is being used.

Oh, and his crippleware technique is definitely not allowed.

I've suspended these themes for the same basic behaviors:
http://wordpress.org/extend/themes/adventure
http://wordpress.org/extend/themes/adventure-bound-basic

-Otto
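
Otto's rule above (pick the escaping function by where the value is printed), as an added example that is not code from this thread or from any theme discussed in it. The esc_* stand-ins defined under function_exists() are simplified versions written here so the file runs with plain PHP; they are an assumption, not the WordPress implementations, and are skipped inside WordPress where the real functions exist. The option values are constructed sample data.

```php
<?php
// Added example: one set of theme option values printed in four output
// contexts, each through the escaping function that matches that context.
//
// Assumption: outside WordPress, the esc_* functions below are simplified
// stand-ins written for this example. They are NOT the WordPress code.

if ( ! function_exists( 'esc_html' ) ) {
    // Plain HTML text: encode <, >, &, quotes; leave existing entities alone.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8', false );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    // Attribute value inside quotes: same character set as esc_html.
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8', false );
    }
}
if ( ! function_exists( 'esc_textarea' ) ) {
    // Textarea body: existing entities ARE re-encoded so the saved text
    // round-trips through the editor unchanged.
    function esc_textarea( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8', true );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    // URL for output: only http/https survive here; anything else becomes ''.
    function esc_url( $url ) {
        $url = trim( (string) $url );
        if ( ! preg_match( '#^https?://#i', $url ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8', false );
    }
}

// Constructed sample option values, as a user might have saved them.
$options = array(
    'site_tagline'  => 'Tom & Jerry\'s "Adventure" <Theme>',
    'footer_text'   => "Line one &amp; line two\n<script>alert(1)</script>",
    'homepage_link' => 'javascript:alert(document.cookie)',
    'docs_link'     => 'https://example.com/docs?a=1&b=2',
);

// Each value goes through the function that matches WHERE it is printed.
$html  = '<p>' . esc_html( $options['site_tagline'] ) . "</p>\n";
$html .= '<input type="text" name="site_tagline" value="'
       . esc_attr( $options['site_tagline'] ) . "\">\n";
$html .= '<textarea name="footer_text">'
       . esc_textarea( $options['footer_text'] ) . "</textarea>\n";
$html .= '<a href="' . esc_url( $options['homepage_link'] ) . "\">home</a>\n";
$html .= '<a href="' . esc_url( $options['docs_link'] ) . "\">docs</a>\n";

echo $html;

// Why esc_html is the wrong choice for a textarea: it leaves "&amp;" as is,
// so the editor would display "&" and silently alter the stored text on save.
echo "\nesc_html:     ", esc_html( 'Line one &amp; line two' ), "\n";
echo "esc_textarea: ", esc_textarea( 'Line one &amp; line two' ), "\n";
```

The last two lines show the difference Otto is pointing at: esc_html is right for text between tags, but in a textarea the stored content must be encoded again or the form changes the data on every save; esc_url, not esc_html or esc_attr, is what drops the javascript: link.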


On Thu, Aug 16, 2012 at 9:19 AM, Chandra Maharzan <maharzan at gmail.com> wrote:
> Thanks for chiming in Otto. It doesn't escape HTML (which aren't
> needed in his case). Doesn't that allow injecting ? And he is using
> textarea for which textbox could have been used such as URL, or
> activation code.
>
> On Thu, Aug 16, 2012 at 8:01 PM, Otto <otto at ottodestruct.com> wrote:
>> On Thu, Aug 16, 2012 at 1:27 AM, Chandra Maharzan <maharzan at gmail.com> wrote:
>>> He has Theme options but it doesn't work unless people activate (pay)
>>> the author. And then he is arguing about sanitation of data fields,
>>> which Theme Review clearly says to do them (esc_html, esc_attr, etc.).
>>> Someone please enlighten me here.
>>
>> He's right about the escaping, for the most part. Text areas should
>> use esc_textarea for sanitization, not esc_html. Similarly, a URL
>> should use esc_url. Use the correct escape function for the correct
>> purpose.
>>
>>
>> -Otto
>> _______________________________________________
>> theme-reviewers mailing list
>> theme-reviewers at lists.wordpress.org
>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
>
>
> --
> cmans

