[theme-reviewers] need your opinion
Chandra Maharzan
maharzan at gmail.com
Thu Aug 16 14:28:31 UTC 2012
Thanks Otto for explaining. Now, I get it. I have been looking into
Mark Jaquith's video too. :)
And thanks for taking action on the themes. I don't even want to
mention what I have been through with this guy.
On Thu, Aug 16, 2012 at 8:09 PM, Otto <otto at ottodestruct.com> wrote:
> No, he does escape, just not using esc_html.
>
> Use the right function for the right case. If it's inside a <textarea>
> then you must use esc_textarea. If it's in an HTML tag as an
> attribute, then you must use esc_attr. If it's a URL of any sort to be
> printed out, then you must use esc_url.
>
> All these are valid, but they handle different cases. The problem
> isn't to "use esc_html", it's to use the proper sanitization function
> for the way that the output is being used.
>
> Oh, and his crippleware technique is definitely not allowed.
>
> I've suspended these themes for the same basic behaviors:
> http://wordpress.org/extend/themes/adventure
> http://wordpress.org/extend/themes/adventure-bound-basic
>
> -Otto
>
>
> On Thu, Aug 16, 2012 at 9:19 AM, Chandra Maharzan <maharzan at gmail.com> wrote:
>> Thanks for chiming in Otto. It doesn't escape HTML (which isn't
>> needed in his case). Doesn't that allow injecting? And he is using
>> textarea where a textbox could have been used, such as for a URL or
>> activation code.
>>
>> On Thu, Aug 16, 2012 at 8:01 PM, Otto <otto at ottodestruct.com> wrote:
>>> On Thu, Aug 16, 2012 at 1:27 AM, Chandra Maharzan <maharzan at gmail.com> wrote:
>>>> He has Theme options but they don't work unless people activate (pay)
>>>> the author. And then he is arguing about sanitization of data fields,
>>>> which Theme Review clearly says to do (esc_html, esc_attr, etc.).
>>>> Someone please enlighten me here.
>>>
>>> He's right about the escaping, for the most part. Text areas should
>>> use esc_textarea for sanitization, not esc_html. Similarly, a URL
>>> should use esc_url. Use the correct escape function for the correct
>>> purpose.
>>>
>>>
>>> -Otto
>>> _______________________________________________
>>> theme-reviewers mailing list
>>> theme-reviewers at lists.wordpress.org
>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>
>>
>>
>> --
>> cmans
--
cmans
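As an added example of the point Otto makes in the quoted reply above (this is not code from the thread or from the theme under review), the snippet below renders the same set of theme-option values with the escape function matched to each output context: esc_attr() inside a quoted attribute, esc_textarea() inside a textarea, esc_url() for a URL, esc_html() for text between tags. It assumes it runs inside WordPress (for example from a theme's options page) so those functions are defined; the option names and the hostile values are constructed for illustration.

```php
<?php
// Added example, not code from the thread or from the theme under review.
// Assumes WordPress is loaded (e.g. this runs inside a theme), so
// esc_attr(), esc_textarea(), esc_url() and esc_html() are defined.
// Option names and values below are constructed for illustration.

// Constructed hostile input, as an attacker might save into theme options.
$hostile = array(
    'site_tagline' => '" onmouseover="alert(1)" x="',        // attribute breakout
    'footer_text'  => '</textarea><script>alert(1)</script>', // textarea breakout
    'twitter_link' => 'javascript:alert(1)',                  // dangerous scheme
    'heading'      => '<img src=x onerror=alert(1)>',         // HTML injection
);

/**
 * Options form: each value is escaped for the context it lands in.
 */
function example_render_options_form( array $opts ) {
    ?>
    <form method="post">
        <!-- Value sits inside a double-quoted HTML attribute: esc_attr() -->
        <label>Tagline
            <input type="text" name="site_tagline"
                   value="<?php echo esc_attr( $opts['site_tagline'] ); ?>">
        </label>

        <!-- Value is the content of a <textarea>: esc_textarea().
             '<' is encoded, so a closing </textarea> in the data cannot
             terminate the element early. -->
        <label>Footer text
            <textarea name="footer_text"><?php echo esc_textarea( $opts['footer_text'] ); ?></textarea>
        </label>

        <!-- A URL that is also an attribute value: esc_url(). It rejects
             disallowed schemes and strips characters (including '"') that
             would break out of the attribute. -->
        <label>Twitter link
            <input type="url" name="twitter_link"
                   value="<?php echo esc_url( $opts['twitter_link'] ); ?>">
        </label>
    </form>
    <?php
}

/**
 * Front-end output of the same values.
 */
function example_render_front_end( array $opts ) {
    ?>
    <!-- Text between tags: esc_html() -->
    <h1><?php echo esc_html( $opts['heading'] ); ?></h1>

    <!-- URL in an href: esc_url(). 'javascript:' is not an allowed
         protocol, so esc_url() returns an empty string for that value. -->
    <a href="<?php echo esc_url( $opts['twitter_link'] ); ?>">Follow</a>
    <?php
}

example_render_options_form( $hostile );
example_render_front_end( $hostile );
```

The point is the one Otto makes: none of these functions is "the" escaping function. Each neutralizes the characters that matter in one output context, so the reviewer's check is whether the function matches where the value is printed, not whether esc_html() specifically appears.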