[theme-reviewers] need your opinion

Kirk Wight kwight at kwight.ca
Thu Aug 16 14:56:12 UTC 2012


So including options that are not functional until activation is not
allowed, but having a basic theme that points to a more functional version
for sale is allowed? Just want to make sure I understand what the guy did
wrong (I thought it was fine because he was clear about what worked and
what didn't).

On 16 August 2012 10:28, Chandra Maharzan <maharzan at gmail.com> wrote:

> Thanks Otto for explaining. Now, I get it. I have been looking into
> Mark Jaquith's video too. :)
>
> And thanks for taking action on the themes. I don't even want to
> mention what I have been through with this guy.
>
> On Thu, Aug 16, 2012 at 8:09 PM, Otto <otto at ottodestruct.com> wrote:
> > No, he does escape, just not using esc_html.
> >
> > Use the right function for the right case. If it's inside a <textarea>
> > then you must use esc_textarea. If it's in an HTML tag as an
> > attribute, then you must use esc_attr. If it's a URL of any sort to be
> > printed out, then you must use esc_url.
> >
> > All these are valid, but they handle different cases. The problem
> > isn't to "use esc_html", it's to use the proper sanitization function
> > for the way that the output is being used.
> >
> > Oh, and his crippleware technique is definitely not allowed.
> >
> > I've suspended these themes for the same basic behaviors:
> > http://wordpress.org/extend/themes/adventure
> > http://wordpress.org/extend/themes/adventure-bound-basic
> >
> > -Otto
> >
> >
> > On Thu, Aug 16, 2012 at 9:19 AM, Chandra Maharzan <maharzan at gmail.com>
> wrote:
> >> Thanks for chiming in, Otto. It doesn't escape HTML (which isn't
> >> needed in his case). Doesn't that allow injecting? And he is using
> >> textarea where a textbox could have been used, such as for a URL or
> >> activation code.
> >>
> >> On Thu, Aug 16, 2012 at 8:01 PM, Otto <otto at ottodestruct.com> wrote:
> >>> On Thu, Aug 16, 2012 at 1:27 AM, Chandra Maharzan <maharzan at gmail.com>
> wrote:
> >>>> He has Theme options but they don't work unless people activate (pay)
> >>>> the author. And then he is arguing about sanitization of data fields,
> >>>> which Theme Review clearly says to do (esc_html, esc_attr, etc.).
> >>>> Someone please enlighten me here.
> >>>
> >>> He's right about the escaping, for the most part. Text areas should
> >>> use esc_textarea for sanitization, not esc_html. Similarly, a URL
> >>> should use esc_url. Use the correct escape function for the correct
> >>> purpose.
> >>>
> >>>
> >>> -Otto
> >>> _______________________________________________
> >>> theme-reviewers mailing list
> >>> theme-reviewers at lists.wordpress.org
> >>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
> >>
> >>
> >>
> >> --
> >> cmans
>
>
>
> --
> cmans
>
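To make Otto's "right function for the right case" concrete, here is an added example; it is not code from this thread or from the theme under review. Inside WordPress the real esc_html(), esc_attr(), esc_textarea() and esc_url() are used; the function_exists() fallbacks are simplified stand-ins (an assumption, not WordPress's implementation) so the file also runs under plain `php`. The option values are constructed test inputs, one per output context.

```php
<?php
// Added example, not from the thread or any theme. Stand-ins below are only
// defined when the real WordPress functions are absent (assumption: they are
// simplified and do not reproduce every WordPress detail).

if (!function_exists('esc_html')) {
    function esc_html($text) {
        // Text between tags: neutralise < > & and quotes.
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        // Attribute value: quotes must be encoded so the value cannot close the attribute.
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_textarea')) {
    function esc_textarea($text) {
        // <textarea> content: "</textarea>" must not survive as a closing tag.
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url($url) {
        // Simplified stand-in: keep only http/https/mailto or scheme-less URLs,
        // drop anything else (javascript:, data:, ...), then encode for an attribute.
        $url = trim((string) $url);
        if ($url === '') {
            return '';
        }
        if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $url, $m)
            && !in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed hostile option values, one aimed at each output context.
$options = [
    'activation_code' => '" onmouseover="alert(1)',            // attribute breakout
    'custom_css'      => '</textarea><script>alert(1)</script>', // textarea breakout
    'homepage_url'    => 'javascript:alert(1)',                  // dangerous scheme
    'footer_text'     => '<script>alert(1)</script>',            // tag injection in text
];

function render_theme_options(array $o) {
    $html  = "<form method=\"post\">\n";
    // Attribute context -> esc_attr
    $html .= '<input type="text" name="activation_code" value="'
           . esc_attr($o['activation_code']) . "\">\n";
    // Textarea context -> esc_textarea
    $html .= '<textarea name="custom_css">' . esc_textarea($o['custom_css']) . "</textarea>\n";
    // URL context -> esc_url. esc_attr alone would leave "javascript:alert(1)" intact,
    // because it is a perfectly valid attribute value; only a URL-aware escaper rejects it.
    $html .= '<a href="' . esc_url($o['homepage_url']) . "\">Home</a>\n";
    // Plain text between tags -> esc_html
    $html .= '<p>' . esc_html($o['footer_text']) . "</p>\n";
    $html .= "</form>\n";
    return $html;
}

echo render_theme_options($options);
echo "esc_attr on the URL would give: " . esc_attr($options['homepage_url']) . "\n";
echo "esc_url on the URL gives:       '" . esc_url($options['homepage_url']) . "'\n";
```

Run it with `php` and compare the two final lines: the attribute escaper returns the javascript: URL unchanged, which is why an href takes esc_url, while the form body shows every other payload neutralised by the escaper matching its context.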