[theme-reviewers] Fwd: Escaping JS
Otto
otto at ottodestruct.com
Sat Dec 7 10:34:04 UTC 2013
If it's intended to be allowed to output code, then there's really no
escaping to be done on it.
I'd say that for security reasons, you would probably want to make sure the
user has the edit_themes capability to be allowed to edit that field. You
could do this by adding 'capability' => 'edit_themes' to the add_setting
call.
But you wouldn't escape the output since that would negate the code.
Escaping is for preventing that sort of thing, not for allowing it.
-Otto
On Sat, Dec 7, 2013 at 4:05 AM, Ola Łączek <ola at bodera.com> wrote:
> Hello!
>
> Could somebody help me with that? Or point me in the right direction?
> Thanks in advance!
>
> ---------- Forwarded message ----------
> From: Ola Łączek <ola at bodera.com>
> Date: Thu, Dec 5, 2013 at 6:10 PM
> Subject: Escaping JS
> To: theme-reviewers at lists.wordpress.org
>
>
> Hello!
>
> I'm reviewing a theme that has a field in customizer to input block of
> Java Script code to be outputted in the header. I'm wondering what would be
> the proper way of escaping that code on output, since esc_js() function
> doesn't cover it?
>
> Best regards,
> Ola Laczek
>
>
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wordpress.org/pipermail/theme-reviewers/attachments/20131207/6aa54116/attachment-0001.html>
More information about the theme-reviewers
mailing list