[theme-reviewers] Escaping JS

Konstantin Kovshenin kovshenin at gmail.com
Sat Dec 7 11:22:38 UTC 2013


The unfiltered_html might be a good cap to check against.

On Saturday, December 7, 2013, Otto wrote:

> If it's intended to be allowed to output code, then there's really no
> escaping to be done on it.
>
> I'd say that for security reasons, you would probably want to make sure
> the user has the edit_themes capability to be allowed to edit that field.
> You could do this by adding 'capability' => 'edit_themes' to the
> add_setting call.
>
> But you wouldn't escape the output since that would negate the code.
> Escaping is for preventing that sort of thing, not for allowing it.
>
> -Otto
>
>
> On Sat, Dec 7, 2013 at 4:05 AM, Ola Łączek <ola at bodera.com> wrote:
>
>> Hello!
>>
>> Could somebody help me with that? Or point me in the right direction?
>> Thanks in advance!
>>
>> ---------- Forwarded message ----------
>> From: Ola Łączek <ola at bodera.com>
>> Date: Thu, Dec 5, 2013 at 6:10 PM
>> Subject: Escaping JS
>> To: theme-reviewers at lists.wordpress.org
>>
>>
>> Hello!
>>
>> I'm reviewing a theme that has a field in the customizer to input a block of
>> JavaScript code to be output in the header. I'm wondering what would be
>> the proper way of escaping that code on output, since the esc_js() function
>> doesn't cover it?
>>
>> Best regards,
>> Ola Laczek
>>
>>
>> _______________________________________________
>> theme-reviewers mailing list
>> theme-reviewers at lists.wordpress.org
>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>
>>
>

-- 
Konstantin
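One way to put the thread's advice together, as an added example that is not code from the thread or from any theme under review: the setting is registered with a capability (unfiltered_html, as suggested above, in place of Otto's edit_themes), the sanitize callback re-checks that capability rather than escaping the code, and the output is printed verbatim. The setting id, control id and function name are assumed.

```php
<?php
// Added example: a Customizer setting holding a raw header <script> block,
// gated on the unfiltered_html capability. Setting/control ids are assumed names.

add_action( 'customize_register', function ( WP_Customize_Manager $wp_customize ) {
    $wp_customize->add_setting( 'mytheme_header_js', array(
        'type'              => 'theme_mod',
        'default'           => '',
        // Only users who may already post unfiltered HTML can see and save this field.
        'capability'        => 'unfiltered_html',
        // Defense in depth: re-check the capability on save instead of "escaping" code.
        'sanitize_callback' => 'mytheme_sanitize_header_js',
    ) );

    $wp_customize->add_control( 'mytheme_header_js', array(
        'label'       => __( 'Header JavaScript', 'mytheme' ),
        'description' => __( 'Raw JavaScript inserted verbatim into <head> (no <script> tag needed).', 'mytheme' ),
        'section'     => 'title_tagline',
        'type'        => 'textarea',
    ) );
} );

function mytheme_sanitize_header_js( $value ) {
    // Keep the submitted value only when the saving user is allowed to post
    // unfiltered HTML; otherwise keep what is already stored. Escaping or
    // stripping the code here would break it, which is the point of the thread.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        return get_theme_mod( 'mytheme_header_js', '' );
    }
    return (string) $value;
}

add_action( 'wp_head', function () {
    $js = get_theme_mod( 'mytheme_header_js', '' );
    if ( '' === trim( $js ) ) {
        return;
    }
    // Intentionally unescaped: this value is trusted code from a privileged user.
    echo "<script>\n" . $js . "\n</script>\n";
} );
```

With 'capability' set on the setting, the Customizer hides the control from users lacking it and refuses their saves; the sanitize callback only repeats that check so the trust boundary is visible in one place.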