[theme-reviewers] Sanitize Custom Css in Theme Options
Justin Tadlock
justin at justintadlock.com
Mon Feb 4 18:02:35 UTC 2013
Here's a quick way to sanitize and validate colors (with hash) that
I pulled from core:

    // Keep $color only if it is "#" plus 3 or 6 hex digits; otherwise discard it.
    if ( ! preg_match( '|^#([A-Fa-f0-9]{3}){1,2}$|', $color ) ) {
        $color = '';
    }
You should also make sure your input elements only allow 6 or 7 (if
you're expecting a hash mark) characters with the "maxlength" attribute.
On 2/4/2013 8:03 AM, Chip Bennett wrote:
> The rules regarding allowable functions are different for Themes and
> Plugins. Plugins can use read/write functions such as
> file_get_contents(), etc.; Themes cannot. So, csstidy() may be
> appropriate for the JetPack Plugin, but it won't be for Themes.
>
> That said, you don't need anything that bulky anyway. All you *have*
> to do is to ensure that it's not unsafe. For that, you could probably
> use one of the WordPress KSES functions
> <http://core.trac.wordpress.org/browser/tags/3.5.1/wp-includes/kses.php#L0>,
> such as wp_filter_kses()
> <http://codex.wordpress.org/Function_Reference/wp_filter_kses>, inside
> your register_setting() validation callback.
>
> Also, be sure your stand-alone Theme is approved prior to submitting
> any Child Themes for it. One of the guidelines for Child Themes is
> that its parent Theme must already be approved in the repository.
>
> Regards,
> Chip
>
>
> On Mon, Feb 4, 2013 at 8:04 AM, Ünsal Korkmaz <unsalkorkmaz at gmail.com
> <mailto:unsalkorkmaz at gmail.com>> wrote:
>
> Hi,
> I released 1 parent
> <http://themes.trac.wordpress.org/ticket/10967> and 1 child theme
> <http://themes.trac.wordpress.org/ticket/11003> this week. These
> are my first theme contributions to the WordPress community, so it's
> my first time submitting themes to the directory. When I uploaded the
> parent theme from http://wordpress.org/extend/themes/upload/ I got a
> *WARNING: file_get_contents in class.csstidy_print.php* error and the
> system denied my theme automatically. I took the csstidy code from the
> Jetpack plugin's Custom CSS
> <http://jetpack.me/support/custom-css/> module, but the system still
> didn't accept it. Basically, custom CSS sanitizing is an important
> subject in my opinion, and there is no default WordPress function
> like esc_attr()
> <http://codex.wordpress.org/Function_Reference/esc_attr> for it.
> Probably the csstidy class is not the best solution, but it was the
> best option I had, and it seems it is not accepted in the theme
> directory. So what is the best way to sanitize custom CSS in themes?
>
>
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> <mailto:theme-reviewers at lists.wordpress.org>
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
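Added example (not code from this thread, from Jetpack or from WordPress core) showing the two pieces discussed above as register_setting() validation callbacks: the hex color check done with preg_match(), and a custom-CSS callback that rejects the constructs a browser could turn into script or into a break-out of the enclosing <style> element. The example_* function and option names, the blocklist and the sample inputs are this example's own assumptions. Before relying on a general-purpose HTML filter such as wp_filter_kses() for CSS, save a rule with a child selector like "a > b" and check what comes back: kses entity-encodes a stray ">" as &gt;, which breaks the selector, so a CSS-specific check is needed either way.

```php
<?php
// Added example for this thread. It is not code from the thread, from Jetpack
// or from WordPress core; the example_* function and option names are made up,
// and the blocklist is this example's own choice rather than a WordPress API.

// Validate a hex color with a leading "#" (3 or 6 hex digits). Same pattern as
// in the message above, used with preg_match() so a valid color passes through
// unchanged and anything else becomes ''.
function example_sanitize_hex_color( $color ) {
    $color = trim( (string) $color );
    if ( preg_match( '|^#([A-Fa-f0-9]{3}){1,2}$|', $color ) ) {
        return $color;
    }
    return '';
}

// Normalize CSS for inspection only: strip comments and resolve backslash
// escapes, so "expr/*x*/ession(" and "\65 xpression(" are seen the way a
// browser's CSS parser will see them. The normalized text is never stored.
function example_css_normalize( $css ) {
    $css = preg_replace( '#/\*.*?\*/#s', '', $css );
    // \H{1,6} followed by one optional whitespace character -> that character
    $css = preg_replace_callback( '/\\\\([0-9a-fA-F]{1,6})\s?/', function ( $m ) {
        $cp = hexdec( $m[1] );
        return ( $cp > 0 && $cp < 128 ) ? chr( $cp ) : '?';
    }, $css );
    // \X for any other character -> X
    return preg_replace( '/\\\\(.)/s', '$1', $css );
}

// Validation callback for a custom-CSS textarea. Returns the CSS unchanged if
// no dangerous construct is present and '' otherwise: rejecting the whole
// submission avoids storing a "repaired" stylesheet that nobody wrote.
function example_sanitize_custom_css( $css ) {
    $css   = (string) $css;
    $probe = strtolower( example_css_normalize( $css ) );
    $probe = preg_replace( '/\s+/', '', $probe ); // "behavior :" -> "behavior:"

    $blocklist = array(
        '<',             // any tag start, including a </style> breakout
        'expression(',   // IE dynamic properties run JavaScript
        'javascript:',   // script URLs inside url()
        'vbscript:',
        'behavior:',     // IE .htc behaviors
        '-moz-binding:', // old Gecko XBL bindings
        '@import',       // pulling in a remote stylesheet
        'data:',         // data: URLs
    );
    foreach ( $blocklist as $needle ) {
        if ( strpos( $probe, $needle ) !== false ) {
            return '';
        }
    }
    return $css;
}

if ( function_exists( 'add_action' ) ) {
    // Inside WordPress: the third argument of register_setting() is the
    // sanitization callback that runs on every save of the option.
    add_action( 'admin_init', function () {
        register_setting( 'example_theme_options', 'example_custom_css', 'example_sanitize_custom_css' );
        register_setting( 'example_theme_options', 'example_link_color', 'example_sanitize_hex_color' );
    } );
} else {
    // Stand-alone run (php this-file.php): constructed inputs, not real submissions.
    $samples = array(
        'a > b { color: #ABC; }',                       // child selector must survive
        '#x { font-family: \61 rial; }',                // harmless escape, decodes to "arial"
        'body { width: expr/*x*/ession( alert(1) ); }', // comment-split expression()
        "p { background: url( java\tscript:alert(1) ); }",
        '</style><script>alert(1)</script>',
    );
    foreach ( $samples as $sample ) {
        $verdict = ( '' === example_sanitize_custom_css( $sample ) ) ? 'REJECTED' : 'kept';
        printf( "%-48s %s\n", $sample, $verdict );
    }
    foreach ( array( '#abc', '#A1B2C3', 'abc', '#ggg', '#abcd' ) as $c ) {
        printf( "%-10s => '%s'\n", $c, example_sanitize_hex_color( $c ) );
    }
}
```

The first two samples are kept and the last three rejected; of the colors only "#abc" and "#A1B2C3" come back non-empty. Matching on a normalized copy while storing the original is what lets a legitimate escape such as "\61 rial" through while still catching the same escape used to hide "expression(".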