[theme-reviewers] home_url clarification

Otto otto at ottodestruct.com
Wed Jun 19 19:22:09 UTC 2013


I would not say that it is required, but it doesn't hurt.

Thing about functions like home_url and such is that their output can
be manipulated via plugins or other code. So it's possible that it
could return something unexpected, in which case escaping it properly
makes sense.

When in doubt, escape.

-Otto


On Wed, Jun 19, 2013 at 2:19 PM, Stephen Cui <scui2005 at gmail.com> wrote:
> Thanks Cais for the clarification.
>
> To be honest, this is something that has bothered me for a while. I believe esc_url is
> not required for home_url(). However, many reviewers make it a required issue.
>
>
> Zhijian (Stephen) Cui
> Cell: (609)977-5089
> eMail: scui2005 at gmail.com
>
>
> On Wed, Jun 19, 2013 at 2:13 PM, Edward Caissie <edward.caissie at gmail.com>
> wrote:
>>
>> I don't consider that a manipulation of the $path parameter; but, with
>> something like the following, I would say yes ...
>>
>> home_url( theme_new_path() );
>> function theme_new_path() {
>>   $path = '/';
>>   return apply_filters( 'theme_new_path_filter', $path );
>> }
>>
>> Something like this would be a much better candidate to be escaped,
>> although I really am not seeing this in a use case scenario; it is just some
>> random (pseudo) code to clarify what I see as manipulating the $path
>> parameter of the function.
>>
>> Edward Caissie
>> aka Cais.
>>
>>
>> On Wed, Jun 19, 2013 at 2:55 PM, Stephen Cui <scui2005 at gmail.com> wrote:
>>>
>>> How about home_url( '/' ) ?
>>>
>>>
>>>
>>> On Wed, Jun 19, 2013 at 1:52 PM, Edward Caissie
>>> <edward.caissie at gmail.com> wrote:
>>>>
>>>> If the theme is manipulating the $path parameter of the function, or
>>>> attaching something to the `home_url` hook then I would say yes, otherwise
>>>> `home_url()` on its own should be fine as by default $path is empty.
>>>>
>>>> Edward Caissie
>>>> aka Cais.
>>>>
>>>>
>>>> On Wed, Jun 19, 2013 at 2:39 PM, Stephen Cui <scui2005 at gmail.com> wrote:
>>>>>
>>>>> According to the example in
>>>>> http://codex.wordpress.org/Theme_Review#Site_Information, echo home_url() is
>>>>> acceptable (or not?)
>>>>>
>>>>> But many reviewers ask the author to use echo esc_url( home_url() ).
>>>>>
>>>>> Question: Is esc_url required in the home_url() case?
>>>>>
>>>>> Regards
>>>>>
>>>>> Stephen
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> theme-reviewers mailing list
>>>>> theme-reviewers at lists.wordpress.org
>>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
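
The point made at the top of this thread, that a plugin can change what home_url() returns, shown as an added example that is not code from the thread or from WordPress itself. It assumes the file is loaded inside a WordPress install (for instance as a small plugin); the example_ function names and the appended query string are hypothetical and constructed for the demonstration.

```php
<?php
/**
 * Added example: why a theme escapes home_url() at output time.
 * Assumes WordPress is loaded; example_* names are hypothetical.
 */

// Plugin side: hook the 'home_url' filter and change the returned value.
// The appended string is constructed for the demo. It contains a double
// quote and a raw ampersand, neither of which a theme author calling
// home_url() would expect to receive.
function example_filter_home_url( $url, $path, $orig_scheme, $blog_id ) {
	return $url . '?ref="partner"&lang=en';
}
add_filter( 'home_url', 'example_filter_home_url', 10, 4 );

// Theme side: build the same link twice so the two results can be compared.
function example_home_links() {
	$raw = home_url( '/' );

	return array(
		// The double quote in the filtered value closes the href attribute
		// early, so the rest of the URL spills into the tag as stray markup.
		'unescaped' => '<a href="' . $raw . '">Home</a>',

		// esc_url() drops characters that are not valid in a URL (the double
		// quote among them) and encodes the ampersand for HTML output, so the
		// attribute stays intact whatever the filter returned.
		'escaped'   => '<a href="' . esc_url( $raw ) . '">Home</a>',
	);
}

// Print both forms in the footer, for logged-in administrators only, so the
// difference is visible in the page source while testing.
function example_show_home_links() {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	$links = example_home_links();
	echo "<!-- unescaped markup would be: " . esc_html( $links['unescaped'] ) . " -->\n";
	echo $links['escaped'];
}
add_action( 'wp_footer', 'example_show_home_links' );
```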

