[theme-reviewers] home_url clarification
Otto
otto at ottodestruct.com
Wed Jun 19 19:36:41 UTC 2013
On Wed, Jun 19, 2013 at 2:24 PM, Chip Bennett <chip at chipbennett.net> wrote:
> Otto, I agree, but if it is something that is outside the Theme's control,
> shouldn't it be incumbent upon core (which provides the related filter) to
> escape the output?

I can see arguments for both sides of that one. Escaping immediately
before output is safest. Late-escaping, basically.

If you examine the core code currently (trunk), in all of the places I
spot checked, when core uses home_url(), it runs it through esc_url()
before outputting it. This is also the case for things like
admin_url() and such.

Twenty-eleven, twelve, and thirteen all esc_url( home_url() ).
Twenty-ten notably did not.

I would class it as recommended, possibly to move to required in a
version or so?

-Otto
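
The late-escaping pattern discussed in this message, as an added example that is not part of the original thread and not code from WordPress core or any bundled theme. It assumes it is loaded inside WordPress (for instance as a small test plugin), which supplies add_filter(), add_action(), home_url() and esc_url(); the example_* function names and the filter's return value are constructed for illustration.

```php
<?php
// Constructed stand-in for code the theme does not control: any plugin can
// hook the 'home_url' filter and change what home_url() returns.
function example_untrusted_home_url_filter( $url ) {
    // Constructed value: a double quote and angle brackets, none of which
    // belong in a URL but all of which matter inside an HTML attribute.
    return $url . '?ref="><b>injected</b>';
}
add_filter( 'home_url', 'example_untrusted_home_url_filter' );

// Theme-side output, printed in the footer so both forms can be compared
// in the page source.
function example_render_home_links() {
    // No escaping: whatever the filter returned is written into the href
    // as-is, so the quote ends the attribute and the rest is parsed as markup.
    echo '<a href="' . home_url( '/' ) . '">Home (unescaped)</a>' . "\n";

    // Late escaping: esc_url() is applied at the point of output, after every
    // filter has run. It removes characters that are not valid in a URL, so
    // the quote and angle brackets never reach the attribute.
    echo '<a href="' . esc_url( home_url( '/' ) ) . '">Home (escaped)</a>' . "\n";
}
add_action( 'wp_footer', 'example_render_home_links' );
```

Because the filter runs inside home_url(), escaping at the moment of output is the only place the theme can be sure it sees the final value.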