[theme-reviewers] home_url clarification

Chip Bennett chip at chipbennett.net
Wed Jun 19 19:40:00 UTC 2013


I'd prefer to see it as recommended, with a core patch to return escaped
output.


On Wed, Jun 19, 2013 at 3:36 PM, Otto <otto at ottodestruct.com> wrote:

> On Wed, Jun 19, 2013 at 2:24 PM, Chip Bennett <chip at chipbennett.net>
> wrote:
> > Otto, I agree, but if it is something that is outside the Theme's control,
> > shouldn't it be incumbent upon core (which provides the related filter) to
> > escape the output?
>
> I can see arguments for both sides of that one. Escaping immediately
> before output is safest. Late-escaping, basically.
>
> If you examine the core code currently (trunk), in all of the places I
> spot checked, when core uses home_url(), it runs it through esc_url()
> before outputting it. This is also the case for things like
> admin_url() and such.
>
> Twenty-eleven, twelve, and thirteen all esc_url( home_url() ).
> Twenty-ten notably did not.
>
> I would class it as recommended, possibly to move to required in a
> version or so?
>
> -Otto
>
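
Added example, not part of the original messages and not Theme Review or core code: a regex-based review check that flags `home_url()` / `admin_url()` echoed without the `esc_url()` wrapper discussed in the thread. The names `scan` and `unescaped_calls` and the sample template are constructed for illustration; it is a line-level heuristic, not a PHP parser, and ignores comments and `printf`.

```python
import re

# home_url/admin_url and esc_url are the functions named in the thread.
URL_FUNCS = {"home_url", "admin_url"}
ESCAPERS = {"esc_url"}

PHP_BLOCK = re.compile(r"<\?(php\b|=)(.*?)(?:\?>|\Z)", re.S)
STRING = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"", re.S)
ECHO = re.compile(r"\b(?:echo|print)\b([^;]*)")
CALL = re.compile(r"([A-Za-z_]\w*)?\s*\(|\)")

# Constructed sample template, not taken from any real theme.
SAMPLE = '''<?php get_header(); ?>
<a href="<?php echo home_url( '/' ); ?>">Home</a>
<a href="<?php echo esc_url( home_url( '/' ) ); ?>">Home</a>
<a href="<?= admin_url( 'index.php' ) ?>">Admin</a>
<?php $u = home_url(); echo '<a href="' . esc_url( $u ) . '">x</a>'; ?>
'''

def _blank(m):
    # Same-length filler keeps offsets (and so line numbers) intact.
    return re.sub(r"[^\n]", " ", m.group(0))

def unescaped_calls(expr):
    """URL functions in expr that are not nested inside an escaper call."""
    stack, found = [], []
    for m in CALL.finditer(expr):
        if m.group(0) == ")":
            if stack:
                stack.pop()
            continue
        name = m.group(1) or ""
        if name in URL_FUNCS and not ESCAPERS & set(stack):
            found.append((m.start(), name))
        stack.append(name)  # track enclosing calls, innermost last
    return found

def scan(source):
    """Return (line, function) for each URL function output without esc_url()."""
    hits = []
    for block in PHP_BLOCK.finditer(source):
        code = STRING.sub(_blank, block.group(2))  # hide string literals
        if block.group(1) == "=":                  # <?= ... ?> is one echo
            exprs = [(0, code)]
        else:
            exprs = [(e.start(1), e.group(1)) for e in ECHO.finditer(code)]
        for off, expr in exprs:
            for pos, name in unescaped_calls(expr):
                at = block.start(2) + off + pos
                hits.append((source.count("\n", 0, at) + 1, name))
    return hits
```

Line 5 of the sample is not flagged: the value is stored unescaped and wrapped in `esc_url()` only at the point of output, which is the late-escaping pattern described in the quoted message.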