[theme-reviewers] home_url clarification

Otto otto at ottodestruct.com
Wed Jun 19 19:50:36 UTC 2013


On Wed, Jun 19, 2013 at 2:40 PM, Chip Bennett <chip at chipbennett.net> wrote:
> ... with a core patch to return escaped output.

I think this is not possible because of the way these functions are
actually used.

home_url (and other *_url functions) are intended to return the URL.
Keyword being "return", as they're not output functions. They just
return the relevant data. That data could then be subject to further
manipulation, and often is. If you escape them early, then they might
need to be unescaped to manipulate them and then re-escaped later.

Escaping is the responsibility of the code actually doing the output.
home_url() isn't outputting anything, so it should not return escaped
data. If you want to argue for combined functions like, say,
echo_home_url(), or something along those lines, then escaping in them
would make more sense.

Just because it's in core doesn't mean it should always return "safe"
data, because "safe" is relative to what the data is being used for.

-Otto


More information about the theme-reviewers mailing list