[theme-reviewers] home_url clarification

Greg Priday greg at siteorigin.com
Thu Jun 20 09:50:12 UTC 2013


I thought this was already a requirement because of:

"Themes are *required* to validate and sanitize all untrusted data before
entering data into the database, and to escape all untrusted data before
being output in the Settings form fields or in the Theme template files
(see: Data Validation <http://codex.wordpress.org/Data_Validation>)"

I guess it depends on your definition of "untrusted", but I think if
another plugin could change the value, it should be considered
untrusted.



On Wed, Jun 19, 2013 at 9:58 PM, Otto <otto at ottodestruct.com> wrote:

> On Wed, Jun 19, 2013 at 2:53 PM, Chip Bennett <chip at chipbennett.net> wrote:
> > Well now, don't even get started on why get_home_url() and home_url() both
> > *return* output, and core has no function to *echo* that output. ;)
>
> I know. Legacy reasons there.
>
> But the bottom line is that adding escaping to home_url *will break
> existing things*. Quite a lot of them, in fact. So it ain't going to
> happen. Just saying.
>
> Getting a new function created to do what you think it should do is a
> better approach to take. But even then it's an uphill road.
>
> -Otto



-- 
I make free WordPress themes
http://siteorigin.com
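
The point discussed in this thread, as an added example that is not part of the original email or of WordPress core: home_url() returns a value that any plugin can change through the 'home_url' filter, so a theme escapes it where it is output. It assumes the code is loaded inside WordPress (for instance from a theme's functions.php); the example_ function names, the appended query string and the 'example-theme' text domain are hypothetical.

```php
<?php
// Added illustration. Assumes a WordPress environment, where add_filter(),
// home_url(), esc_url() and esc_html__() are defined by core.

// Constructed stand-in for "another plugin": any code on the site can hook
// the 'home_url' filter and change what home_url() returns to every caller.
add_filter( 'home_url', 'example_plugin_rewrite_home_url', 10, 2 );
function example_plugin_rewrite_home_url( $url, $path ) {
	// Constructed value containing characters that are unsafe in an attribute.
	return $url . '?ref="example"';
}

// Unescaped: whatever the filter chain returned lands in the markup as-is,
// so the double quotes added above end the href attribute early.
function example_theme_home_link_unescaped() {
	return '<a href="' . home_url( '/' ) . '">Home</a>';
}

// Escaped at the point of output: esc_url() for the URL attribute and
// esc_html__() for the translated link text.
function example_theme_home_link() {
	return sprintf(
		'<a href="%s">%s</a>',
		esc_url( home_url( '/' ) ),
		esc_html__( 'Home', 'example-theme' )
	);
}
```

A template would then print the escaped version with `echo example_theme_home_link();`.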