[theme-reviewers] home_url clarification
scui2005 at gmail.com
Thu Jun 20 10:28:48 UTC 2013
It is good practice to escape url whether is trusted or not. But both codex and guidelines' code examples simply echos.
That's why I started this topic to clarify. We should always recommend authors to escape but not require. Otherwise, we should change the code example in guidelines.
On Jun 20, 2013, at 4:50 AM, Greg Priday <greg at siteorigin.com> wrote:
> I thought this was already a requirement because of:
> "Themes are required to validate and sanitize all untrusted data before entering data into the database, and to escape all untrusted data before being output in the Settings form fields or in the Theme template files (see: Data Validation)"
> I guess it depends on your definition of "untrusted", but I think if another plugin could change the value, it think it should be considered untrusted.
> On Wed, Jun 19, 2013 at 9:58 PM, Otto <otto at ottodestruct.com> wrote:
>> On Wed, Jun 19, 2013 at 2:53 PM, Chip Bennett <chip at chipbennett.net> wrote:
>> > Well now, don't even get started on why get_home_url() and home_url() both
>> > *return* output, and core has no function to *echo* that output. ;)
>> I know. Legacy reasons there.
>> But the bottom line is that adding escaping to home_url *will break
>> existing things*. Quite a lot of them, in fact. So it ain't going to
>> happen. Just saying.
>> Getting a new function created to do what you think it should do is a
>> better approach to take. But even then it's an uphill road.
>> theme-reviewers mailing list
>> theme-reviewers at lists.wordpress.org
> I make free WordPress themes
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the theme-reviewers