[theme-reviewers] Sanitizing Output

Konstantin Kovshenin kovshenin at gmail.com
Tue Oct 8 20:29:47 UTC 2013


> a feature in my theme allows user to enter javascript

Run it through kses on input, also a good idea to check for
current_user_can( 'unfiltered_html' ); before even showing the option. Note
that there are some environments where unfiltered html (including js, etc)
is disabled *for all users* including admins and super admins.


On Wed, Oct 9, 2013 at 12:22 AM, Srikanth Koneru <tskk79 at gmail.com> wrote:

> The header footer js codes that are inserted via theme options, do they
> need to be escaped at all and if so how to do it?
>
>
> On Wed, Oct 9, 2013 at 1:50 AM, Rohit Tripathi <rohitink at live.com> wrote:
>
>> Thanks Chip. :)
>>
>> ------------------------------
>> Date: Tue, 8 Oct 2013 16:18:09 -0400
>> From: chip at chipbennett.net
>>
>> To: theme-reviewers at lists.wordpress.org
>> Subject: Re: [theme-reviewers] Sanitizing Output
>>
>> The general rule is: sanitize on input, escape on output.
>>
>>
>> On Tue, Oct 8, 2013 at 4:00 PM, Rohit Tripathi <rohitink at live.com> wrote:
>>
>> Yes, I have escaped all the Urls. That's done.
>>
>> But, a feature in my theme allows user to enter javascript or html
>> through the theme options panel, which is sanitized on input. So, I hope I
>> don't have to sanitize it on the output. Because, if i use functions like
>> esc_html or esc_js on them, then the whole point of letting theme enter
>> js/html is lost. So, if i have to sanitize them on output, how do i do that?
>>
>> Thanks.
>>
>> ------------------------------
>> Date: Tue, 8 Oct 2013 21:57:44 +0200
>> From: grapplerulrich at gmail.com
>> To: theme-reviewers at lists.wordpress.org
>> Subject: Re: [theme-reviewers] Sanitizing Output
>>
>>
>> No, but it is good to escape it.
>> On 8 Oct 2013 21:54, "Rohit Tripathi" <rohitink at live.com> wrote:
>>
>> Hello.
>>
>> I am using Options Framework with my theme. I have properly sanitized all
>> input using all the necessary functions including wp_kses.
>>
>> Is it neccessary to sanitize it on the output?
>>
>> _______________________________________________
>> theme-reviewers mailing list
>> theme-reviewers at lists.wordpress.org
>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>
>>
>> _______________________________________________ theme-reviewers mailing
>> list theme-reviewers at lists.wordpress.org
>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>
>> _______________________________________________
>> theme-reviewers mailing list
>> theme-reviewers at lists.wordpress.org
>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>
>>
>>
>> _______________________________________________ theme-reviewers mailing
>> list theme-reviewers at lists.wordpress.org
>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>
>> _______________________________________________
>> theme-reviewers mailing list
>> theme-reviewers at lists.wordpress.org
>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>
>>
>
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
>


-- 
Konstantin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wordpress.org/pipermail/theme-reviewers/attachments/20131009/66dc14ad/attachment.html>


More information about the theme-reviewers mailing list