[theme-reviewers] home_url('/') VS esc_url(home_url('/')) Clarification

Chip Bennett chip at chipbennett.net
Thu Sep 12 20:05:50 UTC 2013


So I would take that to mean that the output of the get_home_url filter
should be escaped.

Themes can't fix or provide a prophylactic for every conceivable way for a
user to bork a site; where is the appropriate place to draw the line?


On Thu, Sep 12, 2013 at 3:56 PM, Kirk Wight <kwight at kwight.ca> wrote:

> Note that get_home_url() (which is used by home_url()) is filterable, so
> technically we have no idea what's going to come through; using esc_url(),
> even if not required, will always be a good idea.
>
>
> On 12 September 2013 15:30, Zulfikar Nore <zulfikarnore at live.com> wrote:
>
>> Thanks for the clarification Chip - Noted :)
>>
>> ------------------------------
>> Date: Thu, 12 Sep 2013 14:32:55 -0400
>> From: chip at chipbennett.net
>> To: theme-reviewers at lists.wordpress.org
>> Subject: Re: [theme-reviewers] home_url('/') VS esc_url(home_url('/'))
>> Clarification
>>
>>
>> I would consider it as *recommended*, since home_url() isn't explicitly
>> user-configurable. At the very least, if it's considered as *required*,
>> then it is minor enough to leave until the next revision.
>>
>>
>> On Thu, Sep 12, 2013 at 2:30 PM, Zulfikar Nore <zulfikarnore at live.com> wrote:
>>
>> As this page:
>> http://make.wordpress.org/themes/guidelines/guidelines-theme-security-and-privacy/ has
>> since changed I thought I'd ask just to be clear I understand the
>> requirements.
>>
>> Is esc_url for home_url a requirement or recommended? This page:
>> http://codex.wordpress.org/Data_Validation does not state explicitly
>> that it is a requirement.
>>
>> So if it's a requirement - is it a must fix requirement or can it be a fix
>> in next revision requirement?
>>
>> Thanks in advance,
>> Zulf
>>
>> _______________________________________________
>> theme-reviewers mailing list
>> theme-reviewers at lists.wordpress.org
>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
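
The point raised in this thread, that the value returned by home_url() passes through a filter any plugin can hook, shown as an added example that is not part of the original messages. It assumes the code runs inside WordPress; the callback name and the filtered value are constructed for illustration.

```php
<?php
/**
 * Added example, not code from the thread. Assumes WordPress is loaded
 * (for instance a small plugin file plus a theme template).
 */

// Hypothetical plugin callback on the 'home_url' filter. Any plugin can
// register one, so a theme cannot assume the result is a clean URL.
function example_filtered_home_url( $url, $path, $orig_scheme, $blog_id ) {
    // Constructed value: a stray double quote followed by extra text.
    return 'http://example.com/" data-unexpected="1';
}
add_filter( 'home_url', 'example_filtered_home_url', 10, 4 );

// Unescaped template output: the filtered string is echoed verbatim, so the
// stray quote ends the href early and the remainder is parsed as markup.
?>
<a href="<?php echo home_url( '/' ); ?>">Home (unescaped)</a>

<?php
// Escaped template output: esc_url() removes characters that are not allowed
// in a URL, the double quote among them, so the value stays inside href.
?>
<a href="<?php echo esc_url( home_url( '/' ) ); ?>">Home (escaped)</a>
```

Viewing the page source of the two links shows the difference: only the first one carries a second attribute that the theme author never wrote.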