[theme-reviewers] esc_url() for all links?
Emil Uzelac
emil at uzelac.me
Sat Aug 30 00:52:56 UTC 2014
I wasn't trolling, just wasn't aware that get_the_permalink was added in
3.9 and I stand corrected!
https://developer.wordpress.org/reference/functions/get_the_permalink/
On Fri, Aug 29, 2014 at 7:46 PM, Zack Tollman <tollmanz at gmail.com> wrote:
> Are you trolling me, Emil? ;)
>
> `get_the_permalink()` was added in 3.9.0 to be more consistent with other
> template tags (e.g., `get_the_title()`, not `get_title()`). It is just a
> synonym for `get_permalink()`. You shouldn't use it for themes unless you
> plan to not support < 3.9.0. You can see it in all its glory here:
> https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L99.
>
> Here is `get_permalink()`:
> https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L112.
> The function concludes with:
> https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L231.
> At no point is it escaped. When core uses the function for echoing to the
> screen, it escapes `get_permalink()`
> (https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L22).
>
> It's SO not escaped.
>
>
> On Fri, Aug 29, 2014 at 5:35 PM, Emil Uzelac <emil at uzelac.me> wrote:
>
>> the_permalink and get_permalink are both escaped and get_the_permalink
>> does not exist :)
>>
>>
>> On Fri, Aug 29, 2014 at 7:30 PM, Zack Tollman <tollmanz at gmail.com> wrote:
>>
>>> That function is `the_permalink()`, which concludes by calling and
>>> escaping `get_permalink()`:
>>> https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L22.
>>> `get_permalink()`, on the other hand, is never escaped:
>>> https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L112
>>>
>>>
>>> On Fri, Aug 29, 2014 at 5:25 PM, Emil Uzelac <emil at uzelac.me> wrote:
>>>
>>>> No, get_permalink is escaped:
>>>> https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L14
>>>>
>>>>
>>>>
>>>> On Fri, Aug 29, 2014 at 7:22 PM, Zack Tollman <tollmanz at gmail.com>
>>>> wrote:
>>>>
>>>>> `the_permalink()` is escaped, but `get_permalink()` (or the newer
>>>>> `get_the_permalink()`) is not escaped and still needs to be escaped.
>>>>>
>>>>>
>>>>> On Fri, Aug 29, 2014 at 4:31 PM, Emil Uzelac <emil at uzelac.me> wrote:
>>>>>
>>>>>> And get_permalink does not need one, because it already exists here:
>>>>>> https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/link-template.php#L0
>>>>>>
>>>>>>
>>>>>> On Fri, Aug 29, 2014 at 6:30 PM, Emil Uzelac <emil at uzelac.me> wrote:
>>>>>>
>>>>>>> Needs an escape and trailingslash as well
>>>>>>> http://codex.wordpress.org/Function_Reference/home_url
>>>>>>>
>>>>>>> <?php echo esc_url( home_url( '/' ) ); ?>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Aug 29, 2014 at 6:26 PM, Yentl Bresseleers <
>>>>>>> hello at design311.com> wrote:
>>>>>>>
>>>>>>>> Why doesn't home_url() do it for you then?
>>>>>>>>
>>>>>>>> On 30/08/2014 01:25, Tom wrote:
>>>>>>>>
>>>>>>>>> I believe get_permalink() does it for you.
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: theme-reviewers [mailto:theme-reviewers-
>>>>>>>>> bounces at lists.wordpress.org]
>>>>>>>>> On Behalf Of Yentl Bresseleers
>>>>>>>>> Sent: Friday, August 29, 2014 4:24 PM
>>>>>>>>> To: Discussion list for WordPress theme reviewers.
>>>>>>>>> Subject: [theme-reviewers] esc_url() for all links?
>>>>>>>>>
>>>>>>>>>> Themes are required to escape all untrusted links before output
>>>>>>>>>> using esc_url(). Escape home_url() in header.php and other similar
>>>>>>>>>> links used elsewhere.
>>>>>>>>>>
>>>>>>>>> Does that mean we have to pass all links through esc_url()? Even
>>>>>>>>> the_permalink()?
>>>>>>>>>
>>>>>>>>> echo esc_url(get_permalink());
>>>>>>>>>
>>>>>>>>> Rather than:
>>>>>>>>>
>>>>>>>>> the_permalink() ?
>>>>>>>>> _______________________________________________
>>>>>>>>> theme-reviewers mailing list
>>>>>>>>> theme-reviewers at lists.wordpress.org
>>>>>>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
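The thread's conclusion, pulled together as an added example (this is not code from the thread, from the theme-reviewers list, or from WordPress core): a header.php/loop fragment that escapes at the point of output. It assumes it runs inside a WordPress theme template where home_url(), get_permalink(), the_permalink(), get_the_permalink() and esc_url() are available, so it is not runnable outside WordPress; the text domain 'example-textdomain' is a placeholder.

```php
<?php
/**
 * Added example, not from the thread or from WordPress core.
 *
 * Rule of thumb from the discussion: functions that *return* a URL
 * (home_url(), get_permalink(), get_the_permalink()) hand back a raw string
 * and must be wrapped in esc_url() when echoed into markup. the_permalink()
 * is the one exception named in the thread: it echoes and escapes itself.
 *
 * Assumes a WordPress theme template context; 'example-textdomain' is a placeholder.
 */
?>

<!-- home_url() returns a raw string: escape it at the point of output,
     and pass '/' so the result carries a trailing slash. -->
<a href="<?php echo esc_url( home_url( '/' ) ); ?>" rel="home">
    <?php bloginfo( 'name' ); ?>
</a>

<?php if ( have_posts() ) : ?>
    <?php while ( have_posts() ) : the_post(); ?>
        <article id="post-<?php the_ID(); ?>">

            <!-- the_permalink() escapes internally (core wraps get_permalink()
                 in esc_url() before echoing), so no extra wrapper is needed here. -->
            <h2><a href="<?php the_permalink(); ?>"><?php the_title(); ?></a></h2>

            <?php
            // get_permalink() is NOT escaped by core. Once the theme holds the
            // value in a variable, escaping on output is the theme's job.
            $read_more_url = get_permalink();
            ?>
            <a class="read-more" href="<?php echo esc_url( $read_more_url ); ?>">
                <?php esc_html_e( 'Read more', 'example-textdomain' ); ?>
            </a>

            <?php
            // Wrong (shown for contrast, do not use): echoing the raw value,
            // i.e. echo get_permalink(); inside an href, skips the escaping step
            // that the_permalink() performs for you.
            ?>

        </article>
    <?php endwhile; ?>
<?php endif; ?>

<?php
// get_the_permalink() only exists since 3.9.0 and is a synonym for
// get_permalink(). A theme that still supports older versions can guard the
// newer name; either way the returned string still needs esc_url() on output.
$canonical_url = function_exists( 'get_the_permalink' ) ? get_the_permalink() : get_permalink();
?>
<link rel="canonical" href="<?php echo esc_url( $canonical_url ); ?>" />
```

The pattern to check for in review is simply whether a raw-returning function (get_*, home_url()) reaches an echo without passing through esc_url(); the_permalink() is fine on its own, and esc_url( get_permalink() ) is equivalent, so either form satisfies the guideline quoted at the start of the thread.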