[theme-reviewers] esc_url() for all links?

Otto otto at ottodestruct.com
Sat Aug 30 05:18:55 UTC 2014


This isn't complicated. Really. :)

You don't *have* to escape core functions like this, but you should, just
to get into the habit of it.

Imagine a situation where a rogue plugin slipped past our filters and did
bad things. It would be nice to be immune, no?

Not saying that is possible, or even likely, but it doesn't hurt to always
escape output properly. At minimum, it makes you think about what the
content could be, and in what context it resides, and how it should be
displayed.

It doesn't hurt. In weird and rare situations it might help. But, it should
not be something that reviewers ding you on. I mean, c'mon.


-Otto
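To make Otto's "think about the context" point concrete, here is an added example in the form of a theme template fragment. It is not code from the thread or from WordPress core; it assumes WordPress is loaded, that a theme option named `footer_link` exists (a hypothetical name), and it uses only the real core helpers `get_theme_mod()`, `home_url()`, `esc_url()`, `esc_attr()` and `esc_html()`.

```php
<?php
/**
 * Added example (not from the mailing-list thread or from WordPress core).
 * Renders the same admin-supplied URL in three ways inside a theme template.
 * Assumes WordPress is loaded and that the theme option 'footer_link'
 * (hypothetical name, constructed for this example) holds a URL.
 */

$raw = get_theme_mod( 'footer_link', home_url( '/' ) );

// 1. Unescaped: whatever the option holds lands verbatim inside href.
//    If a rogue plugin or a compromised admin account stored something that
//    is not a plain URL, the template reproduces it as-is.
?>
<a href="<?php echo $raw; ?>">Footer link</a>

<?php
// 2. Escaped for the context it sits in. esc_url() removes characters and
//    protocols that do not belong in a URL and entity-encodes the result for
//    HTML display, so the value is safe as an href even when an upstream
//    filter let something through. This is the "immune" case Otto describes.
?>
<a href="<?php echo esc_url( $raw ); ?>">Footer link</a>

<?php
// 3. Context matters: the same string needs esc_attr() inside an attribute
//    that is not a URL, and esc_html() as visible text. One helper per context;
//    esc_url() on text content or esc_html() on an href is the wrong tool.
?>
<a href="<?php echo esc_url( $raw ); ?>" title="<?php echo esc_attr( $raw ); ?>">
	<?php echo esc_html( $raw ); ?>
</a>

<?php
// Double escaping, the question raised further down the thread: in its
// default display context esc_url() normalises entities that are already
// present before it encodes ampersands, so passing an already-escaped URL
// back through it does not stack a second layer of encoding.
$once  = esc_url( 'https://example.com/?a=1&b=2' ); // constructed sample URL
$twice = esc_url( $once );
```

The practical rule the thread converges on is visible in section 2 and 3: pick the escaping function by where the output lands (href, other attribute, text node), apply it at the point of echo rather than where the value is fetched, and do not worry about running `esc_url()` twice on a URL, since the second pass is a no-op on already-encoded ampersands.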


On Fri, Aug 29, 2014 at 11:51 PM, Emil Uzelac <emil at uzelac.me> wrote:

> esc_url will check first and clean when needed:
> https://core.trac.wordpress.org/browser/tags/3.9.2/src/wp-includes/formatting.php#L2875
>
> Related and also to append on my previous messages:
> https://core.trac.wordpress.org/changeset/23527/trunk
>
> See:
>
>    - https://core.trac.wordpress.org/ticket/20771
>    - http://codex.wordpress.org/Data_Validation
>
>
> Otto or Justin are more suitable to answer in details :)
>
>
>
> On Fri, Aug 29, 2014 at 10:54 PM, Dane Morgan <dane at danemorganmedia.com>
> wrote:
>
>> Is there a list somewhere of what is and is not escaped?
>>
>> What happens if you escape something that is already escaped? Nothing
>> horrible, right?
>>
>>
>> Zack Tollman wrote:
>>
>> It's SO not escaped.
>>
>>
>> --
>> Sent with Postbox <http://www.getpostbox.com>
>>
>> _______________________________________________
>> theme-reviewers mailing list
>> theme-reviewers at lists.wordpress.org
>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>
>>
>