[theme-reviewers] use of esc_url

Justin Tadlock justin at justintadlock.com
Fri Oct 3 13:27:24 UTC 2014


We would never have anything so specific as to use `esc_url()` in the
guidelines.  You'd need to use the most appropriate function for the job.
If dealing with URLs, `esc_url()` will usually be your best bet.  Questions
such as this are better handled by looking at the specific case though.
Generic answers/solutions are rarely a good idea when talking about
sanitizing, validating, and/or escaping.

Here's the guideline:

"Themes are required to validate and sanitize all untrusted data before
entering data into the database, and to escape all untrusted data before
being output in the Settings form fields or in the Theme template files
(see: Data Validation)"

See:
https://make.wordpress.org/themes/handbook/guidelines/theme-security-and-privacy/

On Fri, Oct 3, 2014 at 8:04 AM, priyanshu mittal <priyanshu.mittal at gmail.com> wrote:

> Hi
>
> Is it mandatory to use esc_url in the themes? If yes, can you provide me
> the link where it has been mentioned?
>
> Thanks
> Priyanshu
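As an added illustration of the guideline quoted in this thread (not code from the list post or from WordPress itself), the following theme snippet sanitizes two Customizer settings on save and escapes them on output with the function that matches each output context. The `mytheme_` names, the setting IDs and the markup are hypothetical.

```php
<?php
// Added example: "mytheme_" names and setting IDs are hypothetical.

// Sanitize on the way in: each setting gets a callback matched to its data type.
add_action( 'customize_register', function ( $wp_customize ) {
	$wp_customize->add_setting( 'mytheme_footer_link', array(
		'default'           => '',
		'sanitize_callback' => 'esc_url_raw',         // URL headed for the database
	) );
	$wp_customize->add_setting( 'mytheme_footer_label', array(
		'default'           => '',
		'sanitize_callback' => 'sanitize_text_field', // plain text, tags stripped
	) );

	$wp_customize->add_control( 'mytheme_footer_link', array(
		'label'   => __( 'Footer link URL', 'mytheme' ),
		'section' => 'title_tagline',
		'type'    => 'url',
	) );
	$wp_customize->add_control( 'mytheme_footer_label', array(
		'label'   => __( 'Footer link label', 'mytheme' ),
		'section' => 'title_tagline',
		'type'    => 'text',
	) );
} );

// Escape on the way out: the function depends on where the value lands.
function mytheme_footer_link() {
	$url   = get_theme_mod( 'mytheme_footer_link', '' );
	$label = get_theme_mod( 'mytheme_footer_label', '' );

	if ( '' === $url ) {
		return; // nothing saved, print nothing
	}

	printf(
		'<a href="%1$s" title="%2$s">%3$s</a>',
		esc_url( $url ),    // URL context: disallowed protocols such as javascript: are rejected
		esc_attr( $label ), // attribute context
		esc_html( $label )  // element text context
	);
}
```

The same label value passes through `esc_attr()` in the `title` attribute and `esc_html()` in the link text, which is why a single "always use `esc_url()`" rule would not cover a template like this.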