[theme-reviewers] use of esc_url

priyanshu mittal priyanshu.mittal at gmail.com
Fri Oct 3 13:51:34 UTC 2014


Here is my ticket url: https://themes.trac.wordpress.org/ticket/21002

I have already sanitized the favicon url before saving it to the database.

My question is: do I still need to call esc_url while outputting it in
the HTML? Is this required or recommended?

The main reason I am asking is that I am also currently reviewing a theme
which has a similar type of code format.

So required or recommended?


Thanks
Priyanshu



On Fri, Oct 3, 2014 at 6:57 PM, Justin Tadlock <justin at justintadlock.com>
wrote:

> We would never have anything so specific as to use `esc_url()` in the
> guidelines.  You'd need to use the most appropriate function for the job.
> If dealing with URLs, `esc_url()` will usually be your best bet.  Questions
> such as this are better handled by looking at the specific case though.
> Generic answers/solutions are rarely a good idea when talking about
> sanitizing, validating, and/or escaping.
>
> Here's the guideline:
>
> "Themes are required to validate and sanitize all untrusted data before
> entering data into the database, and to escape all untrusted data before
> being output in the Settings form fields or in the Theme template files
> (see: Data Validation)"
>
> See:
> https://make.wordpress.org/themes/handbook/guidelines/theme-security-and-privacy/
>
> On Fri, Oct 3, 2014 at 8:04 AM, priyanshu mittal <
> priyanshu.mittal at gmail.com> wrote:
>
>> Hi
>>
>> Is it mandatory to use esc_url in themes? If yes, can you provide me
>> the link where it has been mentioned?
>>
>> Thanks
>> Priyanshu
>>
>> _______________________________________________
>> theme-reviewers mailing list
>> theme-reviewers at lists.wordpress.org
>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>
>>
>
>
>
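The guideline Justin quotes separates two steps: sanitize untrusted data before it enters the database, and escape it again when it is output. The snippet below is an added illustration of both steps for a favicon URL option like the one in the ticket; it is not code from the ticket, the thread, or any theme, and the option, setting-group and function names are hypothetical.

```php
<?php
// Added example, not from the thread or any theme. Names prefixed
// "mytheme_" are hypothetical.

// Step 1: sanitize on the way IN. esc_url_raw() is the variant intended
// for database storage; restricting the protocols rejects javascript: and
// data: values. It returns an empty string for anything it cannot accept.
function mytheme_sanitize_favicon_url( $value ) {
    return esc_url_raw( trim( (string) $value ), array( 'http', 'https' ) );
}

function mytheme_register_settings() {
    // Hypothetical option group and option name; the third argument is the
    // sanitize callback applied whenever the option is saved.
    register_setting( 'mytheme_options', 'mytheme_favicon_url', 'mytheme_sanitize_favicon_url' );
}
add_action( 'admin_init', 'mytheme_register_settings' );

// Step 2: escape on the way OUT, every time the value reaches HTML, even
// though it was sanitized on save. esc_url() also entity-encodes
// characters such as "&" for the HTML context, which esc_url_raw() does not.
function mytheme_print_favicon() {
    $url = get_option( 'mytheme_favicon_url', '' );
    if ( '' === $url ) {
        return;
    }
    printf( '<link rel="shortcut icon" href="%s" />' . "\n", esc_url( $url ) );
}
add_action( 'wp_head', 'mytheme_print_favicon' );

// The Settings form field is output too, so it is escaped the same way.
function mytheme_favicon_field() {
    $url = get_option( 'mytheme_favicon_url', '' );
    printf( '<input type="url" name="mytheme_favicon_url" value="%s" />', esc_url( $url ) );
}
```

Escaping on output is kept regardless of what happened on save because the stored value is only as trustworthy as every path that can write it: a plugin, an import, or a direct database edit can bypass the sanitize callback, and esc_url() is the function that knows how a URL must look inside an HTML attribute.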

