[theme-reviewers] use of esc_url

Ulrich Pogson grapplerulrich at gmail.com
Fri Oct 3 14:09:28 UTC 2014


It is required to escape all data before it is output anywhere in the
theme. Security is the top priority.

On 3 October 2014 15:51, priyanshu mittal <priyanshu.mittal at gmail.com>
wrote:

> Here is my ticket url: https://themes.trac.wordpress.org/ticket/21002
>
> I have already sanitized the favicon url before saving it to the database.
>
> My question is: do I still need to call esc_url while outputting it in
> the HTML? Is this required or recommended?
>
> The main reason I am asking is because recently I am also reviewing a
> theme which has similar type of code format.
>
> So required or recommended?
>
>
> Thanks
> Priyanshu
>
>
>
> On Fri, Oct 3, 2014 at 6:57 PM, Justin Tadlock <justin at justintadlock.com>
> wrote:
>
>> We would never have anything so specific as to use `esc_url()` in the
>> guidelines.  You'd need to use the most appropriate function for the job.
>> If dealing with URLs, `esc_url()` will usually be your best bet.  Questions
>> such as this are better handled by looking at the specific case though.
>> Generic answers/solutions are rarely a good idea when talking about
>> sanitizing, validating, and/or escaping.
>>
>> Here's the guideline:
>>
>> "Themes are required to validate and sanitize all untrusted data before
>> entering data into the database, and to escape all untrusted data before
>> being output in the Settings form fields or in the Theme template files
>> (see: Data Validation)"
>>
>> See:
>> https://make.wordpress.org/themes/handbook/guidelines/theme-security-and-privacy/
>>
>> On Fri, Oct 3, 2014 at 8:04 AM, priyanshu mittal <
>> priyanshu.mittal at gmail.com> wrote:
>>
>>> Hi
>>>
>>> Is it mandatory to use esc_url in themes? If yes, can you provide
>>> me the link where it has been mentioned?
>>>
>>> Thanks
>>> Priyanshu
>>>
>>> _______________________________________________
>>> theme-reviewers mailing list
>>> theme-reviewers at lists.wordpress.org
>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>
>>>
>>
>
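Added example (not code from the thread or from the ticket under review) showing the two layers the guideline asks for, applied to the favicon case discussed above: sanitize with esc_url_raw() on save, then escape again with esc_url() at output. The setting name `favicon_url` and the `example_theme_*` function names are constructed for this illustration.

```php
<?php
// Constructed example: a favicon URL setting that is sanitized on save
// AND escaped on output, as the theme-security guideline requires.
// 'favicon_url' and the example_theme_* names are assumed identifiers.

// 1. Sanitize before the value enters the database.
//    esc_url_raw() keeps the value in a storable form (no entity encoding)
//    and drops disallowed protocols such as javascript:.
function example_theme_customize_register( WP_Customize_Manager $wp_customize ) {
	$wp_customize->add_setting( 'favicon_url', array(
		'default'           => '',
		'sanitize_callback' => 'esc_url_raw',
	) );
	$wp_customize->add_control( 'favicon_url', array(
		'label'   => 'Favicon URL',
		'section' => 'title_tagline',
		'type'    => 'url',
	) );
}
add_action( 'customize_register', 'example_theme_customize_register' );

// 2. Escape again at the moment of output, regardless of what was stored.
//    esc_url() entity-encodes &, ", < and > so the value cannot break out
//    of the href attribute, and re-checks the protocol allow-list. A value
//    that reached the database some other way (import, direct SQL, a
//    plugin filter, an older theme version without the sanitize callback)
//    is still neutralised here, which is why the output escape is not
//    redundant with the input sanitization.
function example_theme_print_favicon() {
	$favicon = get_theme_mod( 'favicon_url', '' );
	if ( '' === $favicon ) {
		return;
	}
	printf( '<link rel="icon" href="%s">' . "\n", esc_url( $favicon ) );
}
add_action( 'wp_head', 'example_theme_print_favicon' );
```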