[theme-reviewers] use of esc_url

Srikanth Koneru tskk79 at gmail.com
Fri Oct 3 15:04:09 UTC 2014


Probably a good time to ask which function I should use to escape the color
value I get from the customizer via get_theme_mod?
Should I simply reuse sanitize_hex_color?

On Fri, Oct 3, 2014 at 7:41 PM, priyanshu mittal <priyanshu.mittal at gmail.com
> wrote:

> Hi Ulrich
>
>
> Thanks for the answer. I will ask users to do this as a required one.
>
> Thanks
> Priyanshu
>
> On Fri, Oct 3, 2014 at 7:39 PM, Ulrich Pogson <grapplerulrich at gmail.com>
> wrote:
>
>> It is required to escape all data before being outputted anywhere in the
>> theme. Security is the top priority.
>>
>> On 3 October 2014 15:51, priyanshu mittal <priyanshu.mittal at gmail.com>
>> wrote:
>>
>>> Here is my ticket url: https://themes.trac.wordpress.org/ticket/21002
>>>
>>> I have already sanitized the favicon url before saving it to the
>>> database.
>>>
>>> My question is: do I still need to call esc_url while outputting it in
>>> the HTML? Is this required or recommended?
>>>
>>> The main reason I am asking is because recently I am also reviewing a
>>> theme which has similar type of code format.
>>>
>>> So required or recommended?
>>>
>>>
>>> Thanks
>>> Priyanshu
>>>
>>>
>>>
>>> On Fri, Oct 3, 2014 at 6:57 PM, Justin Tadlock <justin at justintadlock.com
>>> > wrote:
>>>
>>>> We would never have anything so specific as to use `esc_url()` in the
>>>> guidelines.  You'd need to use the most appropriate function for the job.
>>>> If dealing with URLs, `esc_url()` will usually be your best bet.  Questions
>>>> such as this are better handled by looking at the specific case though.
>>>> Generic answers/solutions are rarely a good idea when talking about
>>>> sanitizing, validating, and/or escaping.
>>>>
>>>> Here's the guideline:
>>>>
>>>> "Themes are required to validate and sanitize all untrusted data before
>>>> entering data into the database, and to escape all untrusted data before
>>>> being output in the Settings form fields or in the Theme template files
>>>> (see: Data Validation)"
>>>>
>>>> See:
>>>> https://make.wordpress.org/themes/handbook/guidelines/theme-security-and-privacy/
>>>>
>>>> On Fri, Oct 3, 2014 at 8:04 AM, priyanshu mittal <
>>>> priyanshu.mittal at gmail.com> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> Is it mandatory to use esc_url in themes? If yes, can you provide
>>>>> me the link where it has been mentioned.
>>>>>
>>>>> Thanks
>>>>> Priyanshu
>>>>>
>>>>> _______________________________________________
>>>>> theme-reviewers mailing list
>>>>> theme-reviewers at lists.wordpress.org
>>>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>>>
>>>>>
>>>>
>>>
>>
>
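Putting the thread's answer into code, as an added example that is not from any of the posters, the ticket or the handbook: a theme that sanitizes a favicon URL and a hex color when the Customizer saves them (the "validate and sanitize before entering data into the database" half of the guideline) and still escapes both when they are printed (the "escape all untrusted data before being output" half). The `mytheme_` prefix, the setting names and the default color are assumptions. One caveat the thread does not mention: core defines `sanitize_hex_color()` in the Customizer manager class file, which WordPress only loads while the Customizer is active, so a template should not call it on the front end without a fallback; the example uses a small local equivalent with the same contract instead.

```php
<?php
/**
 * Added example, not from the mailing-list thread or the ticket.
 * Assumed names: mytheme_favicon, mytheme_accent_color, the "mytheme" text domain.
 */

// --- functions.php: sanitize before the value reaches the database ---

/**
 * Accepts "#rgb" or "#rrggbb", returns '' for anything else (same contract as
 * core's sanitize_hex_color(), which is not guaranteed to be loaded on the front end).
 */
function mytheme_sanitize_hex_color( $color ) {
    if ( '' === $color ) {
        return '';
    }
    if ( preg_match( '/^#([A-Fa-f0-9]{3}){1,2}$/', $color ) ) {
        return $color;
    }
    return '';
}

function mytheme_customize_register( $wp_customize ) {
    $wp_customize->add_setting( 'mytheme_favicon', array(
        'default'           => '',
        'sanitize_callback' => 'esc_url_raw', // storage form: validated URL, no HTML encoding
    ) );
    $wp_customize->add_control( new WP_Customize_Image_Control( $wp_customize, 'mytheme_favicon', array(
        'label'   => __( 'Favicon', 'mytheme' ),
        'section' => 'title_tagline',
    ) ) );

    $wp_customize->add_setting( 'mytheme_accent_color', array(
        'default'           => '#0073aa', // assumed default
        'sanitize_callback' => 'mytheme_sanitize_hex_color',
    ) );
    $wp_customize->add_control( new WP_Customize_Color_Control( $wp_customize, 'mytheme_accent_color', array(
        'label'   => __( 'Accent color', 'mytheme' ),
        'section' => 'colors',
    ) ) );
}
add_action( 'customize_register', 'mytheme_customize_register' );

// --- header output: escape on output, regardless of what happened on save ---

// Before: trusts the stored value. Anything that writes the theme mod without going
// through the Customizer callback (a plugin, WP-CLI, an importer, a direct database
// edit) then controls the markup of every page:
//   echo '<link rel="icon" href="' . get_theme_mod( 'mytheme_favicon' ) . '">';
//   echo '<style>a { color: ' . get_theme_mod( 'mytheme_accent_color' ) . '; }</style>';

// After: escape with the function that matches the output context.
function mytheme_print_head_assets() {
    $favicon = get_theme_mod( 'mytheme_favicon', '' );
    if ( $favicon ) {
        // esc_url() drops URLs with a protocol outside the allowed list
        // (so javascript: is rejected) and encodes the rest for an HTML attribute.
        echo '<link rel="icon" href="' . esc_url( $favicon ) . '">' . "\n";
    }

    // Re-validate the color on output, then escape it: a stored value that is not
    // a hex color falls back to the default instead of being echoed into the CSS.
    $color = mytheme_sanitize_hex_color( get_theme_mod( 'mytheme_accent_color', '#0073aa' ) );
    if ( '' === $color ) {
        $color = '#0073aa';
    }
    echo '<style>a { color: ' . esc_attr( $color ) . '; }</style>' . "\n";
}
add_action( 'wp_head', 'mytheme_print_head_assets' );
```

The split between `esc_url_raw()` on save and `esc_url()` on output is deliberate: the raw form is what belongs in the database, and the encoded form is only correct for the HTML attribute it is printed into. The color goes through the same validator twice because the sanitize callback only runs on the Customizer's save path, so the template treats `get_theme_mod()` as untrusted input either way.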