[theme-reviewers] use of esc_url

Srikanth Koneru tskk79 at gmail.com
Fri Oct 3 15:56:12 UTC 2014


Color value will be used within <style></style>

On Fri, Oct 3, 2014 at 9:18 PM, Otto <otto at ottodestruct.com> wrote:

> Maybe, maybe not. Depends on how and where it's being used.
>
> Sanitizing or validating values on input is to make sure that the input is
> what you expect. If it's a hex color, then you want it to fit the pattern
> of a hex color, so that's why the sanitize_hex_color() function exists.
>
> But when you're putting it back in a document, as output, then you're not
> verifying what the value is, but actually making sure that it is properly
> escaped for the context in which you are outputting it. If you were
> outputting it to an HTML attribute, then you'd actually want to use
> esc_attr(). If you were putting it in a URL (maybe as a query parameter
> appended on the end of it), then the whole URL should be passed through
> esc_url(). If it's going into some javascript, then esc_js() perhaps.
>
> Remember, you're not concerned with what it "is" when creating the output,
> but more with where that output is going to be located.
>
> -Otto
>
>
>
> On Fri, Oct 3, 2014 at 10:38 AM, Ulrich Pogson <grapplerulrich at gmail.com>
> wrote:
>
>> Yes, that would make sense to reuse sanitize_hex_color()
>> <https://github.com/WordPress/WordPress/blob/master/wp-includes/class-wp-customize-manager.php#L1221>.
>>
>> On 3 October 2014 17:04, Srikanth Koneru <tskk79 at gmail.com> wrote:
>>
>>> Probably good time to ask which function should I use to esc the color
>>> value I get from customizer via get_theme_mod?
>>> Should I simply reuse the sanitize_hex_color?
>>>
>>> On Fri, Oct 3, 2014 at 7:41 PM, priyanshu mittal <
>>> priyanshu.mittal at gmail.com> wrote:
>>>
>>>> Hi Ulrich
>>>>
>>>>
>>>> Thanks for the answer. I will ask users to do this as a required one.
>>>>
>>>> Thanks
>>>> Priyanshu
>>>>
>>>> On Fri, Oct 3, 2014 at 7:39 PM, Ulrich Pogson <grapplerulrich at gmail.com>
>>>> wrote:
>>>>
>>>>> It is required to escape all data before being outputted anywhere in
>>>>> the theme. Security is the top priority.
>>>>>
>>>>> On 3 October 2014 15:51, priyanshu mittal <priyanshu.mittal at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Here is my ticket url: https://themes.trac.wordpress.org/ticket/21002
>>>>>>
>>>>>> I have already sanitized the favicon url before saving it to the
>>>>>> database.
>>>>>>
>>>>>> My question is: do I still need to call esc_url while outputting it
>>>>>> in the HTML? Is this required or recommended?
>>>>>>
>>>>>> The main reason I am asking is because recently I am also reviewing a
>>>>>> theme which has similar type of code format.
>>>>>>
>>>>>> So required or recommended?
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>> Priyanshu
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Oct 3, 2014 at 6:57 PM, Justin Tadlock <
>>>>>> justin at justintadlock.com> wrote:
>>>>>>
>>>>>>> We would never have anything so specific as to use `esc_url()` in
>>>>>>> the guidelines.  You'd need to use the most appropriate function for the
>>>>>>> job.  If dealing with URLs, `esc_url()` will usually be your best bet.
>>>>>>> Questions such as this are better handled by looking at the specific case
>>>>>>> though.  Generic answers/solutions are rarely a good idea when talking
>>>>>>> about sanitizing, validating, and/or escaping.
>>>>>>>
>>>>>>> Here's the guideline:
>>>>>>>
>>>>>>> "Themes are required to validate and sanitize all untrusted data
>>>>>>> before entering data into the database, and to escape all untrusted data
>>>>>>> before being output in the Settings form fields or in the Theme template
>>>>>>> files (see: Data Validation)"
>>>>>>>
>>>>>>> See:
>>>>>>> https://make.wordpress.org/themes/handbook/guidelines/theme-security-and-privacy/
>>>>>>>
>>>>>>> On Fri, Oct 3, 2014 at 8:04 AM, priyanshu mittal <
>>>>>>> priyanshu.mittal at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> Is it mandatory to use esc_url in themes? If yes, can you
>>>>>>>> provide me the link where it has been mentioned.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Priyanshu
>>>>>>>>
>>>>>>>
>
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
>
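The context-based escaping Otto describes, worked through for the two values discussed in this thread (a Customizer color used inside a `<style>` block and a favicon URL used in an `href`), as an added example that is not part of the thread or of any reviewed theme. It is written for a WordPress theme's functions.php; the setting names `example_accent_color` and `example_favicon`, the handle `example-style` and the default color are assumed. The point it illustrates: sanitize_hex_color() validates on input, and since WordPress has no esc_css(), the same strict validation is repeated right before the value reaches the stylesheet, while the attribute and URL contexts get esc_attr() and esc_url() even though the stored values were already sanitized.

```php
<?php
/**
 * Added example (not from the thread): one Customizer color setting and one
 * favicon URL setting, sanitized on input and escaped per output context.
 * Assumes it runs from a theme's functions.php; the setting names, the
 * style handle and the default color '#0073aa' are hypothetical.
 */

// Input side: the sanitize_callback runs before the value is stored.
add_action( 'customize_register', function ( $wp_customize ) {
    $wp_customize->add_setting( 'example_accent_color', array(
        'default'           => '#0073aa',
        'sanitize_callback' => 'sanitize_hex_color', // rejects anything that is not #rgb or #rrggbb
    ) );
    $wp_customize->add_control( new WP_Customize_Color_Control(
        $wp_customize, 'example_accent_color', array(
            'label'   => 'Accent color',
            'section' => 'colors',
        )
    ) );

    $wp_customize->add_setting( 'example_favicon', array(
        'default'           => '',
        'sanitize_callback' => 'esc_url_raw', // cleaned URL for storage, no entity encoding
    ) );
    $wp_customize->add_control( new WP_Customize_Image_Control(
        $wp_customize, 'example_favicon', array(
            'label'   => 'Favicon',
            'section' => 'title_tagline',
        )
    ) );
} );

// Output side, context 1: a value going into a <style> block.
// There is no esc_css(); the safe move is to re-validate the value against the
// strict hex-color pattern right before output and fall back to the default
// if it does not match, so nothing but '#' and hex digits can reach the CSS.
function example_accent_color_for_css() {
    $color = get_theme_mod( 'example_accent_color', '#0073aa' );
    // The thread links sanitize_hex_color() in class-wp-customize-manager.php,
    // so do not assume it is loaded on the front end; use the same pattern
    // as a fallback.
    if ( function_exists( 'sanitize_hex_color' ) ) {
        $color = sanitize_hex_color( $color ); // '' or null when invalid
    } elseif ( ! preg_match( '/^#([A-Fa-f0-9]{3}){1,2}$/', $color ) ) {
        $color = null;
    }
    return $color ? $color : '#0073aa';
}

add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_style( 'example-style', get_stylesheet_uri() );
    $css = 'a { color: ' . example_accent_color_for_css() . '; }';
    wp_add_inline_style( 'example-style', $css );
} );

// Output side, context 2: the same color inside an HTML attribute -> esc_attr().
function example_accent_style_attr() {
    return 'style="color:' . esc_attr( example_accent_color_for_css() ) . '"';
}

// Output side, context 3: the favicon URL inside href -> esc_url(), even though
// esc_url_raw() already ran when the value was saved.
add_action( 'wp_head', function () {
    $favicon = get_theme_mod( 'example_favicon', '' );
    if ( $favicon ) {
        echo '<link rel="icon" href="' . esc_url( $favicon ) . '">' . "\n";
    }
} );
```

The two halves are deliberately redundant: input sanitization protects the database from bad data, output escaping protects the document from a value that was stored before the sanitize callback existed, was written by another plugin, or was edited directly in the options table. Dropping either half is what the guideline quoted above is written to prevent.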