[theme-reviewers] use of esc_url

Zack Tollman tollmanz at gmail.com
Fri Oct 3 16:08:26 UTC 2014


One thing to note with `sanitize_hex_color()` is that it is only available
when the Customizer is loaded. You cannot use it outside of that context
because the file that contains the function definition is not loaded.

On Fri, Oct 3, 2014 at 8:56 AM, Srikanth Koneru <tskk79 at gmail.com> wrote:

> Color value will be used within <style></style>
>
> On Fri, Oct 3, 2014 at 9:18 PM, Otto <otto at ottodestruct.com> wrote:
>
>> Maybe, maybe not. Depends on how and where it's being used.
>>
>> Sanitizing or validating values on input is to make sure that the input
>> is what you expect. If it's a hex color, then you want it to fit the
>> pattern of a hex color, so that's why the sanitize_hex_color() function
>> exists.
>>
>> But when you're putting it back in a document, as output, then you're
>> not verifying what the value is, but actually making sure that it is
>> properly escaped for the context in which you are outputting it. If you
>> were outputting it to an HTML attribute, then you'd actually want to use
>> esc_attr(). If you were putting it in a URL (maybe as a query parameter
>> appended on the end of it), then the whole URL should be passed through
>> esc_url(). If it's going into some javascript, then esc_js() perhaps.
>>
>> Remember, you're not concerned with what it "is" when creating the
>> output, but more with where that output is going to be located.
>>
>> -Otto
>>
>>
>>
>> On Fri, Oct 3, 2014 at 10:38 AM, Ulrich Pogson <grapplerulrich at gmail.com>
>> wrote:
>>
>>> Yes, that would make sense, to reuse sanitize_hex_color()
>>> <https://github.com/WordPress/WordPress/blob/master/wp-includes/class-wp-customize-manager.php#L1221>.
>>>
>>> On 3 October 2014 17:04, Srikanth Koneru <tskk79 at gmail.com> wrote:
>>>
>>>> Probably a good time to ask which function I should use to esc the color
>>>> value I get from the customizer via get_theme_mod?
>>>> Should I simply reuse sanitize_hex_color?
>>>>
>>>> On Fri, Oct 3, 2014 at 7:41 PM, priyanshu mittal <
>>>> priyanshu.mittal at gmail.com> wrote:
>>>>
>>>>> Hi Ulrich
>>>>>
>>>>>
>>>>> Thanks for the answer. I will ask users to do this as a required one.
>>>>>
>>>>> Thanks
>>>>> Priyanshu
>>>>>
>>>>> On Fri, Oct 3, 2014 at 7:39 PM, Ulrich Pogson <
>>>>> grapplerulrich at gmail.com> wrote:
>>>>>
>>>>>> It is required to escape all data before being outputted anywhere in
>>>>>> the theme. Security is the top priority.
>>>>>>
>>>>>> On 3 October 2014 15:51, priyanshu mittal <priyanshu.mittal at gmail.com
>>>>>> > wrote:
>>>>>>
>>>>>>> Here is my ticket url:
>>>>>>> https://themes.trac.wordpress.org/ticket/21002
>>>>>>>
>>>>>>> I have already sanitized the favicon url before saving it to the
>>>>>>> database.
>>>>>>>
>>>>>>> My question is: do I still need to call esc_url while outputting
>>>>>>> it in the HTML? Is this required or recommended?
>>>>>>>
>>>>>>> The main reason I am asking is because recently I am also reviewing
>>>>>>> a theme which has similar type of code format.
>>>>>>>
>>>>>>> So required or recommended?
>>>>>>>
>>>>>>>
>>>>>>> Thanks
>>>>>>> Priyanshu
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Oct 3, 2014 at 6:57 PM, Justin Tadlock <
>>>>>>> justin at justintadlock.com> wrote:
>>>>>>>
>>>>>>>> We would never have anything so specific as to use `esc_url()` in
>>>>>>>> the guidelines.  You'd need to use the most appropriate function for the
>>>>>>>> job.  If dealing with URLs, `esc_url()` will usually be your best bet.
>>>>>>>> Questions such as this are better handled by looking at the specific case
>>>>>>>> though.  Generic answers/solutions are rarely a good idea when talking
>>>>>>>> about sanitizing, validating, and/or escaping.
>>>>>>>>
>>>>>>>> Here's the guideline:
>>>>>>>>
>>>>>>>> "Themes are required to validate and sanitize all untrusted data
>>>>>>>> before entering data into the database, and to escape all untrusted data
>>>>>>>> before being output in the Settings form fields or in the Theme template
>>>>>>>> files (see: Data Validation)"
>>>>>>>>
>>>>>>>> See:
>>>>>>>> https://make.wordpress.org/themes/handbook/guidelines/theme-security-and-privacy/
>>>>>>>>
>>>>>>>> On Fri, Oct 3, 2014 at 8:04 AM, priyanshu mittal <
>>>>>>>> priyanshu.mittal at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> Is it mandatory to use esc_url in themes? If yes, can you
>>>>>>>>> provide me the link where it has been mentioned.
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> Priyanshu
>>>>>>>>>
>>>>>>>>
>>
>> _______________________________________________
>> theme-reviewers mailing list
>> theme-reviewers at lists.wordpress.org
>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>
>>
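The pattern the thread converges on, "sanitize on input, escape for the output context", as an added example that is not code from the thread or from WordPress core. It assumes a theme's functions.php; the theme_mod names `mytheme_accent_color` and `mytheme_favicon` are hypothetical. Because `sanitize_hex_color()` is only guaranteed to be loaded inside the Customizer (Zack's point above), the sanitizer checks for it and otherwise applies the same three-or-six-hex-digit rule itself; at output time the colour is re-validated rather than passed through an HTML escaper, since `<style>` is a CSS context that `esc_attr()`/`esc_html()` do not address, while the favicon URL goes through `esc_url()` for the `href` attribute and the colour handed to JavaScript goes through `esc_js()`.

```php
<?php
/**
 * Added example (not from the thread or WordPress core).
 * Assumes: a theme's functions.php; theme_mod names below are hypothetical.
 */

// INPUT: accept only the exact shape we expect ('#' + 3 or 6 hex digits).
// sanitize_hex_color() may be undefined outside the Customizer, so guard it
// and fall back to the same rule implemented locally.
function mytheme_sanitize_hex_color( $color ) {
	if ( function_exists( 'sanitize_hex_color' ) ) {
		$clean = sanitize_hex_color( $color ); // returns null on a bad value
		return $clean ? $clean : '';
	}
	return preg_match( '/^#([A-Fa-f0-9]{3}){1,2}$/', (string) $color ) ? $color : '';
}

function mytheme_customize_register( $wp_customize ) {
	$wp_customize->add_setting( 'mytheme_accent_color', array(
		'default'           => '#0073aa',
		'sanitize_callback' => 'mytheme_sanitize_hex_color',
	) );
	$wp_customize->add_setting( 'mytheme_favicon', array(
		'default'           => '',
		// Store a cleaned URL (esc_url_raw), not one escaped for HTML display.
		'sanitize_callback' => 'esc_url_raw',
	) );
}
add_action( 'customize_register', 'mytheme_customize_register' );

// OUTPUT: escape for where the value lands, regardless of how it was stored.
function mytheme_print_head_assets() {
	$color   = get_theme_mod( 'mytheme_accent_color', '#0073aa' );
	$favicon = get_theme_mod( 'mytheme_favicon', '' );

	// CSS context inside <style>: no esc_css() exists, so re-validate the
	// shape and drop anything that is not a hex colour instead of echoing it.
	$color = mytheme_sanitize_hex_color( $color );
	if ( '' !== $color ) {
		echo "<style>a { color: {$color}; }</style>\n";
	}

	// HTML attribute context holding a URL: esc_url() for the href value.
	if ( '' !== $favicon ) {
		printf( '<link rel="icon" href="%s">' . "\n", esc_url( $favicon ) );
	}
}
add_action( 'wp_head', 'mytheme_print_head_assets' );

// JavaScript context: the same colour inside a JS string literal uses esc_js().
function mytheme_print_inline_js() {
	$color = mytheme_sanitize_hex_color( get_theme_mod( 'mytheme_accent_color', '#0073aa' ) );
	echo "<script>var mythemeAccent = '" . esc_js( $color ) . "';</script>\n";
}
add_action( 'wp_footer', 'mytheme_print_inline_js' );
```

The same stored value is emitted three times, each with the escaper (or re-validation) matching its destination; a value that was sanitized on save but later altered in the database (a plugin, a migration, direct SQL) is still caught at output, which is why the guideline quoted above treats escaping on output as required rather than redundant.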