[theme-reviewers] use of esc_url

Otto otto at ottodestruct.com
Fri Oct 3 16:30:05 UTC 2014


On Fri, Oct 3, 2014 at 10:56 AM, Srikanth Koneru <tskk79 at gmail.com> wrote:

> Color value will be used within <style></style>
>

In that case, since we don't have a specific esc_css(), then I'd say that
the most appropriate thing to use would probably be esc_html(). That will
protect against malicious code such as </style> being used to close the
style block. It also escapes quotes, so the output can't change your
quoting and mess with later elements of the css.

Make sure that you only use it on the value itself though, not the entire
CSS block, because esc_html() escapes quotes into &quot;.

-Otto
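An added example (not code from the thread or from any theme) of the pattern Otto describes, assuming a Customizer theme mod stored under the hypothetical key 'accent_color':

```php
<?php
/**
 * Added example, not from the original thread. Prints a user-controlled
 * colour inside an inline <style> block. Assumes the theme stores the
 * colour as a theme mod under the hypothetical key 'accent_color'.
 */
function mytheme_accent_css() {
    $color = get_theme_mod( 'accent_color', '#0073aa' );

    // Escape the VALUE only, at output time. esc_html() turns < > & " '
    // into entities, so a stored value can neither close the <style>
    // element early nor alter the quoting of the rules that follow it.
    // (Validating on save with sanitize_hex_color() is an extra layer the
    // thread does not discuss; it is not a substitute for output escaping.)
    ?>
    <style id="mytheme-accent">
        a { color: <?php echo esc_html( $color ); ?>; }
        .site-title a:hover { color: <?php echo esc_html( $color ); ?>; }
    </style>
    <?php
}
add_action( 'wp_head', 'mytheme_accent_css' );

// The caveat from the reply: do NOT escape the whole CSS block. The
// legitimate quotes inside the stylesheet (here the font-family string)
// are printed as &quot; and the rule no longer parses.
function mytheme_accent_css_wrong() {
    $color = get_theme_mod( 'accent_color', '#0073aa' );
    $css   = 'body { font-family: "Open Sans", sans-serif; color: ' . $color . '; }';
    echo '<style>' . esc_html( $css ) . '</style>'; // font-family: &quot;Open Sans&quot;, ...
}
```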