Data Validation issues

wordpress
item-feedback

#1

Hello!

My theme has a recurrent review. I don't understand what Themeforest wants.

The reviewer sent this:

  1. Data Validation issues have been found in your theme. All dynamic data must be correctly escaped for the context where it is rendered.
     - All dynamic data must be escaped with esc_attr() before being rendered in an HTML attribute.
     - Whenever you are rendering a URL to the screen, its value must be passed through esc_url() first.
     - If dynamic data is rendered inside an attribute that triggers a JavaScript event, it must be escaped with esc_js().

For examples (and there are more): http://envato.d.pr/tSEq/48VD1qgQ

The problem is that I already escape the data coming from the back office and from users… but in my opinion some variables don't need to be escaped.

Here is a simplified example:

    <?php
    $submenu_text = '';
    if ( 0 == $depth ) {
        $submenu_text = 'style="display: none;"';
    }
    ?>
    <span <?php echo $submenu_text; ?>>

So in this example there is no dynamic data. Am I nevertheless supposed to protect it with esc_html, esc_js, etc.? Because the TF reviewer doesn't want to check specifically whether a variable is dynamic data or not.

Thanks.


#2

Hey Mcurly,

Try in this way: echo esc_attr( $submenu_text );
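
The reviewer's rules quoted in the first post amount to one principle: escape each value for the exact context it is rendered into, at the point of output. The following is an added example written for this page, not code from the thread, from the gist or from ThemeForest. render_menu_item(), the track() JavaScript function and the $sample item are hypothetical, and the function_exists() stand-ins are simplified imitations only so the file runs outside WordPress; inside a theme, WordPress's own esc_* functions are used instead. It also shows the catch in the snippet from the question: WordPress's esc_attr() encodes double quotes as &quot;, so passing the whole 'style="display: none;"' string through it produces an attribute the browser cannot parse. The attribute has to stay in the template and only the value inside it gets escaped.

```php
<?php
// Added example (not from the thread). Stand-ins so this runs outside WordPress;
// they imitate the WordPress functions' behaviour only as far as this demo needs.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    // Stand-in: drop URLs with a scheme other than http/https, then attribute-encode.
    function esc_url( $url ) {
        $url = trim( (string) $url );
        if ( preg_match( '#^[a-z][a-z0-9+.-]*:#i', $url ) && ! preg_match( '#^https?:#i', $url ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_js' ) ) {
    // Stand-in for a single-quoted JS string inside an HTML event attribute.
    function esc_js( $text ) {
        $text = htmlspecialchars( (string) $text, ENT_COMPAT, 'UTF-8' );
        return str_replace( "\n", '\n', addslashes( str_replace( "\r", '', $text ) ) );
    }
}

// Escaping the whole 'style="..."' string: esc_attr() turns the quotes into
// &quot;, so the browser never sees a valid style attribute.
function span_whole_attribute_escaped( $depth ) {
    $submenu_text = ( 0 == $depth ) ? 'style="display: none;"' : '';
    return '<span ' . esc_attr( $submenu_text ) . '>';
}

// Keep the attribute in the template and escape only the value inside it.
// This satisfies the "every echo is escaped" check without breaking the markup.
function span_value_escaped( $depth ) {
    $style = ( 0 == $depth ) ? 'display: none;' : '';
    return '<span style="' . esc_attr( $style ) . '">';
}

// One menu item rendered with a different escaper per context.
// $item is a hypothetical array: 'id', 'title' and 'url' come from the database
// or from user input, so all three are treated as untrusted.
function render_menu_item( array $item, $depth ) {
    $style = ( 0 == $depth ) ? 'display: none;' : '';

    $html  = '<li id="menu-item-' . esc_attr( $item['id'] ) . '"';       // plain attribute
    $html .= ' style="' . esc_attr( $style ) . '"';                       // attribute value
    $html .= ' onclick="track(\'' . esc_js( $item['title'] ) . '\')">';  // JS event attribute
    $html .= '<a href="' . esc_url( $item['url'] ) . '">';               // URL attribute
    $html .= esc_html( $item['title'] );                                  // text node
    $html .= '</a></li>';
    return $html;
}

// Constructed sample input that attacks all three contexts at once.
$sample = array(
    'id'    => 42,
    'title' => "Home'); alert(1); //<img src=x onerror=alert(1)>",
    'url'   => 'javascript:alert(1)',
);

echo span_whole_attribute_escaped( 0 ), "\n";
echo span_value_escaped( 0 ), "\n";
echo render_menu_item( $sample, 0 ), "\n";
```

Run it with plain php from the command line to compare the two span variants, or drop the three functions into a theme where the real WordPress escapers take over. The choice of escaper follows the destination, not the origin of the value: the same title is passed through esc_js() for the event attribute and through esc_html() for the link text, and esc_url() discards the javascript: URL entirely instead of encoding it.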


#4

Thanks for your reply, but I know how to escape data. The problem is: why should I escape data that is NOT dynamic?

For example:

    $var = 1;
    echo $var;

And TF tells me $var is not escaped :confused: Is that normal?


#5

Well, you're right, but they do a global search for echo $; they do not have time to check whether that variable is dynamic or static, just whether the variable is being escaped or not. I escape almost everything myself, except the WordPress functions, which are already escaped inside the function.

Validating, Sanitizing and Escaping User Data

Cheers


#6

Thanks for your reply.
OK, I understand better now why they send it again and again. I will escape every rendered variable.

Cheers.


#7

I don't know what text editor you use, but search your whole theme for "echo $" … and every result must be escaped with esc_html or esc_attr.


#8

Yes it’s exactly what I’m doing, I use Aptana as editor.

Another question: what am I supposed to do when I want to output HTML?
I have some functions that output HTML. For example, this function that I reused in my theme: https://gist.github.com/Dimox/5654092

I thought about "wp_kses", but I think TF does not allow this function :confounded:


#9

I use it in one place in my theme and they have never rejected the theme because of it. In some cases you can also use strip_tags to allow some HTML tags.
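
An added example for the last two posts, written for this page rather than taken from the thread or from the linked gist: how to output HTML from a theme function through an allow-list, and why strip_tags() is a weaker tool than it looks. theme_html_allowed_tags(), theme_safe_html(), strip_tags_version() and the $sample markup are hypothetical. wp_kses() exists only inside WordPress; outside it the function below escapes everything rather than emitting raw markup, so the file still runs on plain PHP. The point about strip_tags() is a property of PHP, not of WordPress: given a list of allowed tags it keeps every attribute on those tags, so an injected onclick survives, whereas wp_kses() keeps only the attributes the allow-list names and also strips disallowed URL schemes such as javascript: from href values.

```php
<?php
// Added example (not from the thread). Runs inside WordPress with wp_kses();
// on plain PHP it falls back to escaping everything instead of guessing.

// Allow-list: each tag maps to the attributes it may carry. Tags or attributes
// not listed here (script, onclick, onerror, style, ...) are removed by wp_kses().
function theme_html_allowed_tags() {
    return array(
        'a'      => array( 'href' => true, 'title' => true, 'class' => true ),
        'span'   => array( 'class' => true ),
        'ul'     => array( 'class' => true ),
        'li'     => array( 'class' => true ),
        'em'     => array(),
        'strong' => array(),
    );
}

// Sanitize a fragment of HTML a theme function has built (for example breadcrumbs).
// Call this at output time: echo theme_safe_html( $crumbs );
function theme_safe_html( $html ) {
    if ( function_exists( 'wp_kses' ) ) {
        return wp_kses( (string) $html, theme_html_allowed_tags() );
    }
    // Not running inside WordPress: fail closed and escape the whole string.
    return htmlspecialchars( (string) $html, ENT_QUOTES, 'UTF-8' );
}

// The strip_tags() alternative mentioned in the reply above. It removes tags
// that are not listed, but keeps every attribute on the tags it keeps.
function strip_tags_version( $html ) {
    return strip_tags( (string) $html, '<a><span><ul><li>' );
}

// Constructed sample: breadcrumb markup with an injected event handler,
// a javascript: link and a script tag, as an attacker-controlled title might produce.
$sample = '<span class="sep">/</span> '
        . '<a href="/about/" onclick="alert(1)">About</a> '
        . '<a href="javascript:alert(2)">Team</a>'
        . '<script>alert(3)</script>';

echo "strip_tags: ", strip_tags_version( $sample ), "\n";
echo "allow-list: ", theme_safe_html( $sample ), "\n";
```

wp_kses() is for markup you intentionally allow; a value that should carry no markup at all still goes through esc_html(). When a custom list is not needed, wp_kses_post() applies the allow-list WordPress itself uses for post content.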