My theme has a recurrent review. I don’t understand what ThemeForest wants.
The reviewer sent this:
Data Validation issues have been found in your theme. All dynamic data must be correctly escaped for the context where it is rendered.
- All dynamic data must be escaped with esc_attr() before being rendered in an HTML attribute.
- Whenever you are rendering a URL to the screen, its value must be passed through esc_url() first.
- If dynamic data is rendered inside an attribute that triggers a JavaScript event, it must be escaped with esc_js().
The problem is that I already escape data from the back office and from users… but in my opinion some variables don’t need to be escaped.
Here is a simplified example:
<?php
$submenu_text = '';
if ( 0 == $depth ) {
    $submenu_text = 'style="display: none;"';
}
?>
<span <?php echo $submenu_text; ?>>
So in this example there is no dynamic data. Am I nevertheless supposed to protect it with esc_html, esc_js…? Because the TF reviewer doesn’t want to check specifically whether a variable is dynamic data or not.
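As an added example (not code from the post above or from any ThemeForest reviewer), here is the same span rewritten so that each value is escaped for the context it lands in. It assumes it runs inside a WordPress theme, where esc_attr(), esc_url(), esc_js() and esc_html() are defined; the menu-item values and the trackClick() JavaScript function are constructed for illustration. The key change is structural: the attribute name and its quotes stay in the markup, and only the attribute value goes through esc_attr(), because escaping a string that already contains quotes (as the original $submenu_text does) would mangle the attribute instead of protecting it.

```php
<?php
/**
 * Added example, not from the forum post. Assumes a WordPress theme context
 * where esc_attr(), esc_url(), esc_js() and esc_html() exist.
 * All values below are constructed for illustration.
 */

// Constructed inputs, as a custom nav walker or template part might receive them.
$depth     = 0;
$item_url  = 'https://example.com/about?ref=nav';
$item_name = 'About <us>';

// Build only the attribute VALUE, never a whole attribute with its own quotes.
// Then esc_attr() can encode quotes/angle brackets inside the value without
// breaking the surrounding markup.
$style = ( 0 === $depth ) ? 'display: none;' : '';
?>
<span class="submenu" style="<?php echo esc_attr( $style ); ?>">
    <?php /* URL context: esc_url() returns an empty string for a protocol it does not allow. */ ?>
    <a href="<?php echo esc_url( $item_url ); ?>"
       <?php /* Event-handler attribute: esc_js() is meant for single-quoted JS strings
                inside inline handlers such as onclick; trackClick() is a hypothetical
                function used only to illustrate the context. */ ?>
       onclick="trackClick('<?php echo esc_js( $item_name ); ?>'); return true;">
        <?php /* Text-node context: esc_html() renders "<us>" literally instead of as a tag. */ ?>
        <?php echo esc_html( $item_name ); ?>
    </a>
</span>
```

With this layout a global search for "echo $" finds every echo wrapped in an escaping function, and the escaping is harmless when the value happens to be static: esc_attr( 'display: none;' ) returns the string unchanged.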
Well, you’re right, but they do a global search for echo $; they do not have time to see whether that variable is dynamic or static, they just check whether the variable is being escaped or not. I escape almost everything myself, except the WordPress functions; those are already escaped inside the function.
Yes, that’s exactly what I’m doing; I use Aptana as my editor.
Another question: how am I supposed to do it when I want to output HTML?
I have some functions that use HTML. For example, this function that I reused in my theme: https://gist.github.com/Dimox/5654092
I thought about “wp_kses” but I think TF does not allow this function.
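As an added example (not code from the thread or from the linked gist), here is one way a theme function can build HTML while still escaping every value, and how wp_kses() and wp_kses_post() restrict an HTML fragment to an explicit allowlist. It assumes it is loaded inside a WordPress theme, where wp_kses(), wp_kses_post(), esc_url() and esc_html() are defined; the function names mytheme_social_links() and mytheme_kses_social() are hypothetical, and the input data is constructed for illustration.

```php
<?php
/**
 * Added example, not from the thread or the linked gist. Assumes a WordPress
 * theme context where wp_kses(), wp_kses_post(), esc_url() and esc_html()
 * exist. Function names are hypothetical; inputs are constructed.
 */

/**
 * Build a list of social links. The HTML skeleton is written here by the
 * theme; only the values that came from outside (label, URL) are escaped,
 * each for its own context.
 */
function mytheme_social_links( array $links ) {
    $html = '<ul class="social">';
    foreach ( $links as $label => $url ) {
        $html .= sprintf(
            '<li><a href="%s" rel="noopener">%s</a></li>',
            esc_url( $url ),   // attribute holding a URL
            esc_html( $label ) // text node
        );
    }
    return $html . '</ul>';
}

/**
 * Allow only the tags and attributes this fragment legitimately uses.
 * wp_kses() strips everything else, including event-handler attributes,
 * so even if the fragment were assembled from a theme option it cannot
 * carry a script into the page.
 */
function mytheme_kses_social( $html ) {
    $allowed = array(
        'ul' => array( 'class' => true ),
        'li' => array(),
        'a'  => array( 'href' => true, 'rel' => true, 'title' => true ),
    );
    return wp_kses( $html, $allowed );
}

// Constructed inputs: values a site owner typed into a theme option.
$links = array(
    'Twitter' => 'https://twitter.com/example',
    'Site'    => 'ftp://files.example.com/', // ftp is in WordPress's allowed protocols, so it is kept
);

// Escaping happens once, at the point of output: the echo is wrapped in the
// allowlist function, which is what a search for "echo $" expects to find.
echo mytheme_kses_social( mytheme_social_links( $links ) );

// For a block of user-authored rich text (a widget body, a bio field),
// wp_kses_post() applies the same allowlist WordPress uses for post content:
// the <a href> survives, the onclick attribute is removed.
$bio = '<p>Read my <a href="https://example.com" onclick="doSomething()">site</a>.</p>';
echo wp_kses_post( $bio );
?>
```

The design choice worth noting is that wp_kses() is applied to the assembled fragment rather than to each piece: per-value escaping protects the pieces while they are being combined, and the allowlist on output guarantees that whatever reached the echo only contains the tags and attributes the theme intended.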