escaping the_permalink

wordpress

#1

Anyone know ThemeForest’s standpoint on escaping WordPress functions?

Should we be doing

echo esc_url( get_the_permalink() );

Seems overkill when the the_permalink function clearly escapes on echo

https://developer.wordpress.org/reference/functions/the_permalink/

I ask because one of my soft messages was to escape all URLs, even WordPress.

WordPress.org allows the_permalink, but will ThemeForest reject for it?

Same goes for bloginfo - the output is escaped, see:

http://wordpress.itsprite.com/wordpressfrom-a-security-standpoint-should-bloginfo-or-get_bloginfo-be-escaped/


#2

I think the get_the_permalink() function isn’t escaped, so you need to escape it.
For the bloginfo() function, the output is escaped, but via filters. That means the esc_html filter can easily be removed, and then the output doesn’t get escaped. So you need to escape there too, to be on the safer side.
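
The bloginfo() point from post #2, as an added example that is not part of the thread and not WordPress core code: a stand-alone PHP model showing that escaping done through a filter disappears when the filter is unhooked, while escaping at the point of output does not. Here add_filter, remove_filter, apply_filters and esc_html are simplified stand-ins, demo_get_bloginfo_display is a hypothetical helper, and the site title is a constructed value.

```php
<?php
// Stand-alone model, NOT WordPress core: minimal stand-ins for the filter API,
// just enough to show why escaping at the call site survives filter removal.
$filters = array();

function add_filter( $tag, $callback ) {
    global $filters;
    $filters[ $tag ][] = $callback;
}

function remove_filter( $tag, $callback ) {
    global $filters;
    $filters[ $tag ] = array_values( array_filter(
        $filters[ $tag ] ?? array(),
        function ( $cb ) use ( $callback ) { return $cb !== $callback; }
    ) );
}

function apply_filters( $tag, $value ) {
    global $filters;
    foreach ( $filters[ $tag ] ?? array() as $callback ) {
        $value = $callback( $value );
    }
    return $value;
}

// Stand-in for esc_html(): no double-encoding of existing entities.
function esc_html( $text ) {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8', false );
}

// Hypothetical helper modelling bloginfo( 'name' ): escaped only via the filter.
function demo_get_bloginfo_display( $stored_name ) {
    return apply_filters( 'bloginfo', $stored_name );
}

$site_name = 'Tom & Jerry <b>Shop</b>';     // constructed sample site title

add_filter( 'bloginfo', 'esc_html' );        // escaping supplied by the filter
$with_filter = demo_get_bloginfo_display( $site_name );

remove_filter( 'bloginfo', 'esc_html' );     // a plugin or child theme unhooks it
$without_filter = demo_get_bloginfo_display( $site_name );

// Escaping at the point of output does not depend on the filter list.
$escaped_late = esc_html( demo_get_bloginfo_display( $site_name ) );

printf( "filter present: %s\nfilter removed: %s\nescaped late:   %s\n",
    $with_filter, $without_filter, $escaped_late );
```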