Question about escaping dynamic data

johnnychaos · July 20, 2016, 3:33pm

Hi, I have two questions:

1.I recently had soft rejection and one of the reason was: “All dynamic data must be correctly escaped for the context where it is rendered”.
I escaped all translatable strings, get_meta_fields but I wonder if I also have to escape “theme options” when they are echo’ed?

“Always use esc_url when sanitizing URLs, including WordPress related”. What about get_permalink(), etc?

Gareth_Gillman · July 20, 2016, 3:45pm

get_permalink and other WP functions are sanitized so you don’t need to worry about them, but you do need to sanitize anything else including theme options as you don’t know what the user will input.

johnnychaos · July 20, 2016, 3:49pm

Thanks for the answer.

So why they wrote " including WordPress related"?

johnnychaos · July 25, 2016, 5:02pm

Just for clarifacation: get_permalink is not escaped, but the_permalink is. It looks like all “get_” link functions need to be escaped.

Topic		Replies	Views
Data Validation issues Theme Authors wordpress , item-feedback	7	1662	March 24, 2017
Please help with "All dynamic data must be correctly escaped.." Theme Authors wordpress , item-feedback	0	468	November 3, 2016
WordPress Theme Soft-Rejected Theme Authors wordpress , item-feedback	13	988	October 14, 2016
Question about esc_url Looking For wordpress	4	866	February 27, 2016
Clarification Please. Escaping Dynamic Content. Author Hangout tips-and-tricks	6	554	April 20, 2016

Question about escaping dynamic data

Related topics