Opened 7 months ago

Closed 7 months ago

#22327 closed defect (bug) (fixed)

Settings API output is not escaped

Reported by: johnjamesjacoby Owned by: ryan
Priority: normal Milestone: 3.5
Component: Administration Version:
Severity: normal Keywords: has-patch commit
Cc:

Description (last modified by johnjamesjacoby)

Problem

The output from do_settings_sections() and do_settings_fields() is not escaped while looping through the $wp_settings_fields global.


Unescaped Variables

  • $section['title']
  • $field['args']['label_for']
  • $field['title']

Solutions

  • Escape everything. We shouldn't expect anyone that's using add_settings_section() and add_settings_field() to pass already escaped output. Note that core does not escape its own usage here.
  • Escape nothing, and expect escaped input. This would require developer education to escape all of the things.

Patch Attached

Attached patch escapes all variable screen output.

Attachments (2)

22327.patch (1.0 KB) - added by johnjamesjacoby 7 months ago.
22327.2.patch (597 bytes) - added by johnjamesjacoby 7 months ago.
esc_attr() only, to allow titles to include HTML


Change History (5)

  • Description modified (diff)
  • Keywords commit added
  • Milestone changed from Awaiting Review to 3.5

So, for things like programmatic values, we don't escape for security. Inner HTML should not be escaped. But, attributes should always be escaped to avoid breakage. So most of this looks great.
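The following is an added example, not WordPress core code and not the attached patch. It is a minimal stand-in for the do_settings_fields() loop described in the ticket (the real function lives in wp-admin/includes/template.php and does more than this), rendering one field row first unescaped and then with the attribute escaped as the fix describes. demo_esc_attr() is an assumed stand-in for WordPress's esc_attr(), render_row_unescaped() and render_row_escaped() are hypothetical names, and the $field array is constructed input whose label_for value contains a double quote so that the difference is visible:

```php
<?php
// Added example (not WordPress core): shows why an attribute value pulled from
// $wp_settings_fields must go through esc_attr() while the title, which the
// comment above treats as inner HTML, is left as the developer supplied it.

// Assumed stand-in for WordPress's esc_attr(): encode quotes, angle brackets
// and ampersands so the value cannot terminate the surrounding attribute.
function demo_esc_attr($text)
{
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample field, shaped like an entry of $wp_settings_fields.
// The label_for value closes the quoted attribute and adds another one.
$field = array(
    'title' => 'Site <em>Tagline</em>',                 // inner HTML, kept as-is
    'args'  => array('label_for' => 'tagline" data-injected="1'),
);

// The reported behaviour: label_for is concatenated straight into for="".
function render_row_unescaped(array $field)
{
    $html  = '<tr>';
    $html .= '<th scope="row"><label for="' . $field['args']['label_for'] . '">'
           . $field['title'] . '</label></th>';
    $html .= '</tr>';
    return $html;
}

// The committed approach: esc_attr() on the attribute only, so the for=""
// value stays inside its quotes while the title may still carry markup.
function render_row_escaped(array $field)
{
    $html  = '<tr>';
    $html .= '<th scope="row"><label for="' . demo_esc_attr($field['args']['label_for']) . '">'
           . $field['title'] . '</label></th>';
    $html .= '</tr>';
    return $html;
}

// Quick check a reviewer can run: count how many attributes the <label> tag
// ends up with. The unescaped row gains a second attribute from the data.
function count_label_attributes($html)
{
    if (!preg_match('/<label\s+([^>]*)>/', $html, $m)) {
        return 0;
    }
    return preg_match_all('/\b[\w-]+="/', $m[1]);
}

echo render_row_unescaped($field), "\n";
echo "label attributes: ", count_label_attributes(render_row_unescaped($field)), "\n";
echo render_row_escaped($field), "\n";
echo "label attributes: ", count_label_attributes(render_row_escaped($field)), "\n";
```

Run it with `php example.php`; the first row shows the stray `data-injected` attribute appearing on the label, the second keeps the whole value inside `for="..."` as `&quot;`-encoded text while `<em>` in the title is still rendered. The same split applies to $section['title'] and $field['title']: they are printed as element content, so the escaping decision belongs to the developer who registers them, exactly as the comment above states.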

esc_attr() only, to allow titles to include HTML

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In 22373:

Use esc_attr() for attributes. Props johnjamesjacoby. fixes #22327
