id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
22327	Settings API output is not escaped	johnjamesjacoby	ryan	"'''Problem'''

The output from do_settings_sections() and do_settings_fields() is not escaped while looping through the $wp_settings_fields global.

----

'''Unescaped Variables'''

* $section!['title']
* $field!['args']!['label_for']
* $field!['title']

----

'''Solutions'''

* Escape everything. We shouldn't expect anyone that's using add_settings_section() and add_settings_field() to pass already escaped output. Note that core does not escape its own usage here.
* Escape nothing, and expect escaped input. This would require developer education to escape all of the things.

----

'''Patch Attached'''

Attached patch escapes all variable screen output."	defect (bug)	closed	normal	3.5	Administration		normal	fixed	has-patch commit	
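The following is an added illustration of the two output paths the ticket contrasts; it is neither WordPress core code nor the attached patch. A minimal stand-in loop plays the role of do_settings_sections()/do_settings_fields(), the $sections/$fields arrays are constructed sample data in the shape of the $wp_settings_sections/$wp_settings_fields globals, and the hypothetical wp_esc_html()/wp_esc_attr() helpers stand in for core's esc_html()/esc_attr() so the file runs without WordPress loaded.

```php
<?php
// Added example, not WordPress core or the ticket's patch.
// wp_esc_html()/wp_esc_attr() are hypothetical stand-ins for esc_html()/esc_attr():
// both reduce to htmlspecialchars() with ENT_QUOTES so the output is safe in
// text nodes and in double-quoted attribute values.
function wp_esc_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function wp_esc_attr(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample data mirroring what a plugin could hand to
// add_settings_section()/add_settings_field(), with hostile strings in the
// three variables the ticket lists as unescaped.
$sections = [
    'my_section' => ['title' => 'General <script>alert(1)</script>'],
];
$fields = [
    'my_section' => [
        'my_field' => [
            'title' => 'Site name<img src=x onerror="alert(2)">',
            'args'  => ['label_for' => 'x" autofocus onfocus="alert(3)'],
        ],
    ],
];

// Before: the pattern the ticket reports, echoing the registered values verbatim.
// $section['title'] lands in an element body, $field['args']['label_for'] in an
// attribute, $field['title'] in a label body; none of them is escaped.
function render_unescaped(array $sections, array $fields): string {
    $out = '';
    foreach ($sections as $id => $section) {
        $out .= "<h3>{$section['title']}</h3>\n<table>\n";
        foreach ($fields[$id] ?? [] as $field) {
            $label = $field['args']['label_for'] ?? '';
            $out .= "<tr><th><label for=\"{$label}\">{$field['title']}</label></th></tr>\n";
        }
        $out .= "</table>\n";
    }
    return $out;
}

// After: the "escape everything" option from the ticket, escaping at the
// point of output with the function matching the context (attribute vs. body).
function render_escaped(array $sections, array $fields): string {
    $out = '';
    foreach ($sections as $id => $section) {
        $out .= '<h3>' . wp_esc_html($section['title']) . "</h3>\n<table>\n";
        foreach ($fields[$id] ?? [] as $field) {
            $label = $field['args']['label_for'] ?? '';
            $out .= '<tr><th><label for="' . wp_esc_attr($label) . '">'
                  . wp_esc_html($field['title']) . "</label></th></tr>\n";
        }
        $out .= "</table>\n";
    }
    return $out;
}

echo "--- unescaped (script/handler markup reaches the page) ---\n";
echo render_unescaped($sections, $fields);
echo "--- escaped (same input rendered as inert text) ---\n";
echo render_escaped($sections, $fields);
```

The second option from the ticket (escape nothing and require callers to pass escaped strings) changes nothing in the loop; it moves the wp_esc_html()/wp_esc_attr() calls into every plugin that registers a section or field, which is the developer-education cost the ticket notes. Escaping at output, as the first option and the attached patch do, keeps the contract in one place and stays correct even when the registered value comes from an option that an administrator or another plugin later edits.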
