Opened 7 months ago
Last modified 7 months ago
#22327 closed defect (bug)
Settings API output is not escaped — at Version 1
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 3.5 |
| Component: | Administration | Version: | |
| Severity: | normal | Keywords: | has-patch commit |
| Cc: | | | |
Description (last modified by johnjamesjacoby)
Problem
The output from do_settings_sections() and do_settings_fields() is not escaped while looping through the $wp_settings_fields global.
Unescaped Variables
- $section['title']
- $field['args']['label_for']
- $field['title']
Solutions
- Escape everything. We shouldn't expect anyone that's using add_settings_section() and add_settings_field() to pass already escaped output. Note that core does not escape its own usage here.
- Escape nothing, and expect escaped input. This would require developer education to escape all of the things.
Patch Attached
Attached patch escapes all variable screen output.
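The output loop the description refers to, as an added stand-alone PHP example that is not the attached patch or WordPress core code: a trimmed model of the do_settings_sections()/do_settings_fields() loop run over constructed sample data, first interpolating the three listed variables raw and then escaping each in the context it lands in. The names render_unescaped() and render_escaped(), the sample section and field arrays, and the esc_html()/esc_attr() stand-ins (defined only so the file runs outside WordPress) are assumptions made for this example.

```php
<?php
// Added example, not the ticket's patch or WordPress core code.
// Stand-ins for WordPress' esc_html()/esc_attr() so this runs outside WordPress.
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}

// Constructed sample data shaped like what add_settings_section() and
// add_settings_field() store. The values carry markup a plugin might pass
// through unescaped; nothing here is taken from a real site.
$section = array(
	'id'    => 'demo_section',
	'title' => 'Demo <img src=x onerror=alert(1)>',
);
$fields = array(
	array(
		'title' => 'Site <b>name</b>',
		'args'  => array( 'label_for' => 'demo_name" autofocus onfocus="alert(2)' ),
	),
	array(
		'title' => 'Tagline </th><td>injected</td>',
		'args'  => array(),
	),
);

// Mirrors the loop described in the ticket: $section['title'],
// $field['args']['label_for'] and $field['title'] are interpolated raw.
function render_unescaped( array $section, array $fields ) {
	$html = "<h3>{$section['title']}</h3>\n";
	foreach ( $fields as $field ) {
		$html .= '<tr valign="top">';
		if ( ! empty( $field['args']['label_for'] ) ) {
			$html .= '<th scope="row"><label for="' . $field['args']['label_for'] . '">' . $field['title'] . '</label></th>';
		} else {
			$html .= '<th scope="row">' . $field['title'] . '</th>';
		}
		$html .= "</tr>\n";
	}
	return $html;
}

// "Escape everything" variant: esc_attr() where the value lands inside an
// attribute (the label's for=""), esc_html() where it lands in element text.
function render_escaped( array $section, array $fields ) {
	$html = '<h3>' . esc_html( $section['title'] ) . "</h3>\n";
	foreach ( $fields as $field ) {
		$html .= '<tr valign="top">';
		if ( ! empty( $field['args']['label_for'] ) ) {
			$html .= '<th scope="row"><label for="' . esc_attr( $field['args']['label_for'] ) . '">' . esc_html( $field['title'] ) . '</label></th>';
		} else {
			$html .= '<th scope="row">' . esc_html( $field['title'] ) . '</th>';
		}
		$html .= "</tr>\n";
	}
	return $html;
}

echo "--- unescaped ---\n", render_unescaped( $section, $fields );
echo "--- escaped ---\n", render_escaped( $section, $fields );
```

Run it with `php` on the command line and compare the two blocks: in the unescaped output the label_for value closes the for="" attribute and adds an onfocus handler, and the titles inject an image with an onerror handler and a stray table cell; in the escaped output each of those becomes inert text. The split between esc_attr() and esc_html() matters because the same string needs different treatment in attribute and text context. The trade-off the two listed solutions describe is visible here too: esc_html() on $field['title'] also turns the intended `<b>name</b>` into literal text, so escaping everything on output only works if callers are not expected to pass markup in titles.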
Change History (2)
comment:1 johnjamesjacoby — 7 months ago
- Description modified (diff)