kses filter fields when displaying
|Reported by:||ryan||Owned by:||ryan|
Currently, some DB fields are trusted when being displayed. Usually this is fine since everything is run through kses upon save. However, some recent attacks have manipulated DB values to cover their tracks, making DB information untrustworthy. Where possible, we should run values through kses not just upon save, but upon display as well. This would thwart the recent example where the first_name field was modified to contain JS that hid a bogus admin user.