Make WordPress Core

Opened 9 years ago

Closed 9 years ago

#22327 closed defect (bug) (fixed)

Settings API output is not escaped

Reported by: johnjamesjacoby
Owned by: ryan
Milestone: 3.5
Priority: normal
Severity: normal
Version:
Component: Administration
Keywords: has-patch commit
Focuses:
Cc:

Description (last modified by johnjamesjacoby)
The output from do_settings_sections() and do_settings_fields() is not escaped while looping through the $wp_settings_fields global.

Unescaped Variables

  • $section['title']
  • $field['args']['label_for']
  • $field['title']


  • Escape everything. We shouldn't expect anyone that's using add_settings_section() and add_settings_field() to pass already escaped output. Note that core does not escape its own usage here.
  • Escape nothing, and expect escaped input. This would require developer education to escape all of the things.

Patch Attached

Attached patch escapes all variable screen output.

Attachments (2)

22327.patch (1.0 KB) - added by johnjamesjacoby 9 years ago.
22327.2.patch (597 bytes) - added by johnjamesjacoby 9 years ago.
esc_attr() only, to allow titles to include HTML


Change History (5)

#1 @johnjamesjacoby
9 years ago

  • Description modified (diff)

#2 @nacin
9 years ago

  • Keywords commit added
  • Milestone changed from Awaiting Review to 3.5

So, for things like programmatic values, we don't escape for security. Inner HTML should not be escaped. But, attributes should always be escaped to avoid breakage. So most of this looks great.
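The following is an added example, not the ticket's patch or WordPress core code: a stripped-down copy of the do_settings_fields() label loop from the description, shown before and after the change nacin describes (escape attributes, leave inner HTML alone). The `esc_attr()` fallback is a stand-in assumed only for running the snippet outside WordPress; the `$field` array is constructed sample input.

```php
<?php
// Stand-in for WordPress's esc_attr() so the snippet runs outside WordPress.
// Inside WordPress this block is skipped and the real function is used.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Before the fix: label_for is dropped straight into the for="" attribute.
// A value containing a double quote terminates the attribute early and the
// remainder is parsed as further attributes on the <label> element.
function render_field_unescaped( array $field ) {
    if ( ! empty( $field['args']['label_for'] ) ) {
        return '<th scope="row"><label for="' . $field['args']['label_for'] . '">'
            . $field['title'] . '</label></th>';
    }
    return '<th scope="row">' . $field['title'] . '</th>';
}

// After the fix (22327.2.patch): the attribute value goes through esc_attr(),
// which encodes quotes and angle brackets. The title is inner HTML and is
// deliberately not escaped, so a plugin may still put markup in it.
function render_field_escaped( array $field ) {
    if ( ! empty( $field['args']['label_for'] ) ) {
        return '<th scope="row"><label for="' . esc_attr( $field['args']['label_for'] ) . '">'
            . $field['title'] . '</label></th>';
    }
    return '<th scope="row">' . $field['title'] . '</th>';
}

// Constructed sample: a plugin registers a field whose label_for carries a
// stray double quote (e.g. built from an unvalidated option name).
$field = array(
    'title' => '<em>Site</em> name',
    'args'  => array( 'label_for' => 'site-name" data-extra="' ),
);

// Unescaped: the for attribute ends at the stray quote and data-extra appears
// as a separate attribute, which is the markup breakage nacin refers to.
echo render_field_unescaped( $field ), "\n";

// Escaped: the whole value stays inside one for="" attribute, while the <em>
// in the title still renders as HTML.
echo render_field_escaped( $field ), "\n";
```

Compare the two lines of output in a browser's DOM inspector: the first yields a label with two attributes, the second a single for attribute holding the full string.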

9 years ago

esc_attr() only, to allow titles to include HTML

#3 @ryan
9 years ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In 22373:

Use esc_attr() for attributes. Props johnjamesjacoby. fixes #22327
