Make WordPress Core

Opened 12 years ago

Closed 12 years ago

#22327 closed defect (bug) (fixed)

Settings API output is not escaped

Reported by: johnjamesjacoby's profile johnjamesjacoby Owned by: ryan's profile ryan
Milestone: 3.5 Priority: normal
Severity: normal Version:
Component: Administration Keywords: has-patch commit
Focuses: Cc:

Description (last modified by johnjamesjacoby)


The output from do_settings_sections() and do_settings_fields() is not escaped while looping through the $wp_settings_fields global.

Unescaped Variables

  • $section['title']
  • $field['args']['label_for']
  • $field['title']


  • Escape everything. We shouldn't expect anyone that's using add_settings_section() and add_settings_field() to pass already escaped output. Note that core does not escape it's own usage here.
  • Escape nothing, and expect escaped input. This would require developer education to escape all of the things.

Patch Attached

Attached patch escapes all variable screen output.

Attachments (2)

22327.patch (1.0 KB) - added by johnjamesjacoby 12 years ago.
22327.2.patch (597 bytes) - added by johnjamesjacoby 12 years ago.
esc_attr() only, to allow title's to include HTML

Download all attachments as: .zip

Change History (5)

#1 @johnjamesjacoby
12 years ago

  • Description modified (diff)

#2 @nacin
12 years ago

  • Keywords commit added
  • Milestone changed from Awaiting Review to 3.5

So, for things like programmatic values, we don't escape for security. Inner HTML should not be escaped. But, attributes should always be escaped to avoid breakage. So most of this looks great.

12 years ago

esc_attr() only, to allow title's to include HTML

#3 @ryan
12 years ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In 22373:

Use esc_attr() for attributes. Props johnjamesjacoby. fixes #22327

Note: See TracTickets for help on using tickets.