Opened 12 years ago
Closed 12 years ago
#22327 closed defect (bug) (fixed)
Settings API output is not escaped
Reported by: | johnjamesjacoby | Owned by: | ryan |
---|---|---|---|
Milestone: | 3.5 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Administration | Keywords: | has-patch commit |
Focuses: | Cc: |
Description
Problem
The output from do_settings_sections() and do_settings_fields() is not escaped while looping through the $wp_settings_fields global.
Unescaped Variables
- $section['title']
- $field['args']['label_for']
- $field['title']
Solutions
- Escape everything. We shouldn't expect anyone that's using add_settings_section() and add_settings_field() to pass already escaped output. Note that core does not escape its own usage here.
- Escape nothing, and expect escaped input. This would require developer education to escape all of the things.
Patch Attached
Attached patch escapes all variable screen output.
Attachments (2)
Change History (5)
So, for things like programmatic values, we don't escape for security. Inner HTML should not be escaped. But, attributes should always be escaped to avoid breakage. So most of this looks great.
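To make the distinction in the comment above concrete, here is an added example (not WordPress core code and not the attached patch) that mirrors the shape of the do_settings_fields() loop over one constructed field with the three unescaped variables from the description. esc_attr() and esc_html() are defined as local fallbacks so the script runs outside WordPress; the field data is constructed for the demonstration.

```php
<?php
// Added example, not WordPress core code and not the ticket's patch. It mirrors
// the shape of the do_settings_fields() loop over one constructed field so the
// before/after can be run as a plain PHP script. esc_attr()/esc_html() are
// defined locally as fallbacks; inside WordPress the core functions apply.

if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample field: a plugin registered it with values that came from
// an untrusted source (a stored option, an import file) without escaping them.
$fields = [
    'site_name' => [
        'title'    => 'Site name <script>alert(1)</script>',
        'args'     => ['label_for' => 'site-name" onmouseover="alert(2)'],
        'callback' => function (array $args): void {
            echo '<input type="text" id="' . esc_attr($args['label_for']) . '" name="site_name" />';
        },
    ],
];

// $escape_attr = false reproduces the loop as the ticket describes it;
// $escape_attr = true applies the rule the comment endorses: attributes always
// go through esc_attr(), while $field['title'] stays raw because it is treated
// as developer-supplied inner HTML. A plugin that builds the title from user
// input therefore has to escape it itself (esc_html()) before registering it.
function render_fields(array $fields, bool $escape_attr): string {
    $out = '';
    foreach ($fields as $field) {
        $out .= '<tr valign="top">';
        if (!empty($field['args']['label_for'])) {
            $for = $escape_attr ? esc_attr($field['args']['label_for']) : $field['args']['label_for'];
            $out .= '<th scope="row"><label for="' . $for . '">' . $field['title'] . '</label></th>';
        } else {
            $out .= '<th scope="row">' . $field['title'] . '</th>';
        }
        ob_start();
        call_user_func($field['callback'], $field['args']);
        $out .= '<td>' . ob_get_clean() . '</td></tr>';
    }
    return $out;
}

echo "--- unescaped (the loop as reported) ---\n", render_fields($fields, false), "\n\n";
echo "--- attribute escaped ---\n", render_fields($fields, true), "\n\n";

// What the registering plugin should do with a user-derived title: escape it at
// registration time, so the inner HTML reaching the loop is already safe.
$fields['site_name']['title'] = esc_html('Site name <script>alert(1)</script>');
echo "--- attribute escaped + title escaped by caller ---\n", render_fields($fields, true), "\n";
```

Running it with `php example.php` prints the three renderings: in the first, the quote in label_for closes the `for` attribute and the title's script tag lands in the page as markup; in the second, the attribute is neutralised by esc_attr() but the title is still raw markup, which is exactly why the inner HTML has to be trusted or escaped by whoever registers the field; in the third, both paths are safe.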