Settings API output is not escaped — at Version 1
|Reported by:||johnjamesjacoby||Owned by:|
Description (last modified by johnjamesjacoby)
The output from do_settings_sections() and do_settings_fields() is not escaped while looping through the $wp_settings_fields global.
- Escape everything. We shouldn't expect anyone that's using add_settings_section() and add_settings_field() to pass already escaped output. Note that core does not escape it's own usage here.
- Escape nothing, and expect escaped input. This would require developer education to escape all of the things.
Attached patch escapes all variable screen output.
Change History (2)
Note: See TracTickets for help on using tickets.