Make WordPress Core

Opened 3 years ago

Last modified 3 years ago

#22327 closed defect (bug)

Settings API output is not escaped — at Version 1

Reported by: johnjamesjacoby
Owned by:
Milestone: 3.5
Priority: normal
Severity: normal
Version:
Component: Administration
Keywords: has-patch commit
Focuses:
Cc:

Description (last modified by johnjamesjacoby)


The output from do_settings_sections() and do_settings_fields() is not escaped while looping through the $wp_settings_fields global.

Unescaped Variables

  • $section['title']
  • $field['args']['label_for']
  • $field['title']


  • Escape everything. We shouldn't expect anyone that's using add_settings_section() and add_settings_field() to pass already escaped output. Note that core does not escape its own usage here.
  • Escape nothing, and expect escaped input. This would require developer education to escape all of the things.

Patch Attached

Attached patch escapes all variable screen output.
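To make the escaping gap concrete, here is an added, self-contained PHP illustration. It is not the attached patch and not WordPress core code: the `esc_html()`/`esc_attr()` stand-ins are simplified `htmlspecialchars()` wrappers (core's versions do more), the `$wp_settings_sections`/`$wp_settings_fields` arrays are constructed sample data shaped like what `add_settings_section()` and `add_settings_field()` register, and `render_unescaped()`/`render_escaped()` are hypothetical reductions of the loops in `do_settings_sections()`/`do_settings_fields()`. Each of the three variables the ticket lists is escaped for the context it lands in: `esc_attr()` inside the `for="..."` attribute, `esc_html()` between tags.

```php
<?php
// Added illustration; not the ticket's patch or WordPress core code.

// Simplified stand-ins for WordPress escaping helpers so this runs outside WordPress.
// Core's esc_html()/esc_attr() additionally normalise charset and invalid UTF-8.
function esc_html( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}
function esc_attr( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// Constructed sample data mirroring the globals filled by add_settings_section()
// and add_settings_field(). The titles/label_for carry markup characters on purpose
// so the two renderers visibly differ; a real plugin would register plain labels.
$wp_settings_sections = array(
    'general' => array(
        'demo_section' => array(
            'id'    => 'demo_section',
            'title' => 'Demo <em>section</em> & more',
        ),
    ),
);
$wp_settings_fields = array(
    'general' => array(
        'demo_section' => array(
            'demo_field' => array(
                'id'    => 'demo_field',
                'title' => 'Tagline <b>field</b>',
                'args'  => array( 'label_for' => 'tagline" class="x' ),
            ),
        ),
    ),
);

// Reduced form of the pattern the ticket describes: values echoed as-is.
function render_unescaped( $page, $section ) {
    global $wp_settings_sections, $wp_settings_fields;
    $out = '<h3>' . $wp_settings_sections[ $page ][ $section ]['title'] . "</h3>\n";
    foreach ( (array) $wp_settings_fields[ $page ][ $section ] as $field ) {
        if ( ! empty( $field['args']['label_for'] ) ) {
            $out .= '<label for="' . $field['args']['label_for'] . '">' . $field['title'] . "</label>\n";
        } else {
            $out .= $field['title'] . "\n";
        }
    }
    return $out;
}

// Same loop with context-appropriate escaping applied at output time.
function render_escaped( $page, $section ) {
    global $wp_settings_sections, $wp_settings_fields;
    $out = '<h3>' . esc_html( $wp_settings_sections[ $page ][ $section ]['title'] ) . "</h3>\n";
    foreach ( (array) $wp_settings_fields[ $page ][ $section ] as $field ) {
        if ( ! empty( $field['args']['label_for'] ) ) {
            // Attribute context: esc_attr() neutralises the quote that would close for="".
            $out .= '<label for="' . esc_attr( $field['args']['label_for'] ) . '">'
                  // Text context: esc_html() turns <b> into literal text.
                  . esc_html( $field['title'] ) . "</label>\n";
        } else {
            $out .= esc_html( $field['title'] ) . "\n";
        }
    }
    return $out;
}

echo "--- unescaped ---\n", render_unescaped( 'general', 'demo_section' );
echo "--- escaped ---\n",   render_escaped( 'general', 'demo_section' );
```

Running this with `php` shows the unescaped block emitting the registered markup and an extra `class="x"` attribute verbatim, while the escaped block renders every `<`, `>`, `&` and `"` as an entity. The choice of helper follows the destination: `esc_attr()` for anything inside a quoted attribute, `esc_html()` for anything between tags; applying the wrong one in the attribute position would still let the quote through.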

Change History (2)

#1 @johnjamesjacoby
3 years ago

  • Description modified