Settings API output still not escaped

[regodon]

I'm having a problem with do_settings_sections() not escaping or urlenconding double quotes so it generates broken HTML whenever a stored value contains double quotes.

I've seen these similar tickets:

#22327 (fixed)
#11253 (invalid)

[swissspidy]

Hi there and welcome to trac!

Can you share some steps to reproduce this, i.e. some sample code and values? Thanks in advance.

[regodon]

Hi Again,

It looks like I just needed to escape the field's value in the render callback function with esc_attr.:

<?php
add_settings_field('my_setting', 'My setting', 'my_setting_render', 'my_options_group', 'my_setting_section');
function my_setting_render() {
        $options = get_option('my_option_name');
        ?><input name='my_option_name[my_setting]' value="<?php echo esc_attr($options['my_setting']);?>">
        <?php
}

Not a real bug, sorry. But I find it would be useful if the Settings API had functions for rendering common form fields so developers doesn't have to create their own render functions for basic fields and deal with "low level" html. Should I create a new ticket with the feature request?

Thanks

[SergeyBiryukov]

Replying to regodon:

But I find it would be useful if the Settings API had functions for rendering common form fields so developers doesn't have to create their own render functions for basic fields and deal with "low level" html.

See #21488.