Make WordPress Core

Opened 9 years ago

Closed 9 years ago

#35528 closed defect (bug) (invalid)

Settings API output still not escaped

Reported by: regodon Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.4.1
Component: Options, Meta APIs Keywords:
Focuses: Cc:

Description (last modified by SergeyBiryukov)

I'm having a problem with do_settings_sections() not escaping or urlencoding double quotes, so it generates broken HTML whenever a stored value contains double quotes.

I've seen these similar tickets:

#22327 (fixed)
#11253 (invalid)

Change History (4)

#1 @SergeyBiryukov
9 years ago

  • Component changed from General to Options, Meta APIs
  • Description modified (diff)

#2 @swissspidy
9 years ago

  • Keywords reporter-feedback added

Hi there and welcome to trac!

Can you share some steps to reproduce this, i.e. some sample code and values? Thanks in advance.

#3 follow-up: @regodon
9 years ago

Hi Again,

It looks like I just needed to escape the field's value in the render callback function with esc_attr:

<?php
add_settings_field( 'my_setting', 'My setting', 'my_setting_render', 'my_options_group', 'my_setting_section' );

function my_setting_render() {
        // The option may not exist yet on first load, so default to an empty string.
        $options = get_option( 'my_option_name' );
        $value   = isset( $options['my_setting'] ) ? $options['my_setting'] : '';
        // esc_attr() encodes quotes so the stored value cannot break out of the attribute.
        ?><input name="my_option_name[my_setting]" value="<?php echo esc_attr( $value ); ?>">
        <?php
}

Not a real bug, sorry. But I find it would be useful if the Settings API had functions for rendering common form fields so developers don't have to create their own render functions for basic fields and deal with "low level" HTML. Should I create a new ticket with the feature request?

Thanks
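As an added example (not code from the ticket or from WordPress core), here is the same render callback in its unescaped and escaped forms side by side, written to return the markup as a string so the two outputs can be compared directly. The esc_attr() stand-in is an assumption for running the script outside WordPress; it only approximates the real function and is skipped when the real one is loaded. The option layout (an array with key 'my_setting') and the sample value are constructed to match the ticket.

```php
<?php
// Added example, not code from the ticket or WordPress core. Shows why a
// Settings API render callback must escape stored values before printing
// them into an HTML attribute.

// Outside WordPress esc_attr() does not exist, so a minimal stand-in is
// defined for demonstration only (assumption: it approximates the real
// function by encoding <, >, &, " and '). Inside WordPress the real
// esc_attr() is already defined and this block is skipped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false );
    }
}

// Unsafe render (the behaviour the ticket reports): the raw value is
// concatenated into a double-quoted attribute. Any double quote in the
// stored value ends the attribute early, and whatever follows is parsed
// as further attributes or markup, so the form is broken and the page
// content is controlled by whatever was saved in the option.
function my_setting_render_unescaped( array $options ) {
    $value = isset( $options['my_setting'] ) ? $options['my_setting'] : '';
    return '<input name="my_option_name[my_setting]" value="' . $value . '">';
}

// Safe render: esc_attr() encodes the quote and ampersand characters, so
// the value stays inside the attribute regardless of what was stored.
// In a real callback this string would be echoed rather than returned.
function my_setting_render_escaped( array $options ) {
    $value = isset( $options['my_setting'] ) ? $options['my_setting'] : '';
    return '<input name="my_option_name[my_setting]" value="' . esc_attr( $value ) . '">';
}

// Constructed sample option: an ordinary title containing double quotes
// and an ampersand, the case the ticket describes.
$sample = array( 'my_setting' => 'Say "hello" & goodbye' );

echo "Unescaped: ", my_setting_render_unescaped( $sample ), PHP_EOL;
echo "Escaped:   ", my_setting_render_escaped( $sample ), PHP_EOL;
```

Running the script prints the two input tags one after the other: in the unescaped line the attribute closes after `Say ` and the rest of the title spills into the tag, while in the escaped line the whole title is preserved as the attribute value. Output escaping belongs in the render callback because get_option() returns whatever was stored, and a separate sanitize callback on the setting only guards what goes in, not how it is printed later.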

#4 in reply to: ↑ 3 @SergeyBiryukov
9 years ago

  • Keywords reporter-feedback removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Replying to regodon:

But I find it would be useful if the Settings API had functions for rendering common form fields so developers don't have to create their own render functions for basic fields and deal with "low level" HTML.

See #21488.
