Make WordPress Core

Opened 10 years ago

Closed 10 years ago

#35528 closed defect (bug) (invalid)

Settings API output still not escaped

Reported by: regodon
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.4.1
Component: Options, Meta APIs
Keywords:
Focuses:
Cc:

Description (last modified by SergeyBiryukov)

I'm having a problem with do_settings_sections() not escaping or urlencoding double quotes, so it generates broken HTML whenever a stored value contains double quotes.

I've seen these similar tickets:

#22327 (fixed)
#11253 (invalid)

Change History (4)

#1 @SergeyBiryukov
10 years ago

  • Component changed from General to Options, Meta APIs
  • Description modified (diff)

#2 @swissspidy
10 years ago

  • Keywords reporter-feedback added

Hi there and welcome to trac!

Can you share some steps to reproduce this, i.e. some sample code and values? Thanks in advance.

#3 follow-up: @regodon
10 years ago

Hi again,

It looks like I just needed to escape the field's value in the render callback function with esc_attr:

<?php
// Register the field; in a plugin this would normally run on the admin_init hook.
add_settings_field('my_setting', 'My setting', 'my_setting_render', 'my_options_group', 'my_setting_section');

function my_setting_render() {
        $options = get_option('my_option_name');
        // Guard against the key not existing yet (first load, before any save).
        $value = isset($options['my_setting']) ? $options['my_setting'] : '';
        // esc_attr() encodes double quotes (and < > & '), so the stored value
        // can no longer terminate the attribute and break the markup.
        ?><input name='my_option_name[my_setting]' value="<?php echo esc_attr($value); ?>">
        <?php
}

Not a real bug, sorry. But I find it would be useful if the Settings API had functions for rendering common form fields so developers don't have to create their own render functions for basic fields and deal with "low level" HTML. Should I create a new ticket with the feature request?

Thanks
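An added example, not code from the ticket or from WordPress core, that puts the reporter's unescaped callback beside the esc_attr() version and adds a sanitize callback on save. Option, group and field names are made up for this demonstration; the esc_attr() stand-in is only used when the file is run outside WordPress.

```php
<?php
// Added example (not from the ticket): why the render callback, not
// do_settings_sections(), must escape, and what a stored value containing
// double quotes does to the markup without esc_attr().

// Stand-in so the file also runs outside WordPress; inside WordPress the
// real esc_attr() is defined and this block is skipped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Vulnerable callback (what the reporter had before the fix): the stored
// value is dropped straight into the attribute. A double quote in the value
// closes value="..." early and the rest is parsed as further attributes.
function demo_render_unescaped( $options ) {
    $value = isset( $options['demo'] ) ? $options['demo'] : '';
    return '<input name="demo_options[demo]" value="' . $value . '">';
}

// Hardened callback: esc_attr() encodes " ' < > & so the value stays inside
// the attribute regardless of what was stored.
function demo_render_escaped( $options ) {
    $value = isset( $options['demo'] ) ? $options['demo'] : '';
    return '<input name="demo_options[demo]" value="' . esc_attr( $value ) . '">';
}

// Defense in depth: also sanitize on save via register_setting()'s third
// argument, so stray markup is stripped before it reaches the database.
function demo_sanitize( $input ) {
    $clean = array();
    $clean['demo'] = isset( $input['demo'] ) ? sanitize_text_field( $input['demo'] ) : '';
    return $clean;
}

if ( function_exists( 'add_action' ) ) {
    add_action( 'admin_init', function () {
        register_setting( 'demo_group', 'demo_options', 'demo_sanitize' );
        add_settings_section( 'demo_section', 'Demo', '__return_false', 'demo_page' );
        add_settings_field( 'demo', 'Demo field', function () {
            echo demo_render_escaped( get_option( 'demo_options', array() ) );
        }, 'demo_page', 'demo_section' );
    } );
} else {
    // Offline run: a constructed stored value with an embedded double quote.
    $stored = array( 'demo' => 'He said "hi"' );
    echo demo_render_unescaped( $stored ), "\n";
    echo demo_render_escaped( $stored ), "\n";
}
```

Run it with the PHP CLI to compare the two output lines: the first has the attribute cut off at the inner quote, the second keeps the whole value in it.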

#4 in reply to: ↑ 3 @SergeyBiryukov
10 years ago

  • Keywords reporter-feedback removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Replying to regodon:

But I find it would be useful if the Settings API had functions for rendering common form fields so developers don't have to create their own render functions for basic fields and deal with "low level" HTML.

See #21488.
