[wp-trac] [WordPress Trac] #20125: Escape output in settings_errors
WordPress Trac
wp-trac at lists.automattic.com
Sun Feb 26 17:26:27 UTC 2012
#20125: Escape output in settings_errors
-------------------------+-----------------------------
Reporter: tollmanz | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 3.0
Severity: normal | Keywords: has-patch
-------------------------+-----------------------------
'''The Problem'''
The "settings_errors" function does not escape data when outputting it
from the $settings_errors variable, which either comes from the
$wp_settings_errors global variable or the "settings_errors" transient.
This data is not escaped at any point during retrieval or output.
Additionally, the data is not sanitized or validated when adding it via
"add_settings_error".
'''Test Case'''
In the validation callback function for a setting, adding a settings error
with HTML can badly break output:
{{{
add_settings_error( 'zdt-setting', '1023', 'An error occurred</div>' );
}}}
'''Solution'''
Escape the $type, $code, and $message variables on output.
'''Possible Issues'''
The $message variable is output wrapped in 'p' and 'strong' tags. My
patch tries to allow common, reasonable tags to be output. I use
"wp_kses_data", which will only allow tags defined in the $allowedtags
variable. Should a plugin or theme author need another element printed
out, it will be stripped; however, there still is the potential that it
could cause issues for plugins that were previously able to place anything
in the $message variable. With that said, most other tags would lead to
invalid HTML and probably shouldn't be allowed in this context anyway.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20125>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
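As an added example (not the ticket's patch and not WordPress core code), the following stand-alone PHP script renders settings errors the way the ticket proposes: $type and $code are escaped for attribute context, and $message is passed through a tag allowlist instead of being printed raw. Because it runs outside WordPress, htmlspecialchars() stands in for esc_attr() and allowlist_message() is a simplified stand-in for wp_kses_data(); the constant ALLOWED_MESSAGE_TAGS, the function render_settings_errors() and the sample errors are assumptions constructed here, and the markup only approximates what settings_errors() emits.

```php
<?php
// Added example, not the ticket's patch or WordPress core code.
// htmlspecialchars() stands in for esc_attr(); allowlist_message() is a
// simplified stand-in for wp_kses_data() (assumed names, not WordPress APIs).

// Inline tags a message may keep; anything else is removed.
const ALLOWED_MESSAGE_TAGS = ['strong', 'em', 'b', 'i', 'code'];

// Keep only allow-listed tags and drop every attribute on them.
function allowlist_message(string $message): string {
    $allowed  = '<' . implode('><', ALLOWED_MESSAGE_TAGS) . '>';
    $stripped = strip_tags($message, $allowed);
    // strip_tags() leaves attributes (e.g. onclick) on allowed tags, so
    // rewrite every remaining tag down to its bare name.
    return preg_replace('/<(\/?)(\w+)[^>]*>/', '<$1$2>', $stripped);
}

// Approximates the markup settings_errors() builds, with escaping applied
// to each of the three values the ticket names.
function render_settings_errors(array $errors): string {
    $html = '';
    foreach ($errors as $error) {
        // $type and $code land inside attributes: escape for that context.
        $type    = htmlspecialchars($error['type'], ENT_QUOTES, 'UTF-8');
        $code    = htmlspecialchars($error['code'], ENT_QUOTES, 'UTF-8');
        // $message is wrapped in <p><strong>: allow a few inline tags only.
        $message = allowlist_message($error['message']);
        $html .= sprintf(
            '<div id="setting-error-%s" class="%s"><p><strong>%s</strong></p></div>' . "\n",
            $code, $type, $message
        );
    }
    return $html;
}

// Constructed input: the ticket's test case (a stray closing tag in the
// message) plus a second entry with a hostile code and an attribute on an
// otherwise allowed tag.
$errors = [
    ['setting' => 'zdt-setting', 'code' => '1023', 'type' => 'error',
     'message' => 'An error occurred</div>'],
    ['setting' => 'zdt-setting', 'code' => '"><b>', 'type' => 'updated',
     'message' => '<strong onclick="x()">Saved</strong> <span>extra</span>'],
];

echo render_settings_errors($errors);
```

With the first entry the stray `</div>` is dropped and the surrounding markup stays balanced; with the second, the quote and angle brackets in $code become entities inside the id attribute, the onclick attribute is removed from the allowed `<strong>`, and the disallowed `<span>` is stripped while its text is kept. In WordPress itself the same shape is obtained with esc_attr() for $type and $code and wp_kses_data() for $message, as the ticket's solution describes.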