[wp-trac] [WordPress Trac] #20125: Escape output in settings_errors
WordPress Trac
wp-trac at lists.automattic.com
Mon Feb 27 05:10:33 UTC 2012
#20125: Escape output in settings_errors
-------------------------+------------------------------
Reporter: tollmanz | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 3.0
Severity: normal | Resolution:
Keywords: has-patch |
-------------------------+------------------------------
Changes (by kurtpayne):
* cc: kpayne@… (added)
Comment:
Here's the way I'm reading this code / documentation:
`add_settings_error` is expecting `$message` to contain pre-sanitized data
and to be formatted exactly as the theme developer intends.
The docs say this:
{{{
* @param string $message The formatted message text to display to the
user (will be shown inside styled <div> and <p>)
}}}
I would argue that any user data being passed through this function should
already be sanitized.
{{{
add_settings_error( 'zdt-setting', '1023', 'The value: ' . wp_kses_data( $val ) . ' is not allowed' );
}}}
Otherwise WordPress should dump this data out directly.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20125#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
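As an added example (not from the ticket, its commenter, or WordPress core), the pattern the comment argues for, applied in a sanitize callback for a hypothetical plugin option: the caller validates the submitted value and escapes the user-supplied fragment before building the `$message` it hands to `add_settings_error()`. Option and group names are placeholders.

```php
<?php
// Added example, not part of the ticket or of WordPress core.
// add_settings_error() expects $message to be already-escaped HTML, since
// settings_errors() prints it inside its own <div><p> markup. The burden of
// escaping user input therefore sits with the caller, as shown here.

function zdt_example_sanitize_colour( $input ) {
    $value = is_string( $input ) ? trim( $input ) : '';

    // Allow-list check: only a 6-digit hex colour is accepted.
    if ( preg_match( '/^#[0-9a-fA-F]{6}$/', $value ) ) {
        return $value;
    }

    // UNSAFE form: $value is user-controlled and would be printed verbatim
    // by settings_errors(), so a submitted value containing markup or script
    // would be rendered as-is on the settings page.
    // add_settings_error( 'zdt_example_colour', 'invalid', 'The value: ' . $value . ' is not allowed' );

    // Safe form: escape the user-supplied fragment first. wp_kses_data(), as
    // used in the comment above, would also work; esc_html() is stricter
    // because the value is never meant to contain markup.
    add_settings_error(
        'zdt_example_colour',
        'invalid',
        'The value: ' . esc_html( $value ) . ' is not allowed; keeping the saved colour.',
        'error'
    );

    // Return the stored value so the rejected input is never persisted.
    return get_option( 'zdt_example_colour', '#000000' );
}

add_action( 'admin_init', function () {
    // Hypothetical option group and name; the callback runs on every save.
    register_setting( 'zdt_example_group', 'zdt_example_colour', 'zdt_example_sanitize_colour' );
} );
```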