[wp-trac] [WordPress Trac] #20125: Escape output in settings_errors

WordPress Trac wp-trac at lists.automattic.com
Mon Feb 27 05:10:33 UTC 2012


#20125: Escape output in settings_errors
-------------------------+------------------------------
 Reporter:  tollmanz     |       Owner:
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  General      |     Version:  3.0
 Severity:  normal       |  Resolution:
 Keywords:  has-patch    |
-------------------------+------------------------------
Changes (by kurtpayne):

 * cc: kpayne@… (added)


Comment:

 Here's the way I'm reading this code / documentation:
 `add_settings_error` is expecting `$message` to contain pre-sanitized data
 and to be formatted exactly as the theme developer intends.

 The docs say this:

 {{{
  * @param string $message The formatted message text to display to the user (will be shown inside styled <div> and <p>)
 }}}

 I would argue that any user data being passed through this function should
 already be sanitized.

 {{{
 add_settings_error( 'zdt-setting', '1023', 'The value: ' . wp_kses_data( $val ) . ' is not allowed' );
 }}}

 Otherwise WordPress should dump this data out directly.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/20125#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
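The contract described in the comment above, as an added example that is not part of the ticket or of WordPress core: the sink wraps each message in `<div><p>` and echoes it without escaping, so whatever user-controlled fragment goes into the message must be escaped by the caller. `queue_settings_error()` and `render_settings_errors()` are stand-ins for `add_settings_error()` and `settings_errors()` so the file runs under plain PHP; `sanitize_zdt_setting()` and the `zdt_setting` option are hypothetical, and `htmlspecialchars()` stands in for `wp_kses_data()` / `esc_html()`.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// Models the contract discussed in #20125: the display sink does not escape,
// so the caller must escape user-controlled fragments before queueing them.
// Stand-ins: queue_settings_error() ~ add_settings_error(),
//            render_settings_errors() ~ settings_errors(),
//            htmlspecialchars()       ~ wp_kses_data() / esc_html().

declare(strict_types=1);

/**
 * Stand-in for add_settings_error(): stores the message verbatim, as the
 * documented @param says the message is already formatted by the caller.
 */
function queue_settings_error(array &$queue, string $setting, string $code, string $message, string $type = 'error'): void
{
    $queue[] = ['setting' => $setting, 'code' => $code, 'message' => $message, 'type' => $type];
}

/**
 * Stand-in for settings_errors(): wraps each message in the styled <div><p>
 * WITHOUT escaping it, matching the behaviour the ticket discusses. The id
 * and class come from developer-supplied constants, so only the message is
 * the injection point modelled here.
 */
function render_settings_errors(array $queue): string
{
    $html = '';
    foreach ($queue as $err) {
        $html .= sprintf(
            "<div id=\"setting-error-%s\" class=\"%s settings-error\"><p><strong>%s</strong></p></div>\n",
            $err['code'],
            $err['type'],
            $err['message'] // not escaped: this is the sink under discussion
        );
    }
    return $html;
}

/**
 * Hypothetical sanitize callback for a 'zdt_setting' option that accepts only
 * short lowercase slugs. On rejection the user-supplied value is escaped
 * BEFORE it is concatenated into the message handed to the queue.
 */
function sanitize_zdt_setting(string $val, array &$queue): string
{
    if (!preg_match('/\A[a-z0-9-]{1,32}\z/', $val)) {
        queue_settings_error(
            $queue,
            'zdt-setting',
            '1023',
            'The value: ' . htmlspecialchars($val, ENT_QUOTES, 'UTF-8') . ' is not allowed'
        );
        return ''; // fall back to an empty setting on invalid input
    }
    return $val;
}

// Constructed input standing in for a hostile form submission.
$hostile = '<img src=x onerror=alert(1)>';

// Unsafe pattern: message assembled from the raw value and queued as-is.
$unsafe = [];
queue_settings_error($unsafe, 'zdt-setting', '1023', 'The value: ' . $hostile . ' is not allowed');

// Safe pattern: the sanitize callback escapes the fragment before queueing.
$safe = [];
sanitize_zdt_setting($hostile, $safe);

echo "UNSAFE:\n" . render_settings_errors($unsafe);
echo "SAFE:\n" . render_settings_errors($safe);
```

Running it side by side shows the difference the comment is pointing at: the unsafe queue renders the submitted `<img ...>` tag live inside the notice, while the sanitized path renders it as inert text, without the sink itself having to know which parts of the message were developer markup and which were user data.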

