[wp-trac] [WordPress Trac] #22327: Settings API output is not escaped

WordPress Trac noreply at wordpress.org
Tue Oct 30 23:05:45 UTC 2012


#22327: Settings API output is not escaped
-----------------------------+------------------------------
 Reporter:  johnjamesjacoby  |       Owner:
     Type:  defect (bug)     |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Administration   |     Version:
 Severity:  normal           |  Resolution:
 Keywords:  has-patch        |
-----------------------------+------------------------------
Description changed by johnjamesjacoby:

Old description:

> '''Problem'''
>
> The output from do_settings_sections() and do_settings_fields() is not
> escaped while looping through the $wp_settings_fields global.
>
> ----
>
> '''Unescaped Variables'''
>
> * $section['title']
> * $field['args']['label_for']
> * $field['title']
>
> ----
>
> '''Solutions'''
>
> * Escape everything. We shouldn't expect anyone that's using
> add_settings_section() and add_settings_field() to pass already escaped
> output. Note that core does not escape its own usage here.
> * Escape nothing, and expect escaped input. This would require developer
> education to escape all of the things.
>
> ----
>
> '''Patch Attached'''
>
> Attached patch escapes all variable screen output.

New description:

 '''Problem'''

 The output from do_settings_sections() and do_settings_fields() is not
 escaped while looping through the $wp_settings_fields global.

 ----

 '''Unescaped Variables'''

 * $section!['title']
 * $field!['args']!['label_for']
 * $field!['title']

 ----

 '''Solutions'''

 * Escape everything. We shouldn't expect anyone that's using
 add_settings_section() and add_settings_field() to pass already escaped
 output. Note that core does not escape its own usage here.
 * Escape nothing, and expect escaped input. This would require developer
 education to escape all of the things.

 ----

 '''Patch Attached'''

 Attached patch escapes all variable screen output.


-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/22327#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
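As an added illustration (not the ticket's attached patch), the sketch below reproduces the field-header output that do_settings_fields() builds from $field['title'] and $field['args']['label_for'], once as reported (echoed raw) and once with the escaping the "escape everything" option calls for; $section['title'] in do_settings_sections() takes the same esc_html() treatment. esc_html() and esc_attr() are real WordPress core functions; the stand-ins are defined only so the script runs outside WordPress, and the $field value is constructed.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// $field mirrors what add_settings_field() registers: 'title' and
// 'args' => array( 'label_for' => ... ). The esc_* stand-ins below exist
// only so the script runs outside WordPress; core's own versions are used
// when they are already defined.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// As reported in #22327: both variables are concatenated into markup as-is,
// so any markup characters in a registered title or label_for reach the page.
function render_field_header_unescaped( array $field ) {
    if ( ! empty( $field['args']['label_for'] ) ) {
        return '<th scope="row"><label for="' . $field['args']['label_for'] . '">'
            . $field['title'] . '</label></th>';
    }
    return '<th scope="row">' . $field['title'] . '</th>';
}

// Escaped per context: the for="" attribute gets esc_attr(), the label text
// gets esc_html(). Callers of add_settings_field() need not pre-escape.
function render_field_header_escaped( array $field ) {
    if ( ! empty( $field['args']['label_for'] ) ) {
        return '<th scope="row"><label for="' . esc_attr( $field['args']['label_for'] ) . '">'
            . esc_html( $field['title'] ) . '</label></th>';
    }
    return '<th scope="row">' . esc_html( $field['title'] ) . '</th>';
}

// Constructed sample field whose title legitimately contains '&' and tags.
$field = array(
    'title' => 'Tracking & <em>Analytics</em> ID',
    'args'  => array( 'label_for' => 'tracking_id' ),
);

echo render_field_header_unescaped( $field ), "\n";
echo render_field_header_escaped( $field ), "\n";
```

Running it shows the first line rendering the `<em>` as live markup while the second line encodes `&` and the angle brackets, which is the difference the ticket's patch aims to enforce inside core rather than at every add_settings_section()/add_settings_field() call site.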

