[wp-trac] [WordPress Trac] #22327: Settings API output is not escaped

WordPress Trac noreply at wordpress.org
Tue Oct 30 23:14:28 UTC 2012


#22327: Settings API output is not escaped
------------------------------+------------------
 Reporter:  johnjamesjacoby   |       Owner:
     Type:  defect (bug)      |      Status:  new
 Priority:  normal            |   Milestone:  3.5
Component:  Administration    |     Version:
 Severity:  normal            |  Resolution:
 Keywords:  has-patch commit  |
------------------------------+------------------
Changes (by nacin):

 * keywords:  has-patch => has-patch commit
 * milestone:  Awaiting Review => 3.5


Comment:

 So, for things like programmatic values, we don't escape for security.
 Inner HTML should not be escaped. But, attributes should always be escaped
 to avoid breakage. So most of this looks great.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/22327#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
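
The distinction drawn in the comment above (inner HTML left alone, attribute values always escaped), as an added example that is not part of the ticket, its patch, or WordPress core. `attr()` is a hypothetical stand-in for WordPress's `esc_attr()` so the file runs without WordPress, and the field values are constructed.

```php
<?php
// Added illustration, not WordPress core code. attr() is a hypothetical
// stand-in for WordPress's esc_attr() so the file runs without WordPress.
function attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Render one settings row. 'class' and 'label_for' land in attributes;
// 'title' is programmatic inner HTML and is emitted as-is in both modes.
function render_row(array $field, bool $escape_attributes): string {
    $esc = $escape_attributes ? 'attr' : static fn(string $v): string => $v;
    return sprintf(
        '<tr class="%s"><th scope="row"><label for="%s">%s</label></th></tr>',
        $esc($field['class']),
        $esc($field['label_for']),
        $field['title']
    );
}

// Parse the markup and return the value the label's "for" attribute
// actually carries once a parser has read it.
function parsed_label_for(string $row_html): string {
    libxml_use_internal_errors(true); // malformed input is expected here
    $doc = new DOMDocument();
    $doc->loadHTML('<table>' . $row_html . '</table>');
    $label = $doc->getElementsByTagName('label')->item(0);
    return $label === null ? '' : $label->getAttribute('for');
}

// Constructed sample: a title with intentional markup, and an id value
// that happens to contain a double quote.
$field = [
    'class'     => 'example-row',
    'label_for' => 'size_3"_wide',
    'title'     => 'Thumbnail <em>width</em>',
];

foreach ([false, true] as $escape) {
    $html = render_row($field, $escape);
    $intact = parsed_label_for($html) === $field['label_for'];
    echo ($escape ? 'escaped:   ' : 'unescaped: '), $html, "\n";
    echo '  for attribute survives parsing: ', var_export($intact, true), "\n";
}
```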