Escape the output in U2F admin settings screen

[henryk]

Currently no escaping is done when outputting (the only) user-supplied data, leading to a trivial XSS vulnerability (albeit with limited impact). To test, try entering something like

http://foo'><b>Foo</b>

into the appid field and save. This commit fixes that.

[henryk]

I went through the code and have two other security-related annotations (not quite issues, so I didn't want to open actual issues):

• https://github.com/Yubico/wordpress-u2f/blob/master/u2f.php#L243 should probably use http://codex.wordpress.org/Function_Reference/wp_send_json but that will limit you to Wordpress 3.5.0 and up. Not sure which versions currently are supported, so I didn't want to change that.
• I'm very troubled by https://github.com/Yubico/wordpress-u2f/blob/master/u2f.php#L350 since this will output the user password in the clear back to the user's browser. I'm not sure how caching behaves in this instance, but it seems generically like a bad idea[tm]. There's no other web application on the planet that will pre-populate password fields when re-showing a form and that's for a reason. If at all possible you should try to find another way to achieve functionality.

[doherty]

Using wp_send_json changes the response content-type header. It seems like that causes an iframe (where does it come from?) to not get loaded. That iframe appears to be how the u2f js library gets loaded. Anyways, you can't just swap in wp_send_json trivially.

[minisu]

Thanks for the contributions. Since a more complete U2F plugin has appeared, we have decided to (at least temporarily) discontinue this plugin.