I’m using the Settings API on a custom settings page:

<form action='options.php' method='post'>
    <?php
    settings_fields('myplugin_settingsPage');
    do_settings_sections('myplugin_settingsPage');
    submit_button();
    ?>
</form>

It’s a very simple settings page, with a few text input fields. The problem is, some of the fields’ values contain double quotes (for example, Jhon "cracy" Garcia), and it seems WordPress doesn’t escape this character. The value stored in the database seems ok, I’ve checked it. But, when you visit the settings page a second time, this is the HTML generated by WordPress:

<input name="myplugin_settingsPage[name]" value="Jhon "cracy" Garcia" size=40>

As you can see, the quotes aren’t being urlencoded so the generated HTML is broken. Am I doing something wrong? Is it a bug in WordPress?

1 Answer

I found the problem. You need to escape the values in the _render functions, using esc_attr, like this:

function my_setting_render() {
    // Second argument is the default returned when the option has not been saved yet.
    $options = get_option('my_option_name', array());
    // Guard against an undefined index on first render.
    $value = isset($options['my_setting']) ? $options['my_setting'] : '';
    // esc_attr() HTML-encodes " < > & ' so the value cannot close the attribute.
    ?>
    <input name="my_option_name[my_setting]" value="<?php echo esc_attr($value); ?>">
    <?php
}
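As an added example (not code from the question or the answer), here is the full Settings API wiring for the asker's page with the fix applied end to end: register_setting() with a sanitize_callback so values are cleaned on save, and esc_attr() in the field's render callback so they are escaped on output. The option name myplugin_settingsPage matches the input name shown in the question; the section and field ids and the function names are assumed.

```php
<?php
// Added example, not the asker's or answerer's code. The option group, option
// name and settings page all use 'myplugin_settingsPage' to match the form in
// the question; 'myplugin_main' and the function names are assumed.

add_action('admin_init', 'myplugin_register_settings');

function myplugin_register_settings() {
    // sanitize_callback runs on every save, before the value reaches the options table.
    register_setting('myplugin_settingsPage', 'myplugin_settingsPage', array(
        'type'              => 'array',
        'sanitize_callback' => 'myplugin_sanitize_options',
        'default'           => array('name' => ''),
    ));

    add_settings_section('myplugin_main', 'Main settings', '__return_false', 'myplugin_settingsPage');

    add_settings_field('name', 'Name', 'myplugin_name_render', 'myplugin_settingsPage', 'myplugin_main');
}

function myplugin_sanitize_options($input) {
    $clean = array();
    // sanitize_text_field() strips tags and control characters but keeps quotes,
    // so a legitimate value such as Jhon "cracy" Garcia survives the round trip.
    $clean['name'] = isset($input['name']) ? sanitize_text_field($input['name']) : '';
    return $clean;
}

function myplugin_name_render() {
    $options = get_option('myplugin_settingsPage', array('name' => ''));
    $name    = isset($options['name']) ? $options['name'] : '';
    // esc_attr() encodes " as &quot; (and < > & '), so the stored value can never
    // close the value="" attribute and inject further attributes or markup.
    printf(
        '<input type="text" name="myplugin_settingsPage[name]" value="%s" size="40">',
        esc_attr($name)
    );
}
```

With this in place the stored value Jhon "cracy" Garcia is rendered as value="Jhon &quot;cracy&quot; Garcia", and the browser shows the quotes intact in the field.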
