From 21ebdbcb745405de350f9dc570420b19c2b632d4 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date: Tue, 30 Aug 2022 15:14:26 +0000
Subject: [PATCH] Plugins: Escape output in error messages.

Props tykoted, paulkevan, peterwilsoncc.

git-svn-id: https://develop.svn.wordpress.org/trunk@53960 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/plugins.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/wp-admin/plugins.php b/src/wp-admin/plugins.php
index 9a1945f6be..dd8f8679d8 100644
--- a/src/wp-admin/plugins.php
+++ b/src/wp-admin/plugins.php
@@ -612,7 +612,7 @@ if ( ! empty( $invalid ) ) {
 			/* translators: 1: Plugin file, 2: Error message. */
 			__( 'The plugin %1$s has been deactivated due to an error: %2$s' ),
 			'<code>' . esc_html( $plugin_file ) . '</code>',
-			$error->get_error_message()
+			esc_html( $error->get_error_message() )
 		);
 		echo '</p></div>';
 	}
@@ -676,7 +676,7 @@ elseif ( isset( $_GET['deleted'] ) ) :
 				printf(
 					/* translators: %s: Error message. */
 					__( 'Plugin could not be deleted due to an error: %s' ),
-					$delete_result->get_error_message()
+					esc_html( $delete_result->get_error_message() )
 				);
 				?>
 			</p>