From 60284ca7516e31ebbefa4875772e687e42a90a8f Mon Sep 17 00:00:00 2001
From: Jb Audras <audrasjb@git.wordpress.org>
Date: Fri, 5 Aug 2022 06:10:04 +0000
Subject: [PATCH] Coding standards: Properly escape URLs returned by
 `self_admin_url()` calls.

This address some other echoed instances missed by [53839].

Fixes #56329.


git-svn-id: https://develop.svn.wordpress.org/trunk@53840 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/includes/plugin-install.php | 2 +-
 src/wp-admin/update-core.php             | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/wp-admin/includes/plugin-install.php b/src/wp-admin/includes/plugin-install.php
index cc2294ee5a..61bc77fb7e 100644
--- a/src/wp-admin/includes/plugin-install.php
+++ b/src/wp-admin/includes/plugin-install.php
@@ -827,7 +827,7 @@ function install_plugin_information() {
 			printf(
 				/* translators: %s: URL to WordPress Updates screen. */
 				' ' . __( '<a href="%s" target="_parent">Click here to update WordPress</a>.' ),
-				self_admin_url( 'update-core.php' )
+				esc_url( self_admin_url( 'update-core.php' ) )
 			);
 		}
 		echo '</p></div>';
diff --git a/src/wp-admin/update-core.php b/src/wp-admin/update-core.php
index d4509763b3..087d314fc6 100644
--- a/src/wp-admin/update-core.php
+++ b/src/wp-admin/update-core.php
@@ -686,7 +686,7 @@ function list_theme_updates() {
 				$compat .= sprintf(
 					/* translators: 1: URL to WordPress Updates screen, 2: URL to Update PHP page. */
 					__( '<a href="%1$s">Please update WordPress</a>, and then <a href="%2$s">learn more about updating PHP</a>.' ),
-					self_admin_url( 'update-core.php' ),
+					esc_url( self_admin_url( 'update-core.php' ) ),
 					esc_url( wp_get_update_php_url() )
 				);
 
@@ -699,7 +699,7 @@ function list_theme_updates() {
 				$compat .= sprintf(
 					/* translators: %s: URL to WordPress Updates screen. */
 					__( '<a href="%s">Please update WordPress</a>.' ),
-					self_admin_url( 'update-core.php' )
+					esc_url( self_admin_url( 'update-core.php' ) )
 				);
 			} elseif ( current_user_can( 'update_php' ) ) {
 				$compat .= sprintf(
@@ -720,7 +720,7 @@ function list_theme_updates() {
 				$compat .= sprintf(
 					/* translators: %s: URL to WordPress Updates screen. */
 					__( '<a href="%s">Please update WordPress</a>.' ),
-					self_admin_url( 'update-core.php' )
+					esc_url( self_admin_url( 'update-core.php' ) )
 				);
 			}
 		} elseif ( ! $compatible_php ) {