From 6fa43a1d5b978d012ece561363be917e60224172 Mon Sep 17 00:00:00 2001 From: Sergey Biryukov Date: Tue, 30 Aug 2022 15:13:46 +0000 Subject: [PATCH] Posts, Post Types: Escape output within `the_meta()`. Convert markup to entities when displaying on the front end. Deprecates `the_meta()` in favor of `get_post_meta()`. Props tykoted, martinkrcho, xknown, dd32, peterwilsoncc, paulkevan, timothyblynjacobs. git-svn-id: https://develop.svn.wordpress.org/trunk@53958 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-includes/post-template.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/wp-includes/post-template.php b/src/wp-includes/post-template.php index 15d2777191..9f12a2aefb 100644 --- a/src/wp-includes/post-template.php +++ b/src/wp-includes/post-template.php @@ -1090,9 +1090,10 @@ function post_custom( $key = '' ) { * * @since 1.2.0 * - * @internal This will probably change at some point... + * @deprecated 6.0.2 Use get_post_meta() to retrieve post meta and render manually. */ function the_meta() { + _deprecated_function( __FUNCTION__, '6.0.2', 'get_post_meta()' ); $keys = get_post_custom_keys(); if ( $keys ) { $li_html = ''; @@ -1108,8 +1109,8 @@ function the_meta() { $html = sprintf( "
  • %s
  • \n", /* translators: %s: Post custom field name. */ - sprintf( _x( '%s:', 'Post custom field name' ), $key ), - $value + esc_html( sprintf( _x( '%s:', 'Post custom field name' ), $key ) ), + esc_html( $value ) ); /**