From daf168c0887609d14334987b6accd2263796e549 Mon Sep 17 00:00:00 2001
From: Andrew Ozz
Date: Sun, 12 Jul 2020 19:59:00 +0000
Subject: [PATCH] Upgrade/Install: Use `wp_strip_all_tags()` for the fields in the compare table on the "Update theme/plugin from uploaded zip" screen. Some may contain HTML. See #9757.
git-svn-id: https://develop.svn.wordpress.org/trunk@48453 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/includes/class-plugin-installer-skin.php | 8 ++++----
 src/wp-admin/includes/class-theme-installer-skin.php | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/wp-admin/includes/class-plugin-installer-skin.php b/src/wp-admin/includes/class-plugin-installer-skin.php
index af95f038e4..6a5cec123d 100644
--- a/src/wp-admin/includes/class-plugin-installer-skin.php
+++ b/src/wp-admin/includes/class-plugin-installer-skin.php
@@ -217,17 +217,17 @@ class Plugin_Installer_Skin extends WP_Upgrader_Skin {
 $is_same_plugin = true; // Let's consider only these rows.
 foreach ( $rows as $field => $label ) {
- $old_value = ! empty( $current_plugin_data[ $field ] ) ? $current_plugin_data[ $field ] : '-';
- $new_value = ! empty( $this->upgrader->new_plugin_data[ $field ] ) ? $this->upgrader->new_plugin_data[ $field ] : '-';
+ $old_value = ! empty( $current_plugin_data[ $field ] ) ? (string) $current_plugin_data[ $field ] : '-';
+ $new_value = ! empty( $this->upgrader->new_plugin_data[ $field ] ) ? (string) $this->upgrader->new_plugin_data[ $field ] : '-';
 $is_same_plugin = $is_same_plugin && ( $old_value === $new_value );
 $diff_field = ( 'Version' !== $field && $new_value !== $old_value );
 $diff_version = ( 'Version' === $field && $this->is_downgrading );
- $table .= '' . $label . '' . esc_html( $old_value ) . '';
+ $table .= '' . $label . '' . wp_strip_all_tags( $old_value ) . '';
 $table .= ( $diff_field || $diff_version ) ? '' : '';
- $table .= esc_html( $new_value ) . '';
+ $table .= wp_strip_all_tags( $new_value ) . '';
 }
 $table .= '';
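Review bot: On the two `$table .=` lines, `wp_strip_all_tags()` replaces `esc_html()` instead of being layered on it, so the cell content is no longer escaped at the point of output: `wp_strip_all_tags()` only removes `<...>` markup and leaves `&`, quotes and entity text as they are. The late-escaping convention is to do both, `esc_html( wp_strip_all_tags( $old_value ) )` and `esc_html( wp_strip_all_tags( $new_value ) )`, which keeps the intent of the change (no rendered markup from plugin header fields) while still escaping the final string. The same substitution appears in the second hunk of class-theme-installer-skin.php and would get the same treatment. The enclosing method starts before and continues after this hunk.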
diff --git a/src/wp-admin/includes/class-theme-installer-skin.php b/src/wp-admin/includes/class-theme-installer-skin.php
index ecbd6a7408..f091029eed 100644
--- a/src/wp-admin/includes/class-theme-installer-skin.php
+++ b/src/wp-admin/includes/class-theme-installer-skin.php
@@ -241,9 +241,9 @@ class Theme_Installer_Skin extends WP_Upgrader_Skin {
 foreach ( $rows as $field => $label ) {
 $old_value = $current_theme_data->display( $field, false );
- $old_value = $old_value ? $old_value : '-';
+ $old_value = $old_value ? (string) $old_value : '-';
- $new_value = ! empty( $this->upgrader->new_theme_data[ $field ] ) ? $this->upgrader->new_theme_data[ $field ] : '-';
+ $new_value = ! empty( $this->upgrader->new_theme_data[ $field ] ) ? (string) $this->upgrader->new_theme_data[ $field ] : '-';
 if ( $old_value === $new_value && '-' === $new_value && 'Template' === $field ) {
 continue;
@@ -260,9 +260,9 @@ class Theme_Installer_Skin extends WP_Upgrader_Skin {
 $new_value .= ' ' . __( '(not found)' );
 }
- $table .= '' . $label . '' . esc_html( $old_value ) . '';
+ $table .= '' . $label . '' . wp_strip_all_tags( $old_value ) . '';
 $table .= ( $diff_field || $diff_version || $invalid_parent ) ? '' : '';
- $table .= esc_html( $new_value ) . '';
+ $table .= wp_strip_all_tags( $new_value ) . '';
 }
 $table .= '';
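Review bot: The `(string)` cast on the line `$old_value = $old_value ? (string) $old_value : '-';` in the first hunk assumes `display( $field, false )` returns a scalar; as far as I recall, with markup disabled `WP_Theme::display()` returns an array for list-type headers such as Tags, and casting an array produces the literal string `Array` together with an "Array to string conversion" notice or warning. `$rows` is defined outside the hunk, so whether such a header can reach this loop is not visible here; if it can, `is_array( $old_value ) ? implode( ', ', $old_value ) : (string) $old_value` handles both shapes. The enclosing method starts before and continues past this hunk.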