Sanitize plugin update information

[Viper007Bond]

See ​wp-hackers discussion.

The update data retrieved from WP.org is trusted to be safe and HTML encoded. We shouldn't make this assumption, plus we should to kses the plugin's name.

Attached is a proposed patch. Seems to work okay.

[Denis-de-Bernardy]

+1 to that. See also #7875

[hakre]

+1. putput should be properly encoded / formatted! this is security related and solved, so please fix.

[DD32]

This is also useful for if anyone decides to implement their own version checking, While WordPress trusts WordPress.org, It might not be the case that a non-dot-org update checker may not be as nice..

[hakre]

The patch is pretty old, I will create an update. attr() should be used.

[hakre]

Patch against 2.8 bleeding

[hakre]

wp_nonce_url did not need the attr()

[hakre]

#5422 fixed, kses added as well.

[Denis-de-Bernardy]

patch applies cleanly. clean_url should be used on the urls. else good to go imo.

[Denis-de-Bernardy]

patch is broken

[hakre]

Fixed Patch

[hakre]

Please Check.

[ryan]

(In [11258]) Sanitize plugin update information. Props hakre, Viper007Bond. fixes #5422

[hakre]

Some Fix for invalid entities and little code cleanup.

[hakre]

Some Fix for invalid entities and little code cleanup.

[hakre]

& were not properly handeled. wp_nonce_url does not need it in input and the other three urls needed a esc_attr() to have them.

[Denis-de-Bernardy]

shouldn't clean_url() be used here, rather?

[hakre]

clean_url() can be used, esc_attr() does the job as well: see #9432 .

[azaozz]

(In [11376]) Sanitize plugin update information, props hakre, fixes #5422