Ticket #58831: 58831.patch

src/wp-admin/includes/class-wp-screen.php

@@ -882 +882 @@
                                                         $panel_id = "tab-panel-{$tab['id']}";
                                                         ?>
 
-                                                        <li id="<?php echo esc_attr( $link_id ); ?>"<?php echo $class; ?>>
+                                                        <li id="<?php echo esc_attr( $link_id ); ?>"<?php echo esc_attr( $class ); ?>>
                                                                 <a href="<?php echo esc_url( "#$panel_id" ); ?>" aria-controls="<?php echo esc_attr( $panel_id ); ?>">
                                                                         <?php echo esc_html( $tab['title'] ); ?>
                                                                 </a>
@@ -896 +896 @@
 
                                         <?php if ( $help_sidebar ) : ?>
                                         <div class="contextual-help-sidebar">
-                                                <?php echo $help_sidebar; ?>
+                                                <?php echo esc_html( $help_sidebar ); ?>
                                         </div>
                                         <?php endif; ?>
 
@@ -907 +907 @@
                                                         $panel_id = "tab-panel-{$tab['id']}";
                                                         ?>
 
-                                                        <div id="<?php echo esc_attr( $panel_id ); ?>" class="<?php echo $classes; ?>">
+                                                        <div id="<?php echo esc_attr( $panel_id ); ?>" class="<?php echo esc_attr( $classes ); ?>">
                                                                 <?php
                                                                 // Print tab content.
-                                                                echo $tab['content'];
+                                                                echo esc_html( $tab['content'] );
 
                                                                 // If it exists, fire tab callback.
                                                                 if ( ! empty( $tab['callback'] ) ) {
@@ -1160 +1160 @@
                 $legend = ! empty( $columns['_title'] ) ? $columns['_title'] : __( 'Columns' );
                 ?>
                 <fieldset class="metabox-prefs">
-                <legend><?php echo $legend; ?></legend>
+                <legend><?php echo esc_html( $legend ); ?></legend>
                 <?php
                 $special = array( '_title', 'cb', 'comment', 'media', 'name', 'title', 'username', 'blogname' );
 
@@ -1183 +1183 @@
 
                         $id = "$column-hide";
                         echo '<label>';
-                        echo '<input class="hide-column-tog" name="' . $id . '" type="checkbox" id="' . $id . '" value="' . $column . '"' . checked( ! in_array( $column, $hidden, true ), true, false ) . ' />';
+                        echo '<input class="hide-column-tog" name="' . esc_attr( $id ) . '" type="checkbox" id="' . esc_attr( $id ) . '" value="' . esc_attr( $column ) . '"' . checked( ! in_array( $column, $hidden, true ), true, false ) . ' />';
                         echo "$title</label>\n";
                 }
                 ?>