Ticket #63071: 63071.2.patch

src/wp-admin/includes/class-wp-screen.php

@@ -896 +896 @@
 
                                         <?php if ( $help_sidebar ) : ?>
                                         <div class="contextual-help-sidebar">
-                                                <?php echo $help_sidebar; ?>
+                                                <?php echo wp_kses_post( $help_sidebar ); ?>
                                         </div>
                                         <?php endif; ?>
 
@@ -910 +910 @@
                                                         <div id="<?php echo esc_attr( $panel_id ); ?>" class="<?php echo $classes; ?>">
                                                                 <?php
                                                                 // Print tab content.
-                                                                echo $tab['content'];
+                                                                echo wp_kses_post( $tab['content'] );
 
                                                                 // If it exists, fire tab callback.
                                                                 if ( ! empty( $tab['callback'] ) ) {

src/wp-admin/includes/dashboard.php

@@ -435 +435 @@
         if ( ! empty( $actions ) ) :
                 ?>
         <div class="sub">
-                <?php echo $actions; ?>
+                <?php echo wp_kses_post( $actions ); ?>
         </div>
                 <?php
         endif;