Changeset 38241

Timestamp:

08/10/2016 07:05:02 PM (7 years ago)

Author:

azaozz

Message:

Update/Install error messages: do not escape from the template, escape the error message string before inserting it.

Props swissspidy, ocean90.
Fixes #37623 for 4.6.

Location:

branches/4.6/src/wp-admin

Files:

• includes/update.php (modified) (1 diff)
• js/updates.js (modified) (1 diff)

branches/4.6/src/wp-admin/includes/update.php

@@ -632 +632 @@
     ?>
     <script id="tmpl-wp-updates-admin-notice" type="text/html">
-        <div <# if ( data.id ) { #>id="{{ data.id }}"<# } #> class="notice {{ data.className }}"><p>{{ data.message }}</p></div>
+        <div <# if ( data.id ) { #>id="{{ data.id }}"<# } #> class="notice {{ data.className }}"><p>{{{ data.message }}}</p></div>
     </script>
     <script id="tmpl-wp-bulk-updates-admin-notice" type="text/html">

branches/4.6/src/wp-admin/js/updates.js

@@ -1609 +1609 @@
             id:        'unknown_error',
             className: 'notice-error is-dismissible',
-            message:   errorMessage
+            message:   _.escape( errorMessage )
         } );