Timestamp:
07/12/2020 07:59:00 PM (4 years ago)
Author:
azaozz
Message:

Upgrade/Install: Use wp_strip_all_tags() for the fields in the compare table on the "Update theme/plugin from uploaded zip" screen. Some may contain HTML.

See #9757.

File:
1 edited

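--- a/trunk/src/wp-admin/includes/class-plugin-installer-skin.php
+++ b/trunk/src/wp-admin/includes/class-plugin-installer-skin.php
@@ -218,6 +218,6 @@
 
         foreach ( $rows as $field => $label ) {
-            $old_value = ! empty( $current_plugin_data[ $field ] ) ? $current_plugin_data[ $field ] : '-';
-            $new_value = ! empty( $this->upgrader->new_plugin_data[ $field ] ) ? $this->upgrader->new_plugin_data[ $field ] : '-';
+            $old_value = ! empty( $current_plugin_data[ $field ] ) ? (string) $current_plugin_data[ $field ] : '-';
+            $new_value = ! empty( $this->upgrader->new_plugin_data[ $field ] ) ? (string) $this->upgrader->new_plugin_data[ $field ] : '-';
 
             $is_same_plugin = $is_same_plugin && ( $old_value === $new_value );
@@ -226,7 +226,7 @@
             $diff_version = ( 'Version' === $field && $this->is_downgrading );
 
-            $table .= '<tr><td class="name-label">' . $label . '</td><td>' . esc_html( $old_value ) . '</td>';
+            $table .= '<tr><td class="name-label">' . $label . '</td><td>' . wp_strip_all_tags( $old_value ) . '</td>';
             $table .= ( $diff_field || $diff_version ) ? '<td class="warning">' : '<td>';
-            $table .= esc_html( $new_value ) . '</td></tr>';
+            $table .= wp_strip_all_tags( $new_value ) . '</td></tr>';
         }
 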
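Review bot: `wp_strip_all_tags()` on new lines 228 and 230 removes markup but is not an output-escaping function, and the header values being printed come from the uploaded package, so they should be treated as untrusted. Characters that tag stripping leaves alone (`&`, quotes, a stray `>`) now reach the table cell unescaped, where `esc_html()` previously encoded them. Stripping first and then escaping keeps the cleaner display without dropping the escaping step: `'</td><td>' . esc_html( wp_strip_all_tags( $old_value ) ) . '</td>'` and `$table .= esc_html( wp_strip_all_tags( $new_value ) ) . '</td></tr>';`. The enclosing method starts and ends outside the lines shown, so whether `$label` is escaped elsewhere cannot be confirmed from here.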