

Timestamp:
07/12/2020 07:59:00 PM (4 years ago)
Author:
azaozz
Message:

Upgrade/Install: Use wp_strip_all_tags() for the fields in the compare table on the "Update theme/plugin from uploaded zip" screen. Some may contain HTML.

See #9757.

File:
1 edited

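--- a/trunk/src/wp-admin/includes/class-theme-installer-skin.php
+++ b/trunk/src/wp-admin/includes/class-theme-installer-skin.php
@@ -242,7 +242,7 @@
         foreach ( $rows as $field => $label ) {
             $old_value = $current_theme_data->display( $field, false );
-            $old_value = $old_value ? $old_value : '-';
-
-            $new_value = ! empty( $this->upgrader->new_theme_data[ $field ] ) ? $this->upgrader->new_theme_data[ $field ] : '-';
+            $old_value = $old_value ? (string) $old_value : '-';
+
+            $new_value = ! empty( $this->upgrader->new_theme_data[ $field ] ) ? (string) $this->upgrader->new_theme_data[ $field ] : '-';
 
             if ( $old_value === $new_value && '-' === $new_value && 'Template' === $field ) {
@@ -261,7 +261,7 @@
             }
 
-            $table .= '<tr><td class="name-label">' . $label . '</td><td>' . esc_html( $old_value ) . '</td>';
+            $table .= '<tr><td class="name-label">' . $label . '</td><td>' . wp_strip_all_tags( $old_value ) . '</td>';
             $table .= ( $diff_field || $diff_version || $invalid_parent ) ? '<td class="warning">' : '<td>';
-            $table .= esc_html( $new_value ) . '</td></tr>';
+            $table .= wp_strip_all_tags( $new_value ) . '</td></tr>';
         }
 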
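Review bot: `wp_strip_all_tags()` removes markup but does not entity-encode, so on new lines 263 and 265 characters such as `&`, quotes or a `<` that does not form a tag are written into the table cells as-is; these values come from theme headers, including those of the uploaded zip per the commit message. Stripping first and then escaping keeps the readable output and restores encoding for the HTML text context: `esc_html( wp_strip_all_tags( $old_value ) )` and `esc_html( wp_strip_all_tags( $new_value ) )`. The `foreach` body between lines 248 and 261 is outside the visible hunks, so whether `$label` or the compared values are normalised there cannot be confirmed from here.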