Wrong Escaping Function

[chintan1896]

Wrong Escaping Function Was Used in Plugin install File.

[Presskopp]

doesn't look like an error to me. This is the ​translation function used on several places for the same string

wp-admin/freedoms.php:94
wp-admin/includes/plugin-install.php:273
wp-admin/includes/plugin-install.php:700
wp-admin/plugin-install.php:89
wp-admin/plugins.php:550

[dimadin]

__() is function used for translation. In this case, we are allowing translators to change URL (to point to different language version of https://wordpress.org/plugins/, for example https://de.wordpress.org/plugins/, https://sr.wordpress.org/plugins/...).

Output of __() should be escaped. There are some functions that merge translating and escaping functions (esc_attr__(), esc_html__()...).

[henry.wright]

The src attribute value should be escaped. I understand the need to allow translators to change the URL to a different language but a better approach would be to make the URL filterable.

My proposal is this

1. Make the URL filterable and then
2. Escape the src attribute value

[aezazshekh]

Whenever we use URL in the href, it should always be written in the escaping function

[SergeyBiryukov]

Thanks for the patch!

As noted above, we can add esc_url() here, but the __() call should not be removed to allow for the URL to be translated. So I think something like this should work here:

<?php echo esc_url( __( 'https://wordpress.org/plugins/' ) . $api->slug ); ?>

[henry.wright]

+1 to the approach suggested by @SergeyBiryukov

[chintan1896]

Updated Patch

[SergeyBiryukov]

In 52419:

Plugins: Escape the WordPress.org plugin page URL in the Plugin Installation modal.

Follow-up to [8540], [38953].

Props chintan1896, Presskopp, dimadin, henry.wright, aezazshekh, SergeyBiryukov.
Fixes #54362.