From a48f01b3c4eaec67e5ac1ed9a721a8fe9e6381a4 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Tue, 30 Aug 2022 15:46:22 +0000
Subject: [PATCH] Grouped backports to the 4.7 branch.
- Posts, Post Types: Escape output within `the_meta()`.
- General: Ensure bookmark query limits are numeric.
- Plugins: Escape output in error messages.
Merges [53958-53960] to the 4.7 branch.
Props tykoted, martinkrcho, xknown, dd32, peterwilsoncc, paulkevan, timothyblynjacobs.
Built from https://develop.svn.wordpress.org/branches/4.7@53976
git-svn-id: http://core.svn.wordpress.org/branches/4.7@53535 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
wp-admin/plugins.php | 4 ++--
wp-includes/bookmark.php | 2 +-
wp-includes/post-template.php | 6 +++---
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/wp-admin/plugins.php b/wp-admin/plugins.php
index 28e9f0737e..ced46664d8 100644
--- a/wp-admin/plugins.php
+++ b/wp-admin/plugins.php
@@ -437,7 +437,7 @@ if ( ! empty( $invalid ) ) {
/* translators: 1: plugin file 2: error message */
__( 'The plugin %1$s has been deactivated due to an error: %2$s' ),
'' . esc_html( $plugin_file ) . '
',
- $error->get_error_message() );
+ esc_html( $error->get_error_message() ) );
echo '
';
}
}
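Review bot: Wrapping `$error->get_error_message()` in `esc_html()` at the printf argument means any markup a WP_Error message carries on purpose (a link, emphasis) will now be shown as literal text. If limited markup must survive, `wp_kses()` with a small allow-list would keep the output bounded; otherwise a short why-comment such as `// Error text may come from plugin code or data; escape before output.` would stop a later edit from removing the call. The same applies to the `get_error_message()` call wrapped in the hunk at -472, whose lines are only partly visible here. The enclosing `if ( ! empty( $invalid ) )` block starts outside the hunk.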
@@ -472,7 +472,7 @@ if ( ! empty( $invalid ) ) {
delete_transient( 'plugins_delete_result_' . $user_ID );
if ( is_wp_error($delete_result) ) : ?>
- get_error_message() ); ?>
+ get_error_message() ) ); ?>
diff --git a/wp-includes/bookmark.php b/wp-includes/bookmark.php
index 718760be98..798b535c72 100644
--- a/wp-includes/bookmark.php
+++ b/wp-includes/bookmark.php
@@ -282,7 +282,7 @@ function get_bookmarks( $args = '' ) {
$query .= " $exclusions $inclusions $search";
$query .= " ORDER BY $orderby $order";
if ( $r['limit'] != -1 ) {
- $query .= ' LIMIT ' . $r['limit'];
+ $query .= ' LIMIT ' . absint( $r['limit'] );
}
$results = $wpdb->get_results( $query );
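Review bot: The guard `$r['limit'] != -1` still tests the raw value while the query now receives `absint( $r['limit'] )`, so the value checked and the value emitted can differ. A negative limit other than -1 becomes a positive LIMIT, and a non-numeric string becomes `LIMIT 0` and silently returns no rows. Normalising once before the guard keeps the two in step, e.g. `$limit = (int) $r['limit'];` followed by `if ( $limit > 0 ) { $query .= ' LIMIT ' . $limit; }`; this would treat 0 as "no limit", so confirm which behaviour is intended. The `$orderby`, `$order`, `$exclusions`, `$inclusions` and `$search` fragments are also concatenated into the query, but they are built outside this hunk, so their sanitisation cannot be confirmed from here. get_bookmarks() starts and ends outside the hunk.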
diff --git a/wp-includes/post-template.php b/wp-includes/post-template.php
index 79002ff9ca..b7a53e538e 100644
--- a/wp-includes/post-template.php
+++ b/wp-includes/post-template.php
@@ -994,10 +994,10 @@ function post_custom( $key = '' ) {
*
* @since 1.2.0
*
- * @internal This will probably change at some point...
- *
+ * @deprecated 6.0.2 Use get_post_meta() to retrieve post meta and render manually.
*/
function the_meta() {
+ _deprecated_function( __FUNCTION__, '6.0.2', 'get_post_meta()' );
if ( $keys = get_post_custom_keys() ) {
echo "
\n";
foreach ( (array) $keys as $key ) {
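Review bot: The new `@deprecated` line tells callers to "render manually" but does not say that meta keys and values may hold untrusted content and need escaping, which the commit subject gives as the reason for this change. Suggest `@deprecated 6.0.2 Use get_post_meta() to retrieve post meta and render manually, escaping keys and values with esc_html().` Separately, `_deprecated_function()` is passed `'6.0.2'` on the 4.7 branch, so the notice will cite a version later than the one installed. That is presumably intentional for a backport, but a one-line comment saying so would help. the_meta() continues past the end of this hunk.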
@@ -1016,7 +1016,7 @@ function the_meta() {
* @param string $key Meta key.
* @param string $value Meta value.
*/
- echo apply_filters( 'the_meta_key', "- $key: $value
\n", $key, $value );
+ echo apply_filters( 'the_meta_key', "- " . esc_html( $key ) . ":" . esc_html( $value ) . "
\n", $key, $value );
}
echo "
\n";
}
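Review bot: The `the_meta_key` filter still receives the raw `$key` and `$value` as its second and third arguments, and its return value is echoed as-is. A callback that rebuilds the list item from those arguments therefore bypasses the new `esc_html()` calls. The filter docblock should say so, e.g. `@param string $key Meta key, unescaped; escape before output.` and the same for `$value`. If callbacks are not expected to return arbitrary markup, passing the filtered string through `wp_kses_post()` before `echo` would bound what can be emitted. The filter docblock and the_meta() both begin outside this hunk.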