From aa4f24179e5f730f374bb4e90948977c50a3b86b Mon Sep 17 00:00:00 2001
From: Sergey Biryukov <sergeybiryukov.ru@gmail.com>
Date: Tue, 30 Aug 2022 15:39:45 +0000
Subject: [PATCH] Grouped backports to the 5.2 branch.

- Posts, Post Types: Escape output within `the_meta()`.
- General: Ensure bookmark query limits are numeric.
- Plugins: Escape output in error messages.
- Build/Test Tools: Allow the PHPCS plugin in Composer configuration.

Merges [52412,53958-53960] to the 5.2 branch.
Props tykoted, martinkrcho, xknown, dd32, peterwilsoncc, paulkevan, timothyblynjacobs.

Built from https://develop.svn.wordpress.org/branches/5.2@53971


git-svn-id: http://core.svn.wordpress.org/branches/5.2@53530 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/plugins.php          | 4 ++--
 wp-includes/bookmark.php      | 2 +-
 wp-includes/post-template.php | 7 ++++---
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/wp-admin/plugins.php b/wp-admin/plugins.php
index 916ded7b61..e8cba01503 100644
--- a/wp-admin/plugins.php
+++ b/wp-admin/plugins.php
@@ -486,7 +486,7 @@ if ( ! empty( $invalid ) ) {
 			/* translators: 1: plugin file, 2: error message */
 			__( 'The plugin %1$s has been <strong>deactivated</strong> due to an error: %2$s' ),
 			'<code>' . esc_html( $plugin_file ) . '</code>',
-			$error->get_error_message()
+			esc_html( $error->get_error_message() )
 		);
 		echo '</p></div>';
 	}
@@ -539,7 +539,7 @@ elseif ( isset( $_GET['deleted'] ) ) :
 
 	if ( is_wp_error( $delete_result ) ) :
 		?>
-		<div id="message" class="error notice is-dismissible"><p><?php printf( __( 'Plugin could not be deleted due to an error: %s' ), $delete_result->get_error_message() ); ?></p></div>
+		<div id="message" class="error notice is-dismissible"><p><?php printf( __( 'Plugin could not be deleted due to an error: %s' ), esc_html( $delete_result->get_error_message() ) ); ?></p></div>
 		<?php else : ?>
 		<div id="message" class="updated notice is-dismissible">
 			<p>
diff --git a/wp-includes/bookmark.php b/wp-includes/bookmark.php
index 32499541d4..4a7f8c7df8 100644
--- a/wp-includes/bookmark.php
+++ b/wp-includes/bookmark.php
@@ -292,7 +292,7 @@ function get_bookmarks( $args = '' ) {
 	$query .= " $exclusions $inclusions $search";
 	$query .= " ORDER BY $orderby $order";
 	if ( $r['limit'] != -1 ) {
-		$query .= ' LIMIT ' . $r['limit'];
+		$query .= ' LIMIT ' . absint( $r['limit'] );
 	}
 
 	$results = $wpdb->get_results( $query );
diff --git a/wp-includes/post-template.php b/wp-includes/post-template.php
index 89a20525dd..fb2bb60992 100644
--- a/wp-includes/post-template.php
+++ b/wp-includes/post-template.php
@@ -1075,9 +1075,10 @@ function post_custom( $key = '' ) {
  *
  * @since 1.2.0
  *
- * @internal This will probably change at some point...
+ * @deprecated 6.0.2 Use get_post_meta() to retrieve post meta and render manually.
  */
 function the_meta() {
+	_deprecated_function( __FUNCTION__, '6.0.2', 'get_post_meta()' );
 	if ( $keys = get_post_custom_keys() ) {
 		$li_html = '';
 		foreach ( (array) $keys as $key ) {
@@ -1092,8 +1093,8 @@ function the_meta() {
 			$html = sprintf(
 				"<li><span class='post-meta-key'>%s</span> %s</li>\n",
 				/* translators: %s: Post custom field name */
-				sprintf( _x( '%s:', 'Post custom field name' ), $key ),
-				$value
+				esc_html( sprintf( _x( '%s:', 'Post custom field name' ), $key ) ),
+				esc_html( $value )
 			);
 
 			/**