From d050700d628ad120b5e144759828757e9068cec4 Mon Sep 17 00:00:00 2001 From: Sergey Biryukov Date: Tue, 30 Aug 2022 15:33:59 +0000 Subject: [PATCH] Grouped backports to the 5.6 branch. - Posts, Post Types: Escape output within `the_meta()`. - General: Ensure bookmark query limits are numeric. - Plugins: Escape output in error messages. - Build/Test Tools: Allow the PHPCS plugin in Composer configuration. Merges [52412,53958-53960] to the 5.6 branch. Props tykoted, martinkrcho, xknown, dd32, peterwilsoncc, paulkevan, timothyblynjacobs. Built from https://develop.svn.wordpress.org/branches/5.6@53967 git-svn-id: http://core.svn.wordpress.org/branches/5.6@53526 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/plugins.php | 4 ++-- wp-includes/bookmark.php | 2 +- wp-includes/post-template.php | 7 ++++--- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/wp-admin/plugins.php b/wp-admin/plugins.php index d8f909a7da..444700acc4 100644 --- a/wp-admin/plugins.php +++ b/wp-admin/plugins.php @@ -610,7 +610,7 @@ if ( ! empty( $invalid ) ) { /* translators: 1: Plugin file, 2: Error message. */ __( 'The plugin %1$s has been deactivated due to an error: %2$s' ), '' . esc_html( $plugin_file ) . '', - $error->get_error_message() + esc_html( $error->get_error_message() ) ); echo '

'; } @@ -672,7 +672,7 @@ elseif ( isset( $_GET['deleted'] ) ) : printf( /* translators: %s: Error message. */ __( 'Plugin could not be deleted due to an error: %s' ), - $delete_result->get_error_message() + esc_html( $delete_result->get_error_message() ) ); ?>

diff --git a/wp-includes/bookmark.php b/wp-includes/bookmark.php index b9cfc63765..feb2c981c0 100644 --- a/wp-includes/bookmark.php +++ b/wp-includes/bookmark.php @@ -307,7 +307,7 @@ function get_bookmarks( $args = '' ) { $query .= " $exclusions $inclusions $search"; $query .= " ORDER BY $orderby $order"; if ( -1 != $parsed_args['limit'] ) { - $query .= ' LIMIT ' . $parsed_args['limit']; + $query .= ' LIMIT ' . absint( $parsed_args['limit'] ); } $results = $wpdb->get_results( $query ); diff --git a/wp-includes/post-template.php b/wp-includes/post-template.php index 0aff64d119..ec60f5d20c 100644 --- a/wp-includes/post-template.php +++ b/wp-includes/post-template.php @@ -1086,9 +1086,10 @@ function post_custom( $key = '' ) { * * @since 1.2.0 * - * @internal This will probably change at some point... + * @deprecated 6.0.2 Use get_post_meta() to retrieve post meta and render manually. */ function the_meta() { + _deprecated_function( __FUNCTION__, '6.0.2', 'get_post_meta()' ); $keys = get_post_custom_keys(); if ( $keys ) { $li_html = ''; @@ -1104,8 +1105,8 @@ function the_meta() { $html = sprintf( "
  • %s %s
    • \n", /* translators: %s: Post custom field name. */ - sprintf( _x( '%s:', 'Post custom field name' ), $key ), - $value + esc_html( sprintf( _x( '%s:', 'Post custom field name' ), $key ) ), + esc_html( $value ) ); /**