From 769521ceae6b4df915b0b39db5a5492102ebab13 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Tue, 30 Aug 2022 15:28:32 +0000
Subject: [PATCH] Grouped backports to the 5.8 branch.
- Posts, Post Types: Escape output within `the_meta()`.
- General: Ensure bookmark query limits are numeric.
- Plugins: Escape output in error messages.
- Build/Test Tools: Allow the PHPCS plugin in Composer configuration.
Merges [52412,53958-53960] to the 5.8 branch.
Props tykoted, martinkrcho, xknown, dd32, peterwilsoncc, paulkevan, timothyblynjacobs.
git-svn-id: https://develop.svn.wordpress.org/branches/5.8@53965 602fd350-edb4-49c9-b593-d223f7449a82
---
 composer.json | 5 +++++
 src/wp-admin/plugins.php | 4 ++--
 src/wp-includes/bookmark.php | 2 +-
 src/wp-includes/post-template.php | 7 ++++---
 4 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/composer.json b/composer.json
index 430c1069eb..615b60866f 100644
--- a/composer.json
+++ b/composer.json
@@ -33,6 +33,11 @@
 "vendor/phpunit/phpunit/src/Framework/MockObject/MockMethod.php"
 ]
 },
+ "config": {
+ "allow-plugins": {
+ "dealerdirect/phpcodesniffer-composer-installer": true
+ }
+ },
 "scripts": {
 "compat": "@php ./vendor/squizlabs/php_codesniffer/bin/phpcs --standard=phpcompat.xml.dist --report=summary,source",
 "format": "@php ./vendor/squizlabs/php_codesniffer/bin/phpcbf --report=summary,source",
diff --git a/src/wp-admin/plugins.php b/src/wp-admin/plugins.php
index 70abe322ed..a41788ea8c 100644
--- a/src/wp-admin/plugins.php
+++ b/src/wp-admin/plugins.php
@@ -610,7 +610,7 @@ if ( ! empty( $invalid ) ) {
 /* translators: 1: Plugin file, 2: Error message. */
 __( 'The plugin %1$s has been deactivated due to an error: %2$s' ),
 '' . esc_html( $plugin_file ) . '',
- $error->get_error_message()
+ esc_html( $error->get_error_message() )
 );
 echo '
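Review bot: The new `allow-plugins` entry grants `dealerdirect/phpcodesniffer-composer-installer` the right to execute code during every `composer install`, and the version that code comes from is pinned in the lock file, which is not part of this change. Strict JSON has nowhere to leave a comment, so the caveat belongs in the contributor docs or commit message: the plugin is allowlisted by name only, and bumping it should be reviewed like a code change rather than a dependency refresh. Because the allowlist is explicit, Composer's default of refusing every unlisted plugin still applies to the rest of the tree, which is the right posture.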

';
 }
@@ -674,7 +674,7 @@ elseif ( isset( $_GET['deleted'] ) ) :
 printf(
 /* translators: %s: Error message. */
 __( 'Plugin could not be deleted due to an error: %s' ),
- $delete_result->get_error_message()
+ esc_html( $delete_result->get_error_message() )
 );
 ?>
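Review bot: `esc_html()` on `$error->get_error_message()` is the correct escape for this HTML text context, but it also turns any WP_Error message that deliberately carries markup (a `<code>` around a path, a link to the plugin page) into literal tags; if some of those messages need formatting, `wp_kses( $error->get_error_message(), array( 'code' => array(), 'a' => array( 'href' => true ) ) )` keeps it while still neutralising scripts. As before, only the first message on the WP_Error object is printed. The context line `'' . esc_html( $plugin_file ) . ''` looks like its wrapping tags were lost in this rendering rather than removed by the change. The `foreach` over `$invalid` and the `printf(` call that this hunk sits in begin outside the hunk.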
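Review bot: The same `esc_html()` wrap is applied to `$delete_result->get_error_message()`, but `$delete_result` is populated above the hunk and is not visible here; a reviewer should confirm that an `is_wp_error( $delete_result )` guard still precedes this `printf`, since calling `get_error_message()` on a non-object would be fatal under PHP 8. Any intentional markup in the delete error message is now shown literally, as in the activation-error hunk, and a `wp_kses()` allowlist is the alternative if that matters. The `elseif` branch and its surrounding markup begin and end outside the hunk.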

diff --git a/src/wp-includes/bookmark.php b/src/wp-includes/bookmark.php
index f46ae93b54..cee56d7d21 100644
--- a/src/wp-includes/bookmark.php
+++ b/src/wp-includes/bookmark.php
@@ -307,7 +307,7 @@ function get_bookmarks( $args = '' ) {
 $query .= " $exclusions $inclusions $search";
 $query .= " ORDER BY $orderby $order";
 if ( -1 != $parsed_args['limit'] ) {
- $query .= ' LIMIT ' . $parsed_args['limit'];
+ $query .= ' LIMIT ' . absint( $parsed_args['limit'] );
 }
 $results = $wpdb->get_results( $query );
diff --git a/src/wp-includes/post-template.php b/src/wp-includes/post-template.php
index 64df897518..242e5a592c 100644
--- a/src/wp-includes/post-template.php
+++ b/src/wp-includes/post-template.php
@@ -1088,9 +1088,10 @@ function post_custom( $key = '' ) {
 *
 * @since 1.2.0
 *
- * @internal This will probably change at some point...
+ * @deprecated 6.0.2 Use get_post_meta() to retrieve post meta and render manually.
 */
 function the_meta() {
+ _deprecated_function( __FUNCTION__, '6.0.2', 'get_post_meta()' );
 $keys = get_post_custom_keys();
 if ( $keys ) {
 $li_html = '';
@@ -1106,8 +1107,8 @@ function the_meta() {
 $html = sprintf(
 "
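Review bot: `absint()` closes the injection path for `LIMIT`, but it quietly changes what invalid limits do: a non-numeric or empty `limit` still passes the loose `-1 != $parsed_args['limit']` gate on the line above and now produces `LIMIT 0`, returning no bookmarks, while a negative value such as `-5` becomes `LIMIT 5` instead of failing. If that is the intended behaviour it deserves a comment at the point of coercion, e.g. `// Interpolated into SQL: coerce to a non-negative integer; anything but -1 is a hard limit.`, and the gate itself would be clearer as the strict `if ( -1 !== (int) $parsed_args['limit'] ) {`. The `$exclusions`, `$inclusions`, `$search`, `$orderby` and `$order` fragments on the two context lines above are concatenated the same way; their validation happens earlier in `get_bookmarks()`, outside the hunk, so this change only covers the limit. `get_bookmarks()` begins and ends outside the hunk.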
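Review bot: The `@deprecated 6.0.2` tag and the `'6.0.2'` passed to `_deprecated_function()` are trunk release numbers, but this commit lands on the 5.8 branch, so a 5.8.x site running with `WP_DEBUG` will report `the_meta()` as deprecated since a version it has never run; if that is the project's backport convention it is worth one sentence in the docblock, otherwise the tag should name the first 5.8.x release that carries it. The replacement advice is also slightly misleading, since `get_post_meta()` returns data and prints nothing; the line could read `@deprecated 6.0.2 Use get_post_meta() to retrieve post meta, then escape and render it yourself; the_meta() no longer outputs raw values.` The body of `the_meta()` continues past the hunk.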
  • %s
  • \n",
 /* translators: %s: Post custom field name. */
- sprintf( _x( '%s:', 'Post custom field name' ), $key ),
- $value
+ esc_html( sprintf( _x( '%s:', 'Post custom field name' ), $key ) ),
+ esc_html( $value )
 );
 /**
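Review bot: Escaping `$value` fixes the direct output, but the `/**` that closes the hunk appears to open the docblock of a filter applied to `$html` further down, outside the hunk; if that filter still receives the raw `$key` and `$value` as extra arguments, a callback that rebuilds the list item from them re-introduces exactly the unescaped output this change removes, so that filter's `@param` lines should state that `$key` and `$value` are unescaped and that any markup the callback returns must be escaped by the callback. Wrapping the whole `sprintf()` rather than only `$key` also escapes the translated `'%s:'` template, which is the safer choice but means translations cannot carry markup; a comment such as `// Escape after sprintf() so the translation cannot introduce markup either.` records that this is deliberate. How `$value` is assembled above the hunk, and where `$html` is accumulated below it, are outside the visible lines.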