From a0a6262f178aa8f33f3ea6cb6f66dd7bdbd73b5b Mon Sep 17 00:00:00 2001
From: Andrew Ozz <azaozz@git.wordpress.org>
Date: Wed, 10 Aug 2016 19:02:09 +0000
Subject: [PATCH] Update/Install error messages: do not escape from the
 template, escape the error message string before inserting it.

Props swissspidy, ocean90.
Fixes #37623 for trunk.

git-svn-id: https://develop.svn.wordpress.org/trunk@38240 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/includes/update.php | 2 +-
 src/wp-admin/js/updates.js       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/wp-admin/includes/update.php b/src/wp-admin/includes/update.php
index 3bc11d8954..74899e37cb 100644
--- a/src/wp-admin/includes/update.php
+++ b/src/wp-admin/includes/update.php
@@ -631,7 +631,7 @@ function maintenance_nag() {
 function wp_print_admin_notice_templates() {
 	?>
 	<script id="tmpl-wp-updates-admin-notice" type="text/html">
-		<div <# if ( data.id ) { #>id="{{ data.id }}"<# } #> class="notice {{ data.className }}"><p>{{ data.message }}</p></div>
+		<div <# if ( data.id ) { #>id="{{ data.id }}"<# } #> class="notice {{ data.className }}"><p>{{{ data.message }}}</p></div>
 	</script>
 	<script id="tmpl-wp-bulk-updates-admin-notice" type="text/html">
 		<div id="{{ data.id }}" class="{{ data.className }} notice <# if ( data.errors ) { #>notice-error<# } else { #>notice-success<# } #>">
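Review bot: Switching `data.message` to the triple-brace form in `tmpl-wp-updates-admin-notice` makes the template print the message as raw HTML, so every caller that fills this template must now escape untrusted text itself. This patch shows only one such call site, the `unknown_error` notice in updates.js; other callers are not visible here and should be checked for messages built from server responses or other untrusted strings. The contract should be written down where the template is defined, for example a line in the docblock of `wp_print_admin_notice_templates()` (which sits above this hunk) such as `* The 'message' value is output unescaped; callers must escape untrusted text.` `data.id` and `data.className` keep the escaping `{{ }}` form and are unaffected.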
diff --git a/src/wp-admin/js/updates.js b/src/wp-admin/js/updates.js
index ac6e2cf960..239829fe32 100644
--- a/src/wp-admin/js/updates.js
+++ b/src/wp-admin/js/updates.js
@@ -1608,7 +1608,7 @@
 		wp.updates.addAdminNotice( {
 			id:        'unknown_error',
 			className: 'notice-error is-dismissible',
-			message:   errorMessage
+			message:   _.escape( errorMessage )
 		} );
 
 		// Remove the lock, and clear the queue.
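Review bot: The `_.escape( errorMessage )` call carries no comment saying that it is load-bearing. The notice template now prints `message` as raw HTML, so a later edit that drops or bypasses this call would let markup in the error string reach the admin page. Add a line above it such as `// The notice template outputs message unescaped, so escape the error text here.` The enclosing function starts and ends outside the hunk, so the origin of `errorMessage` cannot be confirmed from here; if it can carry a server response, this call is the only escaping shown on that path.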