From f61e5ec2e525b978ffb992437ce2c048ae8832c6 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Tue, 30 Aug 2022 15:17:21 +0000
Subject: [PATCH] Posts, Post Types: Escape output within `the_meta()`.
Convert markup to entities when displaying on the front end.
Deprecates `the_meta()` in favor of `get_post_meta()`.
Props tykoted, martinkrcho, xknown, dd32, peterwilsoncc, paulkevan, timothyblynjacobs.
Merges [53958] to the 6.0 branch.
git-svn-id: https://develop.svn.wordpress.org/branches/6.0@53961 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/post-template.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/wp-includes/post-template.php b/src/wp-includes/post-template.php
index ccb13c99b5..1c01eea83b 100644
--- a/src/wp-includes/post-template.php
+++ b/src/wp-includes/post-template.php
@@ -1088,9 +1088,10 @@ function post_custom( $key = '' ) {
 *
 * @since 1.2.0
 *
- * @internal This will probably change at some point...
+ * @deprecated 6.0.2 Use get_post_meta() to retrieve post meta and render manually.
 */
 function the_meta() {
+ _deprecated_function( __FUNCTION__, '6.0.2', 'get_post_meta()' );
 $keys = get_post_custom_keys();
 if ( $keys ) {
 $li_html = '';
@@ -1106,8 +1107,8 @@ function the_meta() {
 $html = sprintf(
 "
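Review bot: The new `@deprecated` line tells callers to "render manually" but never says the retrieved keys and values must be escaped, which is the very reason this function is being changed. A theme author who follows the advice literally and echoes what `get_post_meta()` returns would reproduce the unescaped output this commit removes. I would word it as `@deprecated 6.0.2 Use get_post_meta() to retrieve post meta and render manually, escaping keys and values for the output context.` The docblock starts above the hunk and the function body continues below it, so the rest of both is not visible here.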
  • %s
  • \n",
 /* translators: %s: Post custom field name. */
- sprintf( _x( '%s:', 'Post custom field name' ), $key ),
- $value
+ esc_html( sprintf( _x( '%s:', 'Post custom field name' ), $key ) ),
+ esc_html( $value )
 );
 
 /**
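Review bot: The two `esc_html()` calls protect only the string assembled by `sprintf()`, and nothing in the hunk documents that for whatever consumes `$html` next. The docblock that opens on the last line looks like it introduces a filter on that string, but its call is outside the hunk. If that filter also hands the raw `$key` and `$value` to callbacks, a callback that rebuilds the list item from them would bypass the escaping, so its docblock should state that `$html` is already escaped and the other arguments are not. The diffstat shows only `post-template.php` changed; a regression test asserting that a custom field value containing markup is emitted as entities would keep this fix from being silently undone.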