From 8d19b10d666e7dbb9b6aff63d936c8e1c9057457 Mon Sep 17 00:00:00 2001
From: Ryan Boren
Date: Mon, 11 May 2009 04:50:36 +0000
Subject: [PATCH] Sanitize plugin update information. Props hakre, Viper007Bond. fixes #5422
git-svn-id: https://develop.svn.wordpress.org/trunk@11258 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-admin/includes/update.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/wp-admin/includes/update.php b/wp-admin/includes/update.php
index e0ccf1562a..b487f5d284 100644
--- a/wp-admin/includes/update.php
+++ b/wp-admin/includes/update.php 
@@ -152,15 +152,18 @@ function wp_plugin_update_row( $file, $plugin_data ) {
 $r = $current->response[ $file ];
+ $plugins_allowedtags = array('a' => array('href' => array(),'title' => array()),'abbr' => array('title' => array()),'acronym' => array('title' => array()),'code' => array(),'em' => array(),'strong' => array());
+ $plugin_name = wp_kses( $plugin_data['Name'], $plugins_allowedtags );
+
 $details_url = admin_url('plugin-install.php?tab=plugin-information&plugin=' . $r->slug . '&TB_iframe=true&width=600&height=800');
 echo '';
 if ( ! current_user_can('update_plugins') )
- printf( __('There is a new version of %1$s available. View version %3$s Details.'), $plugin_data['Name'], $details_url, $r->new_version);
+ printf( __('There is a new version of %1$s available. View version %4$s Details.'), $plugin_name, $details_url, esc_attr($plugin_name), $r->new_version);
 else if ( empty($r->package) )
- printf( __('There is a new version of %1$s available. View version %3$s Details automatic upgrade unavailable for this plugin.'), $plugin_data['Name'], $details_url, $r->new_version);
+ printf( __('There is a new version of %1$s available. View version %4$s Details automatic upgrade unavailable for this plugin.'), $plugin_name, $details_url, esc_attr($plugin_name), $r->new_version);
 else
- printf( __('There is a new version of %1$s available. View version %3$s Details or upgrade automatically.'), $plugin_data['Name'], $details_url, $r->new_version, wp_nonce_url('update.php?action=upgrade-plugin&plugin=' . $file, 'upgrade-plugin_' . $file) );
+ printf( __('There is a new version of %1$s available. View version %4$s Details or upgrade automatically.'), $details_url, $r->new_version, $plugin_nameesc_attr($plugin_name), wp_nonce_url('update.php?action=upgrade-plugin&plugin=' . $file, 'upgrade-plugin_' . $file) );
 do_action( "in_plugin_update_message-$file", $plugin_data, $r );