Update/Install error messages: do not escape from the template, escape the error message string before inserting it.

Props swissspidy, ocean90. Fixes #37623 for trunk. git-svn-id: https://develop.svn.wordpress.org/trunk@38240 602fd350-edb4-49c9-b593-d223f7449a82
2016-08-10 19:02:09 +00:00 · 2016-08-10 19:02:09 +00:00 · a0a6262f17
commit a0a6262f17
parent a9717f8ef0
2 changed files with 2 additions and 2 deletions
--- a/src/wp-admin/includes/update.php
+++ b/src/wp-admin/includes/update.php
@ -631,7 +631,7 @@ function maintenance_nag() {
 function wp_print_admin_notice_templates() {
 	?>
 	<script id="tmpl-wp-updates-admin-notice" type="text/html">
-		<div <# if ( data.id ) { #>id="{{ data.id }}"<# } #> class="notice {{ data.className }}"><p>{{ data.message }}</p></div>
+		<div <# if ( data.id ) { #>id="{{ data.id }}"<# } #> class="notice {{ data.className }}"><p>{{{ data.message }}}</p></div>
 	</script>
 	<script id="tmpl-wp-bulk-updates-admin-notice" type="text/html">
 		<div id="{{ data.id }}" class="{{ data.className }} notice <# if ( data.errors ) { #>notice-error<# } else { #>notice-success<# } #>">
--- a/src/wp-admin/js/updates.js
+++ b/src/wp-admin/js/updates.js
@ -1608,7 +1608,7 @@
 		wp.updates.addAdminNotice( {
 			id:        'unknown_error',
 			className: 'notice-error is-dismissible',
-			message:   errorMessage
+			message:   _.escape( errorMessage )
 		} );

 		// Remove the lock, and clear the queue.