From 19da2c8b959e7904c552f47d7506251dd9c340f0 Mon Sep 17 00:00:00 2001
From: ryan
Date: Mon, 11 May 2009 04:50:36 +0000
Subject: [PATCH] Sanitize plugin update information. Props hakre, Viper007Bond. fixes #5422
git-svn-id: http://svn.automattic.com/wordpress/trunk@11258 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
wp-admin/includes/update.php | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/wp-admin/includes/update.php b/wp-admin/includes/update.php
index e0ccf1562a..b487f5d284 100644
--- a/wp-admin/includes/update.php
+++ b/wp-admin/includes/update.php
@@ -152,15 +152,18 @@ function wp_plugin_update_row( $file, $plugin_data ) {
 $r = $current->response[ $file ];
+ $plugins_allowedtags = array('a' => array('href' => array(),'title' => array()),'abbr' => array('title' => array()),'acronym' => array('title' => array()),'code' => array(),'em' => array(),'strong' => array());
+ $plugin_name = wp_kses( $plugin_data['Name'], $plugins_allowedtags );
+
 $details_url = admin_url('plugin-install.php?tab=plugin-information&plugin=' . $r->slug . '&TB_iframe=true&width=600&height=800');
 echo '';
 if ( ! current_user_can('update_plugins') )
- printf( __('There is a new version of %1$s available. View version %3$s Details.'), $plugin_data['Name'], $details_url, $r->new_version);
+ printf( __('There is a new version of %1$s available. View version %4$s Details.'), $plugin_name, $details_url, esc_attr($plugin_name), $r->new_version);
 else if ( empty($r->package) )
- printf( __('There is a new version of %1$s available. View version %3$s Details automatic upgrade unavailable for this plugin.'), $plugin_data['Name'], $details_url, $r->new_version);
+ printf( __('There is a new version of %1$s available. View version %4$s Details automatic upgrade unavailable for this plugin.'), $plugin_name, $details_url, esc_attr($plugin_name), $r->new_version);
 else
- printf( __('There is a new version of %1$s available. View version %3$s Details or upgrade automatically.'), $plugin_data['Name'], $details_url, $r->new_version, wp_nonce_url('update.php?action=upgrade-plugin&plugin=' . $file, 'upgrade-plugin_' . $file) );
+ printf( __('There is a new version of %1$s available. View version %4$s Details or upgrade automatically.'), $details_url, $r->new_version, $plugin_nameesc_attr($plugin_name), wp_nonce_url('update.php?action=upgrade-plugin&plugin=' . $file, 'upgrade-plugin_' . $file) );
 do_action( "in_plugin_update_message-$file", $plugin_data, $r );