Update/Install error messages: do not escape from the template, escape the error message string before inserting it.

Props swissspidy, ocean90. Fixes #37623 for trunk. Built from https://develop.svn.wordpress.org/trunk@38240 git-svn-id: http://core.svn.wordpress.org/trunk@38181 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-08-10 19:03:31 +00:00 · 2016-08-10 19:03:31 +00:00 · 0d4320fcbc
parent df97f83cb6
commit 0d4320fcbc
4 changed files with 4 additions and 4 deletions
--- a/wp-admin/includes/update.php
+++ b/wp-admin/includes/update.php
@ -631,7 +631,7 @@ function maintenance_nag() {
 function wp_print_admin_notice_templates() {
 	?>
 	<script id="tmpl-wp-updates-admin-notice" type="text/html">
-		<div <# if ( data.id ) { #>id="{{ data.id }}"<# } #> class="notice {{ data.className }}"><p>{{ data.message }}</p></div>
+		<div <# if ( data.id ) { #>id="{{ data.id }}"<# } #> class="notice {{ data.className }}"><p>{{{ data.message }}}</p></div>
 	</script>
 	<script id="tmpl-wp-bulk-updates-admin-notice" type="text/html">
 		<div id="{{ data.id }}" class="{{ data.className }} notice <# if ( data.errors ) { #>notice-error<# } else { #>notice-success<# } #>">
--- a/wp-admin/js/updates.js
+++ b/wp-admin/js/updates.js
@ -1608,7 +1608,7 @@
 		wp.updates.addAdminNotice( {
 			id:        'unknown_error',
 			className: 'notice-error is-dismissible',
-			message:   errorMessage
+			message:   _.escape( errorMessage )
 		} );

 		// Remove the lock, and clear the queue.
--- a/wp-admin/js/updates.min.js
+++ b/wp-admin/js/updates.min.js
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.7-alpha-38239';
+$wp_version = '4.7-alpha-38240';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.