Users: Add missing escaping on the Add New User screen.

While the `$type` and `$label` variables are set to values that do not currently require escaping, this may change in the future, so it is preferable to add the escaping as a defensive coding measure. Follow-up to [16294], [29030]. Props monzuralam, rudlinkon, hztyfoon, peterwilsoncc. Fixes #57133. Built from https://develop.svn.wordpress.org/trunk@54857 git-svn-id: http://core.svn.wordpress.org/trunk@54409 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-11-18 15:21:15 +00:00 · 2022-11-18 15:21:15 +00:00 · 513a8dc17f
parent 95828a9077
commit 513a8dc17f
2 changed files with 3 additions and 3 deletions
--- a/wp-admin/user-new.php
+++ b/wp-admin/user-new.php
@ -442,8 +442,8 @@ if ( is_multisite() && current_user_can( 'promote_users' ) ) {

 <table class="form-table" role="presentation">
 	<tr class="form-field form-required">
-		<th scope="row"><label for="adduser-email"><?php echo $label; ?></label></th>
-		<td><input name="email" type="<?php echo $type; ?>" id="adduser-email" class="wp-suggest-user" value="" /></td>
+		<th scope="row"><label for="adduser-email"><?php echo esc_html( $label ); ?></label></th>
+		<td><input name="email" type="<?php echo esc_attr( $type ); ?>" id="adduser-email" class="wp-suggest-user" value="" /></td>
 	</tr>
 	<tr class="form-field">
 		<th scope="row"><label for="adduser-role"><?php _e( 'Role' ); ?></label></th>
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.2-alpha-54856';
+$wp_version = '6.2-alpha-54857';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.