From da3f89485af7cec666d1d294c10ccdfa6af88e5a Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Tue, 30 Aug 2022 15:15:09 +0000
Subject: [PATCH] Posts, Post Types: Escape output within `the_meta()`. Convert markup to entities when displaying on the front end. Deprecates `the_meta()` in favor of `get_post_meta()`. Props tykoted, martinkrcho, xknown, dd32, peterwilsoncc, paulkevan, timothyblynjacobs. Built from https://develop.svn.wordpress.org/trunk@53958 git-svn-id: http://core.svn.wordpress.org/trunk@53517 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/post-template.php | 7 ++++---
 wp-includes/version.php | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/wp-includes/post-template.php b/wp-includes/post-template.php
index 15d2777191..9f12a2aefb 100644
--- a/wp-includes/post-template.php
+++ b/wp-includes/post-template.php
@@ -1090,9 +1090,10 @@ function post_custom( $key = '' ) {
 *
 * @since 1.2.0
 *
- * @internal This will probably change at some point...
+ * @deprecated 6.0.2 Use get_post_meta() to retrieve post meta and render manually.
 */
 function the_meta() {
+ _deprecated_function( __FUNCTION__, '6.0.2', 'get_post_meta()' );
 $keys = get_post_custom_keys();
 if ( $keys ) {
 $li_html = '';
@@ -1108,8 +1109,8 @@ function the_meta() {
 $html = sprintf( "
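Review bot: The new `@deprecated` line in the `the_meta()` docblock tells callers to "render manually" but does not say the retrieved values must be escaped, so code migrating to `get_post_meta()` can end up printing custom field content unescaped again. I would word it as `@deprecated 6.0.2 Use get_post_meta() to retrieve post meta and render manually, escaping each value for its output context (e.g. esc_html()).` The docblock opens above the hunk and the function body continues past it.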
  • %s
  • \n",
 /* translators: %s: Post custom field name. */
- sprintf( _x( '%s:', 'Post custom field name' ), $key ),
- $value
+ esc_html( sprintf( _x( '%s:', 'Post custom field name' ), $key ) ),
+ esc_html( $value )
 );
 /**
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 10cd00f425..8e9bee69cd 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.1-alpha-53957';
+$wp_version = '6.1-alpha-53958';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
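Review bot: The two `esc_html()` calls added to the `sprintf()` arguments in `the_meta()` have no why-comment, and nothing in the visible docblocks records that `$html` is now escaped while `$key` and `$value` stay raw. A line placed above the translators comment (so string extraction is unaffected) would keep the escaping from being dropped in a later cleanup: `// Custom field names and values may contain markup; escape both for HTML text context.` The docblock that opens right after the hunk (`/**`) presumably documents a filter on `$html`, but it lies outside the hunk. If that filter also receives the raw `$key` and `$value`, its docblock should say that only `$html` is escaped, so callbacks that rebuild the list item escape those values themselves.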