Ensure post titles are correctly escaped on the Dashboard.

Props helen, ocean90, dd32, pento. Built from https://develop.svn.wordpress.org/trunk@32175 git-svn-id: http://core.svn.wordpress.org/trunk@32150 1a063a9b-81f0-0310-95a4-ce76da25c4cd
ezos86 · Apr 20, 2015 · e3f1f8f · e3f1f8f
1 parent 2bb5d85
commit e3f1f8f
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 8 deletions.
diff --git a/wp-admin/includes/class-wp-comments-list-table.php b/wp-admin/includes/class-wp-comments-list-table.php
@@ -561,9 +561,9 @@ public function column_response() {
 
 		if ( current_user_can( 'edit_post', $post->ID ) ) {
 			$post_link = "<a href='" . get_edit_post_link( $post->ID ) . "'>";
-			$post_link .= get_the_title( $post->ID ) . '</a>';
+			$post_link .= esc_html( get_the_title( $post->ID ) ) . '</a>';
 		} else {
-			$post_link = get_the_title( $post->ID );
+			$post_link = esc_html( get_the_title( $post->ID ) );
 		}
 
 		echo '<div class="response-links"><span class="post-com-count-wrapper">';

diff --git a/wp-admin/includes/dashboard.php b/wp-admin/includes/dashboard.php
@@ -520,7 +520,7 @@ function wp_dashboard_recent_drafts( $drafts = false ) {
 function _wp_dashboard_recent_comments_row( &$comment, $show_date = true ) {
 	$GLOBALS['comment'] =& $comment;
 
-	$comment_post_title = strip_tags(get_the_title( $comment->comment_post_ID ));
+	$comment_post_title = _draft_or_post_title( $comment->comment_post_ID );
 
 	if ( current_user_can( 'edit_post', $comment->comment_post_ID ) ) {
 		$comment_post_url = get_edit_post_link( $comment->comment_post_ID );

diff --git a/wp-admin/includes/template.php b/wp-admin/includes/template.php
@@ -1556,7 +1556,7 @@ function _draft_or_post_title( $post = 0 ) {
 	$title = get_the_title( $post );
 	if ( empty( $title ) )
 		$title = __( '(no title)' );
-	return $title;
+	return esc_html( $title );
 }
 
 /**

diff --git a/wp-admin/js/nav-menu.js b/wp-admin/js/nav-menu.js
@@ -463,14 +463,14 @@ var wpNavMenu;
 			if ( ! isPrimaryMenuItem ) {
 				thisLink = menuItem.find( '.menus-move-left' ),
 				thisLinkText = menus.outFrom.replace( '%s', prevItemNameLeft );
-				thisLink.prop( 'title', menus.moveOutFrom.replace( '%s', prevItemNameLeft ) ).html( thisLinkText ).css( 'display', 'inline' );
+				thisLink.prop( 'title', menus.moveOutFrom.replace( '%s', prevItemNameLeft ) ).text( thisLinkText ).css( 'display', 'inline' );
 			}
 
 			if ( 0 !== position ) {
 				if ( menuItem.find( '.menu-item-data-parent-id' ).val() !== menuItem.prev().find( '.menu-item-data-db-id' ).val() ) {
 					thisLink = menuItem.find( '.menus-move-right' ),
 					thisLinkText = menus.under.replace( '%s', prevItemNameRight );
-					thisLink.prop( 'title', menus.moveUnder.replace( '%s', prevItemNameRight ) ).html( thisLinkText ).css( 'display', 'inline' );
+					thisLink.prop( 'title', menus.moveUnder.replace( '%s', prevItemNameRight ) ).text( thisLinkText ).css( 'display', 'inline' );
 				}
 			}
 

diff --git a/wp-admin/js/nav-menu.min.js b/wp-admin/js/nav-menu.min.js
diff --git a/wp-includes/version.php b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.2-RC1-32173';
+$wp_version = '4.2-RC1-32175';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.