Escape remotely supplied data just to be safe. (#8477)

Automattic · Jan 8, 2018 · 700dd14 · 700dd14
1 parent bbda3f9
commit 700dd14
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/modules/search/class.jetpack-search.php b/modules/search/class.jetpack-search.php
@@ -114,7 +114,12 @@ public function store_query_failure( $meta ) {
 
 	public function print_query_failure() {
 		if ( $this->last_query_failure_info ) {
-			echo '<!-- Jetpack Search failed with code ' . $this->last_query_failure_info['response_code'] . ': ' . $this->last_query_failure_info['json']['error'] . ' - ' . $this->last_query_failure_info['json']['message'] . ' -->';
+			printf(
+				'<!-- Jetpack Search failed with code %s: %s - %s -->',
+				esc_html( $this->last_query_failure_info['response_code'] ),
+				esc_html( $this->last_query_failure_info['json']['error'] ),
+				esc_html( $this->last_query_failure_info['json']['message'] )
+			);
 		}
 	}
 
@@ -125,7 +130,11 @@ public function store_query_success( $meta ) {
 
 	public function print_query_success() {
 		if ( $this->last_query_info ) {
-			echo '<!-- Jetpack Search took ' . intval( $this->last_query_info['elapsed_time'] ) . ' ms, ES time ' . $this->last_query_info['es_time'] . ' ms -->';
+			printf(
+				'<!-- Jetpack Search took %s ms, ES time %s ms -->',
+				intval( $this->last_query_info['elapsed_time'] ),
+				esc_html( $this->last_query_info['es_time'] )
+			);
 		}
 	}