Administration: Add missing escaping for CSS classes on the body tag in the admin.

SergeyBiryukov · SergeyBiryukov · commit 3c6184d81cb0 · 2023-05-22T14:14:10.000Z
Follow-up to [5892], [10823], [10868], [18882], [21014], [22000], [48060]. Propos rafiem, costdev, dd32, audrasjb, westonruter, SergeyBiryukov. Fixes #58336. git-svn-id: https://develop.svn.wordpress.org/trunk@55846 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-admin/admin-header.php b/src/wp-admin/admin-header.php
@@ -242,7 +242,7 @@
 $admin_body_classes = apply_filters( 'admin_body_class', '' );
 $admin_body_classes = ltrim( $admin_body_classes . ' ' . $admin_body_class );
 ?>
-<body class="wp-admin wp-core-ui no-js <?php echo $admin_body_classes; ?>">
+<body class="wp-admin wp-core-ui no-js <?php echo esc_attr( $admin_body_classes ); ?>">
 <script type="text/javascript">
 	document.body.className = document.body.className.replace('no-js','js');
 </script>
diff --git a/src/wp-admin/includes/template.php b/src/wp-admin/includes/template.php
@@ -2178,7 +2178,7 @@ function tb_close(){var win=window.dialogArguments||opener||parent||top;win.tb_r
 	$admin_body_classes = apply_filters( 'admin_body_class', '' );
 	$admin_body_classes = ltrim( $admin_body_classes . ' ' . $admin_body_class );
 	?>
-<body <?php echo $admin_body_id; ?>class="wp-admin wp-core-ui no-js iframe <?php echo $admin_body_classes; ?>">
+<body <?php echo $admin_body_id; ?>class="wp-admin wp-core-ui no-js iframe <?php echo esc_attr( $admin_body_classes ); ?>">
 <script type="text/javascript">
 (function(){
 var c = document.body.className;
