get_template_part() should let you specify a directory
|Reported by:||aaroncampbell||Owned by:||westi|
|Severity:||normal||Keywords:||has-patch westi-likes needs-unit-tests 2nd-opinion|
|Cc:||me@…, sorich87@…, aaroncampbell, gruvii, Ken@…, kwight@…, eddie.moya+wptrac@…, xoodrew@…, MZAWeb, wordpress@…, navjotjsingh@…, sethmatics, ben@…, dromsey@…, kovshenin, retlehs|
IT would be nice for get_template_part() to allow you to specify a directory to look for a file in. Right now you actually *can* do this, but it requires passing a 'slug' to the function like directory/slug. Since everywhere else in the code slugs are sanitized, this seems like an unexpected way to allow this functionality (I didn't realize this worked until @nacin pointed it out). Since this slug isn't actually sanitized at all, you can currently do get_template_part( '../../../test' ); which seems rather unsafe (get_template_part should be able to include from outside the themes directory).
I suggest sanitizing $slug and adding a third [optional] parameter that allows you to specify the directory to look in. The directory parameter should be sanitized enough to not allow it to start with a . or a / (although this more likely belongs in locate_template() as something done to $template_name inside the foreach).
What does everyone think about this approach?
How many themes do we think are currently using the $slug parameter to specify a directory?
Right now the optional $name parameter is set up as a fall through, so if $slug-$name.php doesn't exist $slug.php is used. Should $directory be set up similarly ($directory/$slug-$name.php -> $directory/$slug.php -> $slug-$name.php -> $slug.php)?
Change History (61)
- Keywords needs-patch added; dev-feedback removed
- Milestone changed from Awaiting Review to 3.1
- Type changed from enhancement to defect (bug)
- Keywords 3.2-early added
- Milestone changed from 3.1 to Future Release
- Type changed from defect (bug) to enhancement
- Keywords 3.3-early westi-likes needs-unit-tests added; dev-feedback removed
- Owner set to westi
- Status changed from new to accepted