Ticket #38073: 38073.3.patch

src/wp-admin/comment.php

@@ -16 +16 @@
  * @global string $action
  */
 global $action;
-wp_reset_vars( array('action') );
+
+if ( isset( $_REQUEST['action'] ) ) {
+        $action = sanitize_text_field( $_REQUEST['action'] );
+}
 
 if ( isset( $_POST['deletecomment'] ) )
         $action = 'deletecomment';

src/wp-admin/customize.php

@@ -44 +44 @@
         }
 }
 
+if ( isset( $_REQUEST['url'] ) ) {
+        $url = sanitize_text_field( $_REQUEST['url'] );
+}
+
+if ( isset( $_REQUEST['return'] ) ) {
+        $return = sanitize_text_field( $_REQUEST['return'] );
+}
+
+if ( isset( $_REQUEST['autofocus'] ) ) {
+        $autofocus = sanitize_text_field( $_REQUEST['autofocus'] );
+}
 
-wp_reset_vars( array( 'url', 'return', 'autofocus' ) );
 if ( ! empty( $url ) ) {
         $wp_customize->set_preview_url( wp_unslash( $url ) );
 }

src/wp-admin/edit-tag-form.php

@@ -44 +44 @@
         do_action( 'edit_tag_form_pre', $tag );
 }
 
-/**
- * Use with caution, see https://codex.wordpress.org/Function_Reference/wp_reset_vars
- */
-wp_reset_vars( array( 'wp_http_referer' ) );
+if ( isset( $_REQUEST['wp_http_referer'] ) ) {
+        $wp_http_referer = sanitize_text_field( $_REQUEST['wp_http_referer'] );
+}
 
 $wp_http_referer = remove_query_arg( array( 'action', 'message', 'tag_ID' ), $wp_http_referer );
 

src/wp-admin/includes/class-wp-links-list-table.php

@@ -51 +51 @@
         public function prepare_items() {
                 global $cat_id, $s, $orderby, $order;
 
-                wp_reset_vars( array( 'action', 'cat_id', 'link_id', 'orderby', 'order', 's' ) );
+                if ( isset( $_REQUEST['action'] ) ) {
+                        $action = sanitize_text_field( $_REQUEST['action'] );
+                }
+
+                if ( isset( $_REQUEST['cat_id'] ) ) {
+                        $cat_id = sanitize_text_field( $_REQUEST['cat_id'] );
+                }
+
+                if ( isset( $_REQUEST['link_id'] ) ) {
+                        $link_id = sanitize_text_field( $_REQUEST['link_id'] );
+                }
+
+                if ( isset( $_REQUEST['orderby'] ) ) {
+                        $orderby = sanitize_text_field( $_REQUEST['orderby'] );
+                }
+
+                if ( isset( $_REQUEST['order'] ) ) {
+                        $order = sanitize_text_field( $_REQUEST['order'] );
+                }
+
+                if ( isset( $_REQUEST['s'] ) ) {
+                        $s = sanitize_text_field( $_REQUEST['s'] );
+                }
 
                 $args = array( 'hide_invisible' => 0, 'hide_empty' => 0 );
 

src/wp-admin/includes/class-wp-ms-themes-list-table.php

@@ -86 +86 @@
         public function prepare_items() {
                 global $status, $totals, $page, $orderby, $order, $s;
 
-                wp_reset_vars( array( 'orderby', 'order', 's' ) );
+                if ( isset( $_REQUEST['orderby'] ) ) {
+                        $orderby = sanitize_text_field( $_REQUEST['orderby'] );
+                }
+
+                if ( isset( $_REQUEST['order'] ) ) {
+                        $order = sanitize_text_field( $_REQUEST['order'] );
+                }
+
+                if ( isset( $_REQUEST['s'] ) ) {
+                        $s = sanitize_text_field( $_REQUEST['s'] );
+                }
 
                 $themes = array(
                         /**

src/wp-admin/includes/class-wp-plugin-install-list-table.php

@@ -74 +74 @@
 
                 global $tabs, $tab, $paged, $type, $term;
 
-                wp_reset_vars( array( 'tab' ) );
+                if ( isset( $_REQUEST['tab'] ) ) {
+                        $tab = sanitize_text_field( $_REQUEST['tab'] );
+                }
 
                 $paged = $this->get_pagenum();
 

src/wp-admin/includes/class-wp-plugins-list-table.php

@@ -74 +74 @@
         public function prepare_items() {
                 global $status, $plugins, $totals, $page, $orderby, $order, $s;
 
-                wp_reset_vars( array( 'orderby', 'order' ) );
+                if ( isset( $_REQUEST['orderby'] ) ) {
+                        $orderby = sanitize_text_field( $_REQUEST['orderby'] );
+                }
+
+                if ( isset( $_REQUEST['order'] ) ) {
+                        $order = sanitize_text_field( $_REQUEST['order'] );
+                }
 
                 /**
                  * Filters the full array of plugins to list in the Plugins list table.

src/wp-admin/includes/class-wp-theme-install-list-table.php

@@ -39 +39 @@
                 include( ABSPATH . 'wp-admin/includes/theme-install.php' );
 
                 global $tabs, $tab, $paged, $type, $theme_field_defaults;
-                wp_reset_vars( array( 'tab' ) );
+
+                if ( isset( $_REQUEST['tab'] ) ) {
+                        $tab = sanitize_text_field( $_REQUEST['tab'] );
+                }
 
                 $search_terms = array();
                 $search_string = '';

src/wp-admin/includes/misc.php

@@ -299 +299 @@
  * @since 2.0.0
  *
  * @param array $vars An array of globals to reset.
+ *
+ * @deprecated in WordPress 4.9 and will be removed before WordPress 5.0.
+ *   Use sanitize_text_field().
  */
 function wp_reset_vars( $vars ) {
         foreach ( $vars as $var ) {

src/wp-admin/link-add.php

@@ -15 +15 @@
 $title = __('Add New Link');
 $parent_file = 'link-manager.php';
 
-wp_reset_vars( array('action', 'cat_id', 'link_id' ) );
+if ( isset( $_REQUEST['action'] ) ) {
+        $action = sanitize_text_field( $_REQUEST['action'] );
+}
+
+if ( isset( $_REQUEST['cat_id'] ) ) {
+        $cat_id = sanitize_text_field( $_REQUEST['cat_id'] );
+}
+
+if ( isset( $_REQUEST['link_id'] ) ) {
+        $link_id = sanitize_text_field( $_REQUEST['link_id'] );
+}
 
 wp_enqueue_script('link');
 wp_enqueue_script('xfn');

src/wp-admin/link.php

@@ -12 +12 @@
 /** Load WordPress Administration Bootstrap */
 require_once( dirname( __FILE__ ) . '/admin.php' );
 
-wp_reset_vars( array( 'action', 'cat_id', 'link_id' ) );
+if ( isset( $_REQUEST['action'] ) ) {
+        $action = sanitize_text_field( $_REQUEST['action'] );
+}
+
+if ( isset( $_REQUEST['cat_id'] ) ) {
+        $cat_id = sanitize_text_field( $_REQUEST['cat_id'] );
+}
+
+if ( isset( $_REQUEST['link_id'] ) ) {
+        $link_id = sanitize_text_field( $_REQUEST['link_id'] );
+}
 
 if ( ! current_user_can('manage_links') )
         wp_link_manager_disabled_message();

src/wp-admin/media.php

@@ -12 +12 @@
 $parent_file = 'upload.php';
 $submenu_file = 'upload.php';
 
-wp_reset_vars(array('action'));
+if ( isset( $_REQUEST['action'] ) ) {
+        $action = sanitize_text_field( $_REQUEST['action'] );
+}
 
 switch ( $action ) {
 case 'editattachment' :

src/wp-admin/options-head.php

@@ -8 +8 @@
  * @subpackage Administration
  */
 
-wp_reset_vars( array( 'action' ) );
+if ( isset( $_REQUEST['action'] ) ) {
+        $action = sanitize_text_field( $_REQUEST['action'] );
+}
 
 if ( isset( $_GET['updated'] ) && isset( $_GET['page'] ) ) {
         // For back-compat with plugins that don't use the Settings API and just set updated=1 in the redirect.

src/wp-admin/options.php

@@ -22 +22 @@
 $this_file = 'options.php';
 $parent_file = 'options-general.php';
 
-wp_reset_vars(array('action', 'option_page'));
+if ( isset( $_REQUEST['action'] ) ) {
+        $action = sanitize_text_field( $_REQUEST['action'] );
+}
+
+if ( isset( $_REQUEST['option_page'] ) ) {
+        $option_page = sanitize_text_field( $_REQUEST['option_page'] );
+}
 
 $capability = 'manage_options';
 

src/wp-admin/post.php

@@ -14 +14 @@
 $parent_file = 'edit.php';
 $submenu_file = 'edit.php';
 
-wp_reset_vars( array( 'action' ) );
+if ( isset( $_REQUEST['action'] ) ) {
+        $action = sanitize_text_field( $_REQUEST['action'] );
+}
 
 if ( isset( $_GET['post'] ) )
         $post_id = $post_ID = (int) $_GET['post'];

src/wp-admin/revision.php

@@ -20 +20 @@
 
 require ABSPATH . 'wp-admin/includes/revision.php';
 
-wp_reset_vars( array( 'revision', 'action', 'from', 'to' ) );
+if ( isset( $_REQUEST['revision'] ) ) {
+        $revision = sanitize_text_field( $_REQUEST['revision'] );
+}
+
+if ( isset( $_REQUEST['action'] ) ) {
+        $action = sanitize_text_field( $_REQUEST['action'] );
+}
+
+if ( isset( $_REQUEST['from'] ) ) {
+        $from = sanitize_text_field( $_REQUEST['from'] );
+}
+
+if ( isset( $_REQUEST['to'] ) ) {
+        $to = sanitize_text_field( $_REQUEST['to'] );
+}
 
 $revision_id = absint( $revision );
 

src/wp-admin/theme-editor.php

@@ -43 +43 @@
         '<p>' . __('<a href="https://wordpress.org/support/">Support Forums</a>') . '</p>'
 );
 
-wp_reset_vars( array( 'action', 'error', 'file', 'theme' ) );
+if ( isset( $_REQUEST['action'] ) ) {
+        $action = sanitize_text_field( $_REQUEST['action'] );
+}
+
+if ( isset( $_REQUEST['error'] ) ) {
+        $error = sanitize_text_field( $_REQUEST['error'] );
+}
+
+if ( isset( $_REQUEST['file'] ) ) {
+        $file = sanitize_text_field( $_REQUEST['file'] );
+}
+
+if ( isset( $_REQUEST['theme'] ) ) {
+        $theme = sanitize_text_field( $_REQUEST['theme'] );
+}
 
 if ( $theme ) {
         $stylesheet = $theme;

src/wp-admin/theme-install.php

@@ -10 +10 @@
 require_once( dirname( __FILE__ ) . '/admin.php' );
 require( ABSPATH . 'wp-admin/includes/theme-install.php' );
 
-wp_reset_vars( array( 'tab' ) );
+if ( isset( $_REQUEST['tab'] ) ) {
+        $tab = sanitize_text_field( $_REQUEST['tab'] );
+}
 
 if ( ! current_user_can('install_themes') )
         wp_die( __( 'Sorry, you are not allowed to install themes on this site.' ) );

src/wp-admin/themes.php

@@ -124 +124 @@
 } else {
         $themes = wp_prepare_themes_for_js( array( wp_get_theme() ) );
 }
-wp_reset_vars( array( 'theme', 'search' ) );
+
+if ( isset( $_REQUEST['theme'] ) ) {
+        $theme = sanitize_text_field( $_REQUEST['theme'] );
+}
+
+if ( isset( $_REQUEST['search'] ) ) {
+        $search = sanitize_text_field( $_REQUEST['search'] );
+}
 
 wp_localize_script( 'theme', '_wpThemeSettings', array(
         'themes'   => $themes,

src/wp-admin/user-edit.php

@@ -9 +9 @@
 /** WordPress Administration Bootstrap */
 require_once( dirname( __FILE__ ) . '/admin.php' );
 
-wp_reset_vars( array( 'action', 'user_id', 'wp_http_referer' ) );
+if ( isset( $_REQUEST['action'] ) ) {
+        $action = sanitize_text_field( $_REQUEST['action'] );
+}
+
+if ( isset( $_REQUEST['user_id'] ) ) {
+        $user_id = sanitize_text_field( $_REQUEST['user_id'] );
+}
+
+if ( isset( $_REQUEST['wp_http_referer'] ) ) {
+        $wp_http_referer = sanitize_text_field( $_REQUEST['wp_http_referer'] );
+}
 
 $user_id = (int) $user_id;
 $current_user = wp_get_current_user();