WordPress.org

Make WordPress Core

Ticket #38073: 38073.4.diff

File 38073.4.diff, 15.5 KB (added by killua99, 9 months ago)

Refresh latest trunk and moving deprecated function to the right place.

  • src/wp-admin/comment.php

    diff --git a/src/wp-admin/comment.php b/src/wp-admin/comment.php
    index 1d76632a76..390549f3c7 100644
    a b $submenu_file = 'edit-comments.php'; 
    1616 * @global string $action
    1717 */
    1818global $action;
    19 wp_reset_vars( array( 'action' ) );
    2019
     20if ( ! empty( $_REQUEST['action'] ) ) {
     21        $action = sanitize_text_field( $_REQUEST['action'] );
     22}
    2123if ( isset( $_POST['deletecomment'] ) ) {
    2224        $action = 'deletecomment';
    2325}
  • src/wp-admin/customize.php

    diff --git a/src/wp-admin/customize.php b/src/wp-admin/customize.php
    index 2486f90145..2ae9347647 100644
    a b if ( $wp_customize->changeset_post_id() ) { 
    8484        }
    8585}
    8686
     87if ( ! empty( $_REQUEST['url'] ) ) {
     88        $url = sanitize_text_field( $_REQUEST['url'] );
     89}
     90
     91if ( ! empty( $_REQUEST['return'] ) ) {
     92        $return = sanitize_text_field( $_REQUEST['return'] );
     93}
     94
     95if ( ! empty( $_REQUEST['autofocus'] ) ) {
     96        $autofocus = sanitize_text_field( $_REQUEST['autofocus'] );
     97}
    8798
    88 wp_reset_vars( array( 'url', 'return', 'autofocus' ) );
    8999if ( ! empty( $url ) ) {
    90100        $wp_customize->set_preview_url( wp_unslash( $url ) );
    91101}
  • src/wp-admin/edit-tag-form.php

    diff --git a/src/wp-admin/edit-tag-form.php b/src/wp-admin/edit-tag-form.php
    index 3a49692034..5611b5e97b 100644
    a b if ( 'category' == $taxonomy ) { 
    4444        do_action( 'edit_tag_form_pre', $tag );
    4545}
    4646
    47 /**
    48  * Use with caution, see https://codex.wordpress.org/Function_Reference/wp_reset_vars
    49  */
    50 wp_reset_vars( array( 'wp_http_referer' ) );
     47if ( ! empty( $_REQUEST['wp_http_referer'] ) ) {
     48        $wp_http_referer = sanitize_text_field( $_REQUEST['wp_http_referer'] );
     49}
     50
    5151
    5252$wp_http_referer = remove_query_arg( array( 'action', 'message', 'tag_ID' ), $wp_http_referer );
    5353
  • src/wp-admin/includes/class-wp-links-list-table.php

    diff --git a/src/wp-admin/includes/class-wp-links-list-table.php b/src/wp-admin/includes/class-wp-links-list-table.php
    index f3b519613a..60b4710296 100644
    a b class WP_Links_List_Table extends WP_List_Table { 
    5151        public function prepare_items() {
    5252                global $cat_id, $s, $orderby, $order;
    5353
    54                 wp_reset_vars( array( 'action', 'cat_id', 'link_id', 'orderby', 'order', 's' ) );
     54                if ( ! empty( $_REQUEST['action'] ) ) {
     55                        $action = sanitize_text_field( $_REQUEST['action'] );
     56                }
     57
     58                if ( ! empty( $_REQUEST['cat_id'] ) ) {
     59                        $cat_id = sanitize_text_field( $_REQUEST['cat_id'] );
     60                }
     61
     62                if ( ! empty( $_REQUEST['link_id'] ) ) {
     63                        $link_id = sanitize_text_field( $_REQUEST['link_id'] );
     64                }
     65
     66                if ( ! empty( $_REQUEST['orderby'] ) ) {
     67                        $orderby = sanitize_text_field( $_REQUEST['orderby'] );
     68                }
     69
     70                if ( ! empty( $_REQUEST['order'] ) ) {
     71                        $order = sanitize_text_field( $_REQUEST['order'] );
     72                }
     73
     74                if ( ! empty( $_REQUEST['s'] ) ) {
     75                        $s = sanitize_text_field( $_REQUEST['s'] );
     76                }
    5577
    5678                $args = array(
    5779                        'hide_invisible' => 0,
  • src/wp-admin/includes/class-wp-ms-themes-list-table.php

    diff --git a/src/wp-admin/includes/class-wp-ms-themes-list-table.php b/src/wp-admin/includes/class-wp-ms-themes-list-table.php
    index 294f2c82f8..5990f37b7d 100644
    a b class WP_MS_Themes_List_Table extends WP_List_Table { 
    8888        public function prepare_items() {
    8989                global $status, $totals, $page, $orderby, $order, $s;
    9090
    91                 wp_reset_vars( array( 'orderby', 'order', 's' ) );
     91                if ( ! empty( $_REQUEST['orderby'] ) ) {
     92                        $orderby = sanitize_text_field( $_REQUEST['orderby'] );
     93                }
     94
     95                if ( ! empty( $_REQUEST['order'] ) ) {
     96                        $order = sanitize_text_field( $_REQUEST['order'] );
     97                }
     98
     99                if ( ! empty( $_REQUEST['s'] ) ) {
     100                        $s = sanitize_text_field( $_REQUEST['s'] );
     101                }
    92102
    93103                $themes = array(
    94104                        /**
  • src/wp-admin/includes/class-wp-plugin-install-list-table.php

    diff --git a/src/wp-admin/includes/class-wp-plugin-install-list-table.php b/src/wp-admin/includes/class-wp-plugin-install-list-table.php
    index bdba99344a..d3e03e3bc9 100644
    a b class WP_Plugin_Install_List_Table extends WP_List_Table { 
    8989
    9090                global $tabs, $tab, $paged, $type, $term;
    9191
    92                 wp_reset_vars( array( 'tab' ) );
     92                if ( ! empty( $_REQUEST['tab'] ) ) {
     93                        $tab = sanitize_text_field( $_REQUEST['tab'] );
     94                }
    9395
    9496                $paged = $this->get_pagenum();
    9597
  • src/wp-admin/includes/class-wp-plugins-list-table.php

    diff --git a/src/wp-admin/includes/class-wp-plugins-list-table.php b/src/wp-admin/includes/class-wp-plugins-list-table.php
    index cd4e6ea883..0f19edd73f 100644
    a b class WP_Plugins_List_Table extends WP_List_Table { 
    7777        public function prepare_items() {
    7878                global $status, $plugins, $totals, $page, $orderby, $order, $s;
    7979
    80                 wp_reset_vars( array( 'orderby', 'order' ) );
     80                if ( ! empty( $_REQUEST['orderby'] ) ) {
     81                        $orderby = sanitize_text_field( $_REQUEST['orderby'] );
     82                }
     83
     84                if ( ! empty( $_REQUEST['order'] ) ) {
     85                        $order = sanitize_text_field( $_REQUEST['order'] );
     86                }
    8187
    8288                /**
    8389                 * Filters the full array of plugins to list in the Plugins list table.
  • src/wp-admin/includes/class-wp-theme-install-list-table.php

    diff --git a/src/wp-admin/includes/class-wp-theme-install-list-table.php b/src/wp-admin/includes/class-wp-theme-install-list-table.php
    index 475056d8ec..47be64955d 100644
    a b class WP_Theme_Install_List_Table extends WP_Themes_List_Table { 
    3737                include( ABSPATH . 'wp-admin/includes/theme-install.php' );
    3838
    3939                global $tabs, $tab, $paged, $type, $theme_field_defaults;
    40                 wp_reset_vars( array( 'tab' ) );
     40
     41                if ( ! empty( $_REQUEST['tab'] ) ) {
     42                        $tab = sanitize_text_field( $_REQUEST['tab'] );
     43                }
    4144
    4245                $search_terms  = array();
    4346                $search_string = '';
  • src/wp-admin/includes/deprecated.php

    diff --git a/src/wp-admin/includes/deprecated.php b/src/wp-admin/includes/deprecated.php
    index e65fe5a79c..d67322b872 100644
    a b function options_permalink_add_js() { 
    15141514        </script>
    15151515        <?php
    15161516}
     1517
     1518/**
     1519 * Resets global variables based on $_GET and $_POST
     1520 *
     1521 * This function resets global variables based on the names passed
     1522 * in the $vars array to the value of $_POST[$var] or $_GET[$var] or ''
     1523 * if neither is defined.
     1524 *
     1525 * @since 2.0.0
     1526 * @deprecated 5.3.0
     1527 *
     1528 * @param array $vars An array of globals to reset.
     1529 */
     1530function wp_reset_vars( $vars ) {
     1531
     1532        _deprecated_function( __FUNCTION__, '5.3.0' );
     1533
     1534        foreach ( $vars as $var ) {
     1535                if ( empty( $_POST[ $var ] ) ) {
     1536                        if ( empty( $_GET[ $var ] ) ) {
     1537                                $GLOBALS[ $var ] = '';
     1538                        } else {
     1539                                $GLOBALS[ $var ] = $_GET[ $var ];
     1540                        }
     1541                } else {
     1542                        $GLOBALS[ $var ] = $_POST[ $var ];
     1543                }
     1544        }
     1545}
  • src/wp-admin/includes/misc.php

    diff --git a/src/wp-admin/includes/misc.php b/src/wp-admin/includes/misc.php
    index d0dc33b913..8525d51dc6 100644
    a b function update_home_siteurl( $old_value, $value ) { 
    481481        }
    482482}
    483483
    484 
    485 /**
    486  * Resets global variables based on $_GET and $_POST
    487  *
    488  * This function resets global variables based on the names passed
    489  * in the $vars array to the value of $_POST[$var] or $_GET[$var] or ''
    490  * if neither is defined.
    491  *
    492  * @since 2.0.0
    493  *
    494  * @param array $vars An array of globals to reset.
    495  */
    496 function wp_reset_vars( $vars ) {
    497         foreach ( $vars as $var ) {
    498                 if ( empty( $_POST[ $var ] ) ) {
    499                         if ( empty( $_GET[ $var ] ) ) {
    500                                 $GLOBALS[ $var ] = '';
    501                         } else {
    502                                 $GLOBALS[ $var ] = $_GET[ $var ];
    503                         }
    504                 } else {
    505                         $GLOBALS[ $var ] = $_POST[ $var ];
    506                 }
    507         }
    508 }
    509 
    510484/**
    511485 * Displays the given administration message.
    512486 *
  • src/wp-admin/link-add.php

    diff --git a/src/wp-admin/link-add.php b/src/wp-admin/link-add.php
    index ff617d5777..7bc0cb788b 100644
    a b if ( ! current_user_can( 'manage_links' ) ) { 
    1616$title       = __( 'Add New Link' );
    1717$parent_file = 'link-manager.php';
    1818
    19 wp_reset_vars( array( 'action', 'cat_id', 'link_id' ) );
     19if ( ! empty( $_REQUEST['action'] ) ) {
     20        $action = sanitize_text_field( $_REQUEST['action'] );
     21}
     22
     23if ( ! empty( $_REQUEST['cat_id'] ) ) {
     24        $cat_id = sanitize_text_field( $_REQUEST['cat_id'] );
     25}
     26
     27if ( ! empty( $_REQUEST['link_id'] ) ) {
     28        $link_id = absint( $_REQUEST['link_id'] );
     29}
    2030
    2131wp_enqueue_script( 'link' );
    2232wp_enqueue_script( 'xfn' );
  • src/wp-admin/link.php

    diff --git a/src/wp-admin/link.php b/src/wp-admin/link.php
    index ed293bc80b..5accfeba15 100644
    a b  
    1212/** Load WordPress Administration Bootstrap */
    1313require_once( dirname( __FILE__ ) . '/admin.php' );
    1414
    15 wp_reset_vars( array( 'action', 'cat_id', 'link_id' ) );
     15if ( ! empty( $_REQUEST['action'] ) ) {
     16        $action = sanitize_text_field( $_REQUEST['action'] );
     17}
     18
     19if ( ! empty( $_REQUEST['cat_id'] ) ) {
     20        $cat_id = sanitize_text_field( $_REQUEST['cat_id'] );
     21}
     22
     23if ( ! empty( $_REQUEST['link_id'] ) ) {
     24        $link_id = absint( $_REQUEST['link_id'] );
     25}
    1626
    1727if ( ! current_user_can( 'manage_links' ) ) {
    1828        wp_link_manager_disabled_message();
  • src/wp-admin/media.php

    diff --git a/src/wp-admin/media.php b/src/wp-admin/media.php
    index 40619ea62e..6929cc339d 100644
    a b require_once( dirname( __FILE__ ) . '/admin.php' ); 
    1212$parent_file  = 'upload.php';
    1313$submenu_file = 'upload.php';
    1414
    15 wp_reset_vars( array( 'action' ) );
     15if ( ! empty( $_REQUEST['action'] ) ) {
     16        $action = sanitize_text_field( $_REQUEST['action'] );
     17}
    1618
    1719switch ( $action ) {
    1820        case 'editattachment':
  • src/wp-admin/options-head.php

    diff --git a/src/wp-admin/options-head.php b/src/wp-admin/options-head.php
    index a0e3a3307c..647c60927f 100644
    a b  
    88 * @subpackage Administration
    99 */
    1010
    11 wp_reset_vars( array( 'action' ) );
     11if ( ! empty( $_REQUEST['action'] ) ) {
     12        $action = sanitize_text_field( $_REQUEST['action'] );
     13}
    1214
    1315if ( isset( $_GET['updated'] ) && isset( $_GET['page'] ) ) {
    1416        // For back-compat with plugins that don't use the Settings API and just set updated=1 in the redirect.
  • src/wp-admin/options.php

    diff --git a/src/wp-admin/options.php b/src/wp-admin/options.php
    index 3bf95c1810..c4dbe3c3df 100644
    a b $title = __( 'Settings' ); 
    2222$this_file   = 'options.php';
    2323$parent_file = 'options-general.php';
    2424
    25 wp_reset_vars( array( 'action', 'option_page' ) );
     25if ( ! empty( $_REQUEST['action'] ) ) {
     26        $action = sanitize_text_field( $_REQUEST['action'] );
     27}
     28
     29if ( ! empty( $_REQUEST['option_page'] ) ) {
     30        $cat_id = sanitize_text_field( $_REQUEST['option_page'] );
     31}
    2632
    2733$capability = 'manage_options';
    2834
  • src/wp-admin/post.php

    diff --git a/src/wp-admin/post.php b/src/wp-admin/post.php
    index 22624dfce2..00586103d5 100644
    a b require_once( dirname( __FILE__ ) . '/admin.php' ); 
    1414$parent_file  = 'edit.php';
    1515$submenu_file = 'edit.php';
    1616
    17 wp_reset_vars( array( 'action' ) );
     17if ( ! empty( $_REQUEST['action'] ) ) {
     18        $action = sanitize_text_field( $_REQUEST['action'] );
     19}
    1820
    1921if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] ) {
    2022        wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
  • src/wp-admin/revision.php

    diff --git a/src/wp-admin/revision.php b/src/wp-admin/revision.php
    index 3e72c86dcd..85ab45e10c 100644
    a b require ABSPATH . 'wp-admin/includes/revision.php'; 
    2121 * @global int    $from     The revision to compare from.
    2222 * @global int    $to       Optional, required if revision missing. The revision to compare to.
    2323 */
    24 wp_reset_vars( array( 'revision', 'action', 'from', 'to' ) );
     24if ( ! empty( $_REQUEST['revision'] ) ) {
     25        $revision_id = absint( $_REQUEST['revision'] );
     26}
    2527
    26 $revision_id = absint( $revision );
     28if ( ! empty( $_REQUEST['action'] ) ) {
     29        $action = sanitize_text_field( $_REQUEST['action'] );
     30}
    2731
    28 $from = is_numeric( $from ) ? absint( $from ) : null;
    29 if ( ! $revision_id ) {
    30         $revision_id = absint( $to );
     32if ( ! empty( $_REQUEST['from'] ) ) {
     33        $from = is_numeric( $_REQUEST['from'] ) ? absint( $_REQUEST['from'] ) : null;
    3134}
     35
     36if ( ! empty( $_REQUEST['to'] ) && ! $revision_id ) {
     37        $revision_id = absint( $_REQUEST['to'] );
     38}
     39
    3240$redirect = 'edit.php';
    3341
    3442switch ( $action ) {
  • src/wp-admin/theme-editor.php

    diff --git a/src/wp-admin/theme-editor.php b/src/wp-admin/theme-editor.php
    index bf3dcd0677..a17906fba8 100644
    a b get_current_screen()->set_help_sidebar( 
    5252        '<p>' . __( '<a href="https://wordpress.org/support/">Support Forums</a>' ) . '</p>'
    5353);
    5454
    55 wp_reset_vars( array( 'action', 'error', 'file', 'theme' ) );
     55if ( ! empty( $_REQUEST['action'] ) ) {
     56        $action = sanitize_text_field( $_REQUEST );
     57}
     58
     59if ( ! empty( $_REQUEST['error'] ) ) {
     60        $error = true;
     61}
     62
     63if ( ! empty( $_REQUEST['theme'] ) ) {
     64        $theme = sanitize_text_field( $_REQUEST['theme'] );
     65}
     66
     67if ( ! empty( $_REQUEST['file'] ) ) {
     68        $file = sanitize_text_field( $_REQUEST['file'] );
     69}
    5670
    5771if ( $theme ) {
    5872        $stylesheet = $theme;
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) { 
    172186        }
    173187
    174188        $file_description = get_file_description( $relative_file );
    175         $file_show        = array_search( $file, array_filter( $allowed_files ) );
     189        $file_show        = arraysearch( $file, array_filter( $allowed_files ) );
    176190        $description      = esc_html( $file_description );
    177191        if ( $file_description != $file_show ) {
    178192                $description .= ' <span>(' . esc_html( $file_show ) . ')</span>';
  • src/wp-admin/theme-install.php

    diff --git a/src/wp-admin/theme-install.php b/src/wp-admin/theme-install.php
    index e0fa5cf230..031b0c843a 100644
    a b  
    1010require_once( dirname( __FILE__ ) . '/admin.php' );
    1111require( ABSPATH . 'wp-admin/includes/theme-install.php' );
    1212
    13 wp_reset_vars( array( 'tab' ) );
     13if ( ! empty( $_REQUEST['tab'] ) ) {
     14        $tab = sanitize_text_field( $_REQUEST['tab'] );
     15}
    1416
    1517if ( ! current_user_can( 'install_themes' ) ) {
    1618        wp_die( __( 'Sorry, you are not allowed to install themes on this site.' ) );
  • src/wp-admin/themes.php

    diff --git a/src/wp-admin/themes.php b/src/wp-admin/themes.php
    index 7b0d3b2022..480e750a90 100644
    a b if ( current_user_can( 'switch_themes' ) ) { 
    150150} else {
    151151        $themes = wp_prepare_themes_for_js( array( wp_get_theme() ) );
    152152}
    153 wp_reset_vars( array( 'theme', 'search' ) );
     153
     154if ( ! empty( $_REQUEST['theme'] ) ) {
     155        $theme = sanitize_text_field( $_REQUEST['theme'] );
     156}
     157
     158if ( ! empty( $_REQUEST['search'] ) ) {
     159        $search = sanitize_text_field( $_REQUEST['search'] );
     160}
    154161
    155162wp_localize_script(
    156163        'theme',
  • src/wp-admin/user-edit.php

    diff --git a/src/wp-admin/user-edit.php b/src/wp-admin/user-edit.php
    index ccc0a40010..85044a0f56 100644
    a b  
    99/** WordPress Administration Bootstrap */
    1010require_once( dirname( __FILE__ ) . '/admin.php' );
    1111
    12 wp_reset_vars( array( 'action', 'user_id', 'wp_http_referer' ) );
     12if ( ! empty( $_REQUEST['action'] ) ) {
     13        $action = sanitize_text_field( $_REQUEST['action'] );
     14}
     15
     16if ( ! empty( $_REQUEST['user_id'] ) ) {
     17        $user_id = absint( $_REQUEST['user_id'] );
     18}
     19
     20if ( ! empty( $_REQUEST['wp_http_referer'] ) ) {
     21        $wp_http_referer = sanitize_text_field( $_REQUEST['wp_http_referer'] );
     22}
    1323
    14 $user_id      = (int) $user_id;
    1524$current_user = wp_get_current_user();
    1625if ( ! defined( 'IS_PROFILE_PAGE' ) ) {
    1726        define( 'IS_PROFILE_PAGE', ( $user_id == $current_user->ID ) );