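diff --git a/src/wp-admin/comment.php b/src/wp-admin/comment.php
index 1d76632a76..390549f3c7 100644
--- a/src/wp-admin/comment.php
+++ b/src/wp-admin/comment.php
@@ -16,8 +16,10 @@ $submenu_file = 'edit-comments.php';
 * @global string $action
 */
 global $action;
-wp_reset_vars( array( 'action' ) );
 
+if ( ! empty( $_REQUEST['action'] ) ) {
+$action = sanitize_text_field( $_REQUEST['action'] );
+}
 if ( isset( $_POST['deletecomment'] ) ) {
 $action = 'deletecomment';
 }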
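Review bot: `$_REQUEST` at new line 20 is not an exact replacement for the removed `$_POST`-then-`$_GET` lookup: which superglobals it merges and in what precedence follow PHP's `request_order`/`variables_order` ini settings, and when `request_order` is unset it also contains `$_COOKIE`, so a cookie named `action` could select the branch. Reading `$_POST['action']` with a fallback to `$_GET['action']` preserves the old contract, e.g. `$action = ! empty( $_POST['action'] ) ? sanitize_text_field( $_POST['action'] ) : ( ! empty( $_GET['action'] ) ? sanitize_text_field( $_GET['action'] ) : '' );`. The same observation applies to every other file in this changeset that switched to `$_REQUEST`. When neither parameter is present `$action` is now null rather than '' (the `global $action;` at line 18 keeps it from being undefined), which any strict comparison below the hunk must tolerate.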
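diff --git a/src/wp-admin/customize.php b/src/wp-admin/customize.php
index 2486f90145..2ae9347647 100644
--- a/src/wp-admin/customize.php
+++ b/src/wp-admin/customize.php
@@ -84,8 +84,18 @@ if ( $wp_customize->changeset_post_id() ) {
 }
 }
 
+if ( ! empty( $_REQUEST['url'] ) ) {
+$url = sanitize_text_field( $_REQUEST['url'] );
+}
+
+if ( ! empty( $_REQUEST['return'] ) ) {
+$return = sanitize_text_field( $_REQUEST['return'] );
+}
+
+if ( ! empty( $_REQUEST['autofocus'] ) ) {
+$autofocus = sanitize_text_field( $_REQUEST['autofocus'] );
+}
 
-wp_reset_vars( array( 'url', 'return', 'autofocus' ) );
 if ( ! empty( $url ) ) {
 $wp_customize->set_preview_url( wp_unslash( $url ) );
 }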
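Review bot: `sanitize_text_field()` is the wrong filter for `url` and `return` at new lines 88 and 92: besides stripping tags it removes percent-encoded octets and collapses whitespace, so a preview URL carrying an encoded query string reaches `set_preview_url()` at line 100 altered, and that call then unslashes a value that was sanitized while still slashed. For URLs use `esc_url_raw( wp_unslash( $_REQUEST['url'] ) )` (and the same for `$return`) ahead of whatever validation follows. `autofocus` at line 96 is presumably still submitted by the customizer as an array keyed by panel/section/control; as far as I can tell `sanitize_text_field()` coerces an array to a string rather than sanitizing each element, so it should be read as `wp_unslash( (array) $_REQUEST['autofocus'] )` with each value sanitized — verify against how `$autofocus` is consumed below the hunk. `$return` and `$autofocus` are also left undefined when absent, whereas the removed call guaranteed ''.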
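diff --git a/src/wp-admin/edit-tag-form.php b/src/wp-admin/edit-tag-form.php
index 3a49692034..5611b5e97b 100644
--- a/src/wp-admin/edit-tag-form.php
+++ b/src/wp-admin/edit-tag-form.php
@@ -44,10 +44,10 @@ if ( 'category' == $taxonomy ) {
 do_action( 'edit_tag_form_pre', $tag );
 }
 
-/**
-* Use with caution, see https://codex.wordpress.org/Function_Reference/wp_reset_vars
-*/
-wp_reset_vars( array( 'wp_http_referer' ) );
+if ( ! empty( $_REQUEST['wp_http_referer'] ) ) {
+$wp_http_referer = sanitize_text_field( $_REQUEST['wp_http_referer'] );
+}
+
 
 $wp_http_referer = remove_query_arg( array( 'action', 'message', 'tag_ID' ), $wp_http_referer );
 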
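Review bot: `$wp_http_referer` is only assigned when the parameter is present, so for a request without it the `remove_query_arg()` call at line 52 reads an undefined variable (the removed `wp_reset_vars()` call always left it as ''), which emits a notice and passes null through. Initialize it ahead of the check: `$wp_http_referer = '';`. Since the value is a URL, `sanitize_text_field()` is also a poor fit — it strips percent-encoded octets from the query string — and `esc_url_raw( wp_unslash( $_REQUEST['wp_http_referer'] ) )` would preserve it; confirm how the referer is output further down before switching.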
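diff --git a/src/wp-admin/includes/class-wp-links-list-table.php b/src/wp-admin/includes/class-wp-links-list-table.php
index f3b519613a..60b4710296 100644
--- a/src/wp-admin/includes/class-wp-links-list-table.php
+++ b/src/wp-admin/includes/class-wp-links-list-table.php
@@ -51,7 +51,29 @@ class WP_Links_List_Table extends WP_List_Table {
 public function prepare_items() {
 global $cat_id, $s, $orderby, $order;
 
-wp_reset_vars( array( 'action', 'cat_id', 'link_id', 'orderby', 'order', 's' ) );
+if ( ! empty( $_REQUEST['action'] ) ) {
+$action = sanitize_text_field( $_REQUEST['action'] );
+}
+
+if ( ! empty( $_REQUEST['cat_id'] ) ) {
+$cat_id = sanitize_text_field( $_REQUEST['cat_id'] );
+}
+
+if ( ! empty( $_REQUEST['link_id'] ) ) {
+$link_id = sanitize_text_field( $_REQUEST['link_id'] );
+}
+
+if ( ! empty( $_REQUEST['orderby'] ) ) {
+$orderby = sanitize_text_field( $_REQUEST['orderby'] );
+}
+
+if ( ! empty( $_REQUEST['order'] ) ) {
+$order = sanitize_text_field( $_REQUEST['order'] );
+}
+
+if ( ! empty( $_REQUEST['s'] ) ) {
+$s = sanitize_text_field( $_REQUEST['s'] );
+}
 
 $args = array(
 'hide_invisible' => 0,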
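Review bot: `$action` and `$link_id` at new lines 55 and 63 are assigned as method locals that nothing in the visible part of `prepare_items()` reads, and neither is in the `global` statement at line 52, so any code that previously relied on `$GLOBALS['action']`/`$GLOBALS['link_id']` being set by this call no longer sees them; either add them to the `global` list or drop the two blocks. `cat_id` and `link_id` are numeric IDs and should be cast with `absint()` as link.php does elsewhere in this changeset, e.g. `$cat_id = absint( $_REQUEST['cat_id'] );`. `orderby` and `order` are only text-sanitized, not constrained to a known column or asc/desc, so whatever builds `$args` below the hunk must still validate them. The enclosing method continues past the hunk.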
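diff --git a/src/wp-admin/includes/class-wp-ms-themes-list-table.php b/src/wp-admin/includes/class-wp-ms-themes-list-table.php
index 294f2c82f8..5990f37b7d 100644
--- a/src/wp-admin/includes/class-wp-ms-themes-list-table.php
+++ b/src/wp-admin/includes/class-wp-ms-themes-list-table.php
@@ -88,7 +88,17 @@ class WP_MS_Themes_List_Table extends WP_List_Table {
 public function prepare_items() {
 global $status, $totals, $page, $orderby, $order, $s;
 
-wp_reset_vars( array( 'orderby', 'order', 's' ) );
+if ( ! empty( $_REQUEST['orderby'] ) ) {
+$orderby = sanitize_text_field( $_REQUEST['orderby'] );
+}
+
+if ( ! empty( $_REQUEST['order'] ) ) {
+$order = sanitize_text_field( $_REQUEST['order'] );
+}
+
+if ( ! empty( $_REQUEST['s'] ) ) {
+$s = sanitize_text_field( $_REQUEST['s'] );
+}
 
 $themes = array(
 /**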
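Review bot: `sanitize_text_field()` at new lines 92 and 96 strips tags and whitespace but does not constrain `orderby` to a known column or `order` to asc/desc, so the sorting that consumes these globals further down (outside this view) must still validate both; an allowlist here would make that explicit, e.g. `$order = ( ! empty( $_REQUEST['order'] ) && 'desc' === strtolower( $_REQUEST['order'] ) ) ? 'desc' : 'asc';`. Absent parameters now leave the three globals at null rather than the '' the removed call set — harmless for truthiness checks, but any `=== ''` comparison downstream changes behaviour. `prepare_items()` continues past the hunk.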
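diff --git a/src/wp-admin/includes/class-wp-plugin-install-list-table.php b/src/wp-admin/includes/class-wp-plugin-install-list-table.php
index bdba99344a..d3e03e3bc9 100644
--- a/src/wp-admin/includes/class-wp-plugin-install-list-table.php
+++ b/src/wp-admin/includes/class-wp-plugin-install-list-table.php
@@ -89,7 +89,9 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 
 global $tabs, $tab, $paged, $type, $term;
 
-wp_reset_vars( array( 'tab' ) );
+if ( ! empty( $_REQUEST['tab'] ) ) {
+$tab = sanitize_text_field( $_REQUEST['tab'] );
+}
 
 $paged = $this->get_pagenum();
 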
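diff --git a/src/wp-admin/includes/class-wp-plugins-list-table.php b/src/wp-admin/includes/class-wp-plugins-list-table.php
index cd4e6ea883..0f19edd73f 100644
--- a/src/wp-admin/includes/class-wp-plugins-list-table.php
+++ b/src/wp-admin/includes/class-wp-plugins-list-table.php
@@ -77,7 +77,13 @@ class WP_Plugins_List_Table extends WP_List_Table {
 public function prepare_items() {
 global $status, $plugins, $totals, $page, $orderby, $order, $s;
 
-wp_reset_vars( array( 'orderby', 'order' ) );
+if ( ! empty( $_REQUEST['orderby'] ) ) {
+$orderby = sanitize_text_field( $_REQUEST['orderby'] );
+}
+
+if ( ! empty( $_REQUEST['order'] ) ) {
+$order = sanitize_text_field( $_REQUEST['order'] );
+}
 
 /**
 * Filters the full array of plugins to list in the Plugins list table.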
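diff --git a/src/wp-admin/includes/class-wp-theme-install-list-table.php b/src/wp-admin/includes/class-wp-theme-install-list-table.php
index 475056d8ec..47be64955d 100644
--- a/src/wp-admin/includes/class-wp-theme-install-list-table.php
+++ b/src/wp-admin/includes/class-wp-theme-install-list-table.php
@@ -37,7 +37,10 @@ class WP_Theme_Install_List_Table extends WP_Themes_List_Table {
 include( ABSPATH . 'wp-admin/includes/theme-install.php' );
 
 global $tabs, $tab, $paged, $type, $theme_field_defaults;
-wp_reset_vars( array( 'tab' ) );
+
+if ( ! empty( $_REQUEST['tab'] ) ) {
+$tab = sanitize_text_field( $_REQUEST['tab'] );
+}
 
 $search_terms = array();
 $search_string = '';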
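diff --git a/src/wp-admin/includes/deprecated.php b/src/wp-admin/includes/deprecated.php
index e65fe5a79c..d67322b872 100644
--- a/src/wp-admin/includes/deprecated.php
+++ b/src/wp-admin/includes/deprecated.php
@@ -1514,3 +1514,32 @@ function options_permalink_add_js() {
 </script>
 <?php
 }
+
+/**
+* Resets global variables based on $_GET and $_POST
+*
+* This function resets global variables based on the names passed
+* in the $vars array to the value of $_POST[$var] or $_GET[$var] or ''
+* if neither is defined.
+*
+* @since 2.0.0
+* @deprecated 5.3.0
+*
+* @param array $vars An array of globals to reset.
+*/
+function wp_reset_vars( $vars ) {
+
+_deprecated_function( __FUNCTION__, '5.3.0' );
+
+foreach ( $vars as $var ) {
+if ( empty( $_POST[ $var ] ) ) {
+if ( empty( $_GET[ $var ] ) ) {
+$GLOBALS[ $var ] = '';
+} else {
+$GLOBALS[ $var ] = $_GET[ $var ];
+}
+} else {
+$GLOBALS[ $var ] = $_POST[ $var ];
+}
+}
+}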
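Review bot: The `@deprecated 5.3.0` tag at new line 1526 and the `_deprecated_function()` call at line 1532 both omit a replacement, so plugins still calling this get a notice that says nothing about what to do instead; pass the guidance as the third argument, e.g. `_deprecated_function( __FUNCTION__, '5.3.0', 'direct $_GET/$_POST access with sanitize_text_field()' );` and repeat it after the `@deprecated` version. The docblock should also carry the warning the old call sites had: the loop at lines 1534-1544 still copies raw, unsanitized `$_POST`/`$_GET` values straight into `$GLOBALS`, which 'Resets global variables' understates. A one-line note such as `* Values are copied unsanitized; callers must validate them.` would cover it.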
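diff --git a/src/wp-admin/includes/misc.php b/src/wp-admin/includes/misc.php
index d0dc33b913..8525d51dc6 100644
--- a/src/wp-admin/includes/misc.php
+++ b/src/wp-admin/includes/misc.php
@@ -481,32 +481,6 @@ function update_home_siteurl( $old_value, $value ) {
 }
 }
 
-
-/**
-* Resets global variables based on $_GET and $_POST
-*
-* This function resets global variables based on the names passed
-* in the $vars array to the value of $_POST[$var] or $_GET[$var] or ''
-* if neither is defined.
-*
-* @since 2.0.0
-*
-* @param array $vars An array of globals to reset.
-*/
-function wp_reset_vars( $vars ) {
-foreach ( $vars as $var ) {
-if ( empty( $_POST[ $var ] ) ) {
-if ( empty( $_GET[ $var ] ) ) {
-$GLOBALS[ $var ] = '';
-} else {
-$GLOBALS[ $var ] = $_GET[ $var ];
-}
-} else {
-$GLOBALS[ $var ] = $_POST[ $var ];
-}
-}
-}
-
 /**
 * Displays the given administration message.
 *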
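diff --git a/src/wp-admin/link-add.php b/src/wp-admin/link-add.php
index ff617d5777..7bc0cb788b 100644
--- a/src/wp-admin/link-add.php
+++ b/src/wp-admin/link-add.php
@@ -16,7 +16,17 @@ if ( ! current_user_can( 'manage_links' ) ) {
 $title = __( 'Add New Link' );
 $parent_file = 'link-manager.php';
 
-wp_reset_vars( array( 'action', 'cat_id', 'link_id' ) );
+if ( ! empty( $_REQUEST['action'] ) ) {
+$action = sanitize_text_field( $_REQUEST['action'] );
+}
+
+if ( ! empty( $_REQUEST['cat_id'] ) ) {
+$cat_id = sanitize_text_field( $_REQUEST['cat_id'] );
+}
+
+if ( ! empty( $_REQUEST['link_id'] ) ) {
+$link_id = absint( $_REQUEST['link_id'] );
+}
 
 wp_enqueue_script( 'link' );
 wp_enqueue_script( 'xfn' );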
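Review bot: `cat_id` at new line 24 goes through `sanitize_text_field()` while `link_id` at line 28 is cast with `absint()`; if `cat_id` is a single term ID as its name suggests, `$cat_id = absint( $_REQUEST['cat_id'] );` keeps the two consistent and guarantees an integer for whatever queries it below the hunk. All three variables are also left undefined when their parameter is absent, whereas the removed call set them to ''; initialize `$action = ''; $cat_id = ''; $link_id = 0;` ahead of the checks (or fold each into a ternary) so code further down does not trip undefined-variable notices.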
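diff --git a/src/wp-admin/link.php b/src/wp-admin/link.php
index ed293bc80b..5accfeba15 100644
--- a/src/wp-admin/link.php
+++ b/src/wp-admin/link.php
@@ -12,7 +12,17 @@
 /** Load WordPress Administration Bootstrap */
 require_once( dirname( __FILE__ ) . '/admin.php' );
 
-wp_reset_vars( array( 'action', 'cat_id', 'link_id' ) );
+if ( ! empty( $_REQUEST['action'] ) ) {
+$action = sanitize_text_field( $_REQUEST['action'] );
+}
+
+if ( ! empty( $_REQUEST['cat_id'] ) ) {
+$cat_id = sanitize_text_field( $_REQUEST['cat_id'] );
+}
+
+if ( ! empty( $_REQUEST['link_id'] ) ) {
+$link_id = absint( $_REQUEST['link_id'] );
+}
 
 if ( ! current_user_can( 'manage_links' ) ) {
 wp_link_manager_disabled_message();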
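Review bot: The new blocks at lines 15-25 leave `$action`, `$cat_id` and `$link_id` undefined when a parameter is missing, whereas the removed call set each to ''; link.php dispatches on `$action` below this hunk, so initialize `$action = '';` (and the other two) before the `if` blocks to avoid notices on a bare request. `cat_id` is presumably a term ID and should use `absint()` like `link_id` at line 24 rather than `sanitize_text_field()`. Reading the parameters before the `manage_links` check at line 27 is unchanged from the old code and is only a read, so it is fine as long as nothing acts on them before the capability check.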
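diff --git a/src/wp-admin/media.php b/src/wp-admin/media.php
index 40619ea62e..6929cc339d 100644
--- a/src/wp-admin/media.php
+++ b/src/wp-admin/media.php
@@ -12,7 +12,9 @@ require_once( dirname( __FILE__ ) . '/admin.php' );
 $parent_file = 'upload.php';
 $submenu_file = 'upload.php';
 
-wp_reset_vars( array( 'action' ) );
+if ( ! empty( $_REQUEST['action'] ) ) {
+$action = sanitize_text_field( $_REQUEST['action'] );
+}
 
 switch ( $action ) {
 case 'editattachment':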
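Review bot: `switch ( $action )` at new line 19 reads `$action` even when no `action` parameter was sent, and the new code only assigns it inside the `if`, so such a request now raises an undefined-variable notice where the removed `wp_reset_vars()` call always set ''. Initialize it before the check: `$action = '';`. Alternatively collapse the block into `$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';`.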
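diff --git a/src/wp-admin/options-head.php b/src/wp-admin/options-head.php
index a0e3a3307c..647c60927f 100644
--- a/src/wp-admin/options-head.php
+++ b/src/wp-admin/options-head.php
@@ -8,7 +8,9 @@
 * @subpackage Administration
 */
 
-wp_reset_vars( array( 'action' ) );
+if ( ! empty( $_REQUEST['action'] ) ) {
+$action = sanitize_text_field( $_REQUEST['action'] );
+}
 
 if ( isset( $_GET['updated'] ) && isset( $_GET['page'] ) ) {
 // For back-compat with plugins that don't use the Settings API and just set updated=1 in the redirect.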
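Review bot: `$action` is assigned only when the parameter is present, so when it is absent the variable is undefined rather than the '' the removed call guaranteed; anything in this file that reads `$action` below the hunk (not visible here) will emit a notice. Add `$action = '';` before the `if` at new line 11. If nothing in options-head.php still reads `$action`, the block can be dropped altogether rather than kept for symmetry with the other files.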
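diff --git a/src/wp-admin/options.php b/src/wp-admin/options.php
index 3bf95c1810..c4dbe3c3df 100644
--- a/src/wp-admin/options.php
+++ b/src/wp-admin/options.php
@@ -22,7 +22,13 @@ $title = __( 'Settings' );
 $this_file = 'options.php';
 $parent_file = 'options-general.php';
 
-wp_reset_vars( array( 'action', 'option_page' ) );
+if ( ! empty( $_REQUEST['action'] ) ) {
+$action = sanitize_text_field( $_REQUEST['action'] );
+}
+
+if ( ! empty( $_REQUEST['option_page'] ) ) {
+$cat_id = sanitize_text_field( $_REQUEST['option_page'] );
+}
 
 $capability = 'manage_options';
 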
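Review bot: New line 30 assigns the sanitized `option_page` parameter to `$cat_id` instead of `$option_page`, apparently a copy-paste slip from the link files in this changeset; `$option_page` is therefore never set, and whatever in options.php reads it below the hunk (the nonce check and allowed-options lookup, as far as I can tell) operates on an undefined variable. Change the line to `$option_page = sanitize_text_field( $_REQUEST['option_page'] );`. Both `$action` and `$option_page` should also be initialized to '' before the checks, as the removed call did, so that absent parameters do not produce notices.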
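diff --git a/src/wp-admin/post.php b/src/wp-admin/post.php
index 22624dfce2..00586103d5 100644
--- a/src/wp-admin/post.php
+++ b/src/wp-admin/post.php
@@ -14,7 +14,9 @@ require_once( dirname( __FILE__ ) . '/admin.php' );
 $parent_file = 'edit.php';
 $submenu_file = 'edit.php';
 
-wp_reset_vars( array( 'action' ) );
+if ( ! empty( $_REQUEST['action'] ) ) {
+$action = sanitize_text_field( $_REQUEST['action'] );
+}
 
 if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] ) {
 wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );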
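Review bot: `$action` at new line 18 is only set when the parameter is present, so a bare request to post.php now dispatches on an undefined variable rather than the '' the removed call guaranteed (the dispatch that consumes it is below the hunk). Initialize it first: `$action = '';`. The ID-mismatch guard at line 21 deliberately reads `$_GET` and `$_POST` separately, whereas `action` is now read via `$_REQUEST`, whose source and precedence depend on PHP's `request_order` setting rather than the removed POST-then-GET order; if that is intended it deserves a short comment.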
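diff --git a/src/wp-admin/revision.php b/src/wp-admin/revision.php
index 3e72c86dcd..85ab45e10c 100644
--- a/src/wp-admin/revision.php
+++ b/src/wp-admin/revision.php
@@ -21,14 +21,22 @@ require ABSPATH . 'wp-admin/includes/revision.php';
 * @global int $from The revision to compare from.
 * @global int $to Optional, required if revision missing. The revision to compare to.
 */
-wp_reset_vars( array( 'revision', 'action', 'from', 'to' ) );
+if ( ! empty( $_REQUEST['revision'] ) ) {
+$revision_id = absint( $_REQUEST['revision'] );
+}
 
-$revision_id = absint( $revision );
+if ( ! empty( $_REQUEST['action'] ) ) {
+$action = sanitize_text_field( $_REQUEST['action'] );
+}
 
-$from = is_numeric( $from ) ? absint( $from ) : null;
-if ( ! $revision_id ) {
-$revision_id = absint( $to );
+if ( ! empty( $_REQUEST['from'] ) ) {
+$from = is_numeric( $_REQUEST['from'] ) ? absint( $_REQUEST['from'] ) : null;
 }
+
+if ( ! empty( $_REQUEST['to'] ) && ! $revision_id ) {
+$revision_id = absint( $_REQUEST['to'] );
+}
+
 $redirect = 'edit.php';
 
 switch ( $action ) {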
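Review bot: `$revision_id`, `$from` and `$action` are now only assigned inside their `if` blocks, so when `revision` is absent the `! $revision_id` test at new line 36 and the `switch ( $action )` at line 42 read undefined variables; the removed lines 26 and 28 always set `$revision_id` (0 via `absint`) and `$from` (null). Initialize them before the checks: `$revision_id = 0;`, `$from = null;`, `$action = '';`. `$to` is no longer a variable at all, yet the docblock at lines 21-23 still declares `@global int $to` (and `$from`) — update it to say the parameters are read directly from `$_REQUEST`, or drop the stale `@global` tags.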
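diff --git a/src/wp-admin/theme-editor.php b/src/wp-admin/theme-editor.php
index bf3dcd0677..a17906fba8 100644
--- a/src/wp-admin/theme-editor.php
+++ b/src/wp-admin/theme-editor.php
@@ -52,7 +52,21 @@ get_current_screen()->set_help_sidebar(
 '<p>' . __( '<a href="https://wordpress.org/support/">Support Forums</a>' ) . '</p>'
 );
 
-wp_reset_vars( array( 'action', 'error', 'file', 'theme' ) );
+if ( ! empty( $_REQUEST['action'] ) ) {
+$action = sanitize_text_field( $_REQUEST );
+}
+
+if ( ! empty( $_REQUEST['error'] ) ) {
+$error = true;
+}
+
+if ( ! empty( $_REQUEST['theme'] ) ) {
+$theme = sanitize_text_field( $_REQUEST['theme'] );
+}
+
+if ( ! empty( $_REQUEST['file'] ) ) {
+$file = sanitize_text_field( $_REQUEST['file'] );
+}
 
 if ( $theme ) {
 $stylesheet = $theme;
@@ -172,7 +186,7 @@ if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
 }
 
 $file_description = get_file_description( $relative_file );
-$file_show = array_search( $file, array_filter( $allowed_files ) );
+$file_show = arraysearch( $file, array_filter( $allowed_files ) );
 $description = esc_html( $file_description );
 if ( $file_description != $file_show ) {
 $description .= ' <span>(' . esc_html( $file_show ) . ')</span>';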
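Review bot: New line 56 passes the whole `$_REQUEST` array to `sanitize_text_field()` instead of `$_REQUEST['action']`, so `$action` never holds the submitted action and the editor's action handling below the hunk cannot match it; the line must read `$action = sanitize_text_field( $_REQUEST['action'] );`. In the second hunk, line 189 calls `arraysearch()`, which is not a PHP function, so any POST that reaches it fatals; restore `$file_show = array_search( $file, array_filter( $allowed_files ) );` (adding the `true` strict flag would be a reasonable improvement). `$theme` and `$file` are also left undefined when absent, and `if ( $theme )` at line 71 reads it immediately — initialize both to '' before the checks. `$error = true` at line 60 discards whatever value the parameter carried; if the code below only tests truthiness that is fine, but it is a behaviour change from the removed call and deserves a comment.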
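diff --git a/src/wp-admin/theme-install.php b/src/wp-admin/theme-install.php
index e0fa5cf230..031b0c843a 100644
--- a/src/wp-admin/theme-install.php
+++ b/src/wp-admin/theme-install.php
@@ -10,7 +10,9 @@
 require_once( dirname( __FILE__ ) . '/admin.php' );
 require( ABSPATH . 'wp-admin/includes/theme-install.php' );
 
-wp_reset_vars( array( 'tab' ) );
+if ( ! empty( $_REQUEST['tab'] ) ) {
+$tab = sanitize_text_field( $_REQUEST['tab'] );
+}
 
 if ( ! current_user_can( 'install_themes' ) ) {
 wp_die( __( 'Sorry, you are not allowed to install themes on this site.' ) );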
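diff --git a/src/wp-admin/themes.php b/src/wp-admin/themes.php
index 7b0d3b2022..480e750a90 100644
--- a/src/wp-admin/themes.php
+++ b/src/wp-admin/themes.php
@@ -150,7 +150,14 @@ if ( current_user_can( 'switch_themes' ) ) {
 } else {
 $themes = wp_prepare_themes_for_js( array( wp_get_theme() ) );
 }
-wp_reset_vars( array( 'theme', 'search' ) );
+
+if ( ! empty( $_REQUEST['theme'] ) ) {
+$theme = sanitize_text_field( $_REQUEST['theme'] );
+}
+
+if ( ! empty( $_REQUEST['search'] ) ) {
+$search = sanitize_text_field( $_REQUEST['search'] );
+}
 
 wp_localize_script(
 'theme',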
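Review bot: `$theme` and `$search` are only assigned when their parameters are present, so for a plain visit to themes.php both are undefined instead of the '' the removed call guaranteed; the `wp_localize_script()` call that starts at new line 162 continues outside the hunk, and if its settings array reads them the page will emit notices. Add `$theme = ''; $search = '';` before the checks at line 154. If `theme` is a stylesheet slug, `sanitize_key()` or a check against the prepared `$themes` would be a tighter filter than `sanitize_text_field()`, provided the downstream usage permits it.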
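diff --git a/src/wp-admin/user-edit.php b/src/wp-admin/user-edit.php
index ccc0a40010..85044a0f56 100644
--- a/src/wp-admin/user-edit.php
+++ b/src/wp-admin/user-edit.php
@@ -9,9 +9,18 @@
 /** WordPress Administration Bootstrap */
 require_once( dirname( __FILE__ ) . '/admin.php' );
 
-wp_reset_vars( array( 'action', 'user_id', 'wp_http_referer' ) );
+if ( ! empty( $_REQUEST['action'] ) ) {
+$action = sanitize_text_field( $_REQUEST['action'] );
+}
+
+if ( ! empty( $_REQUEST['user_id'] ) ) {
+$user_id = absint( $_REQUEST['user_id'] );
+}
+
+if ( ! empty( $_REQUEST['wp_http_referer'] ) ) {
+$wp_http_referer = sanitize_text_field( $_REQUEST['wp_http_referer'] );
+}
 
-$user_id = (int) $user_id;
 $current_user = wp_get_current_user();
 if ( ! defined( 'IS_PROFILE_PAGE' ) ) {
 define( 'IS_PROFILE_PAGE', ( $user_id == $current_user->ID ) );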
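Review bot: The removed `$user_id = (int) $user_id;` at old line 14 guaranteed an integer, but the new block at lines 16-18 only assigns `$user_id` when the parameter is present, so a request without it reaches the `IS_PROFILE_PAGE` comparison at line 26 with an undefined variable (a notice, then `null == ID`). Replace the block with `$user_id = ! empty( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;`. `$action` and `$wp_http_referer` have the same gap and should default to '' before the checks; `wp_http_referer` is a URL, so `esc_url_raw( wp_unslash( $_REQUEST['wp_http_referer'] ) )` also fits it better than `sanitize_text_field()`, which strips percent-encoded octets from the query string.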