Make WordPress Core

Ticket #38744: 38744-fixes.diff

File 38744-fixes.diff, 2.1 KB (added by santilinwp, 5 years ago)

Patch that works-for-me

  • .gitignore

    diff --git a/.gitignore b/.gitignore
    index e4d192e0ef..55410a124c 100644
    a b wp-tests-config.php 
    7272*.diff
    7373.svn
    7474!/src/js/_enqueues/vendor
     75/nbproject/private/
     76 No newline at end of file
  • src/wp-admin/includes/user.php

    diff --git a/src/wp-admin/includes/user.php b/src/wp-admin/includes/user.php
    index 558ff24970..7d98c82d5d 100644
    a b function edit_user( $user_id = 0 ) { 
    4141        }
    4242
    4343        if ( ! $update && isset( $_POST['user_login'] ) ) {
    44                 $user->user_login = sanitize_user( $_POST['user_login'], true );
     44                $user->user_login = sanitize_user( wp_unslash( $_POST['user_login'] ), true );
    4545        }
    4646
    4747        $pass1 = $pass2 = '';
  • src/wp-includes/user.php

    diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
    index 3819f21f6f..91851cb657 100644
    a b function wp_signon( $credentials = array(), $secure_cookie = '' ) { 
    3535                $credentials = array(); // Back-compat for plugins passing an empty string.
    3636
    3737                if ( ! empty( $_POST['log'] ) ) {
    38                         $credentials['user_login'] = $_POST['log'];
     38                        $credentials['user_login'] = wp_unslash( $_POST['log'] );
    3939                }
    4040                if ( ! empty( $_POST['pwd'] ) ) {
    4141                        $credentials['user_password'] = $_POST['pwd'];
  • src/wp-login.php

    diff --git a/src/wp-login.php b/src/wp-login.php
    index d9b2554783..e2d49f3d63 100644
    a b switch ( $action ) { 
    796796
    797797                if ( $http_post ) {
    798798                        if ( isset( $_POST['user_login'] ) && is_string( $_POST['user_login'] ) ) {
    799                                 $user_login = $_POST['user_login'];
     799                                $user_login = wp_unslash( $_POST['user_login']);
    800800                        }
    801801
    802802                        if ( isset( $_POST['user_email'] ) && is_string( $_POST['user_email'] ) ) {
    switch ( $action ) { 
    904904
    905905                // If the user wants SSL but the session is not SSL, force a secure cookie.
    906906                if ( ! empty( $_POST['log'] ) && ! force_ssl_admin() ) {
    907                         $user_name = sanitize_user( $_POST['log'] );
     907                        $user_name = sanitize_user( wp_unslash( $_POST['log'] ));
    908908                        $user      = get_user_by( 'login', $user_name );
    909909
    910910                        if ( ! $user && strpos( $user_name, '@' ) ) {