Ticket #54160: 54160.2.diff

File 54160.2.diff, 2.3 KB (added by dd32, 4 months ago)
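--- a/wp-includes/theme.php
+++ b/wp-includes/theme.php
@@ -3357,47 +3357,52 @@ function _wp_customize_include() {
         );
 
         $theme             = null;
         $autosaved         = null;
         $messenger_channel = null;
 
         // Value false indicates UUID should be determined after_setup_theme
         // to either re-use existing saved changeset or else generate a new UUID if none exists.
         $changeset_uuid = false;
 
         // Set initially fo false since defaults to true for back-compat;
         // can be overridden via the customize_changeset_branching filter.
         $branching = false;
 
         if ( $is_customize_admin_page && isset( $input_vars['changeset_uuid'] ) ) {
-                $changeset_uuid = sanitize_key( $input_vars['changeset_uuid'] );
+                $changeset_uuid = $input_vars['changeset_uuid'];
         } elseif ( ! empty( $input_vars['customize_changeset_uuid'] ) ) {
-                $changeset_uuid = sanitize_key( $input_vars['customize_changeset_uuid'] );
+                $changeset_uuid = $input_vars['customize_changeset_uuid'];
+        }
+
+        // Sanitize UUID
+        if ( $changeset_uuid && ! wp_is_uuid( $changeset_uuid ) ) {
+                $changeset_uuid = false;
         }
 
         // Note that theme will be sanitized via WP_Theme.
         if ( $is_customize_admin_page && isset( $input_vars['theme'] ) ) {
                 $theme = $input_vars['theme'];
         } elseif ( isset( $input_vars['customize_theme'] ) ) {
                 $theme = $input_vars['customize_theme'];
         }
 
         if ( ! empty( $input_vars['customize_autosaved'] ) ) {
                 $autosaved = true;
         }
 
-        if ( isset( $input_vars['customize_messenger_channel'] ) ) {
+        if ( isset( $input_vars['customize_messenger_channel'] ) && is_string( $input_vars['customize_messenger_channel'] ) ) {
                 $messenger_channel = sanitize_key( $input_vars['customize_messenger_channel'] );
         }
 
         /*
          * Note that settings must be previewed even outside the customizer preview
          * and also in the customizer pane itself. This is to enable loading an existing
          * changeset into the customizer. Previewing the settings only has to be prevented
          * here in the case of a customize_save action because this will cause WP to think
          * there is nothing changed that needs to be saved.
          */
         $is_customize_save_action = (
                 wp_doing_ajax()
                 &&
                 isset( $_REQUEST['action'] )
                 &&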
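Review bot: The new guard at 3378, `if ( $changeset_uuid && ! wp_is_uuid( $changeset_uuid ) )`, skips validation for any falsy input, so a `changeset_uuid` request value such as `'0'` or an empty string passes the `isset()` branch and is kept as-is instead of being reset to the `false` sentinel described in the comment at 3363. Comparing against the sentinel closes that gap: `if ( false !== $changeset_uuid && ! wp_is_uuid( $changeset_uuid ) ) {`. Because `sanitize_key()` no longer runs first, an upper-case UUID that used to be lowercased may now be discarded if `wp_is_uuid()` matches lowercase hex only; that is worth confirming as intended. The `// Sanitize UUID` comment would read more accurately as `// Reject anything that is not a well-formed UUID.`, since the value is validated rather than cleaned. `_wp_customize_include()` starts and ends outside this hunk.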