
Changeset 36560


Timestamp:
02/17/16 20:14:37 (19 months ago)
Author:
ocean90
Message:

Plugins: Remove slashes from search terms and use urldecode() in non-URL contexts.

Fixes #35712.

Location:
trunk/src/wp-admin
Files:
2 edited

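--- a/trunk/src/wp-admin/includes/class-wp-plugins-list-table.php
+++ b/trunk/src/wp-admin/includes/class-wp-plugins-list-table.php
@@ -269,5 +269,5 @@
 
     /**
-     * @global string $s
+     * @global string $s URL encoded search term.
      *
      * @param array $plugin
@@ -278,5 +278,5 @@
 
         foreach ( $plugin as $value ) {
-            if ( is_string( $value ) && false !== stripos( strip_tags( $value ), $s ) ) {
+            if ( is_string( $value ) && false !== stripos( strip_tags( $value ), urldecode( $s ) ) ) {
                 return true;
             }
@@ -317,5 +317,5 @@
 
         if ( ! empty( $_REQUEST['s'] ) ) {
-            $s = esc_html( $_REQUEST['s'] );
+            $s = esc_html( wp_unslash( $_REQUEST['s'] ) );
 
             printf( __( 'No plugins found for “%s”.' ), $s );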
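Review bot: `urldecode( $s )` on new line 280 is re-evaluated for every field of every plugin, because it sits inside the `foreach` at 279 while the search term is the same on each iteration; decode once before the loop, `$search = urldecode( $s );`, and compare with `stripos( strip_tags( $value ), $search )`. The function containing this loop starts and ends outside the hunk, so how `$s` reaches it is not visible here; the docblock change at 271 suggests it is the global URL-encoded term that plugins.php sets. That docblock line could also state that the value is decoded before matching, e.g. `@global string $s URL encoded search term; urldecode() it before matching against plugin data.`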
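--- a/trunk/src/wp-admin/plugins.php
+++ b/trunk/src/wp-admin/plugins.php
@@ -19,5 +19,5 @@
 
 $plugin = isset($_REQUEST['plugin']) ? $_REQUEST['plugin'] : '';
-$s = isset($_REQUEST['s']) ? urlencode($_REQUEST['s']) : '';
+$s = isset($_REQUEST['s']) ? urlencode( wp_unslash( $_REQUEST['s'] ) ) : '';
 
 // Clean up request URI from temporary args for screen options/paging uri's to work as expected.
@@ -487,5 +487,5 @@
 if ( strlen( $s ) ) {
     /* translators: %s: search keywords */
-    printf( '<span class="subtitle">' . __( 'Search results for &#8220;%s&#8221;' ) . '</span>', esc_html( $s ) );
+    printf( '<span class="subtitle">' . __( 'Search results for &#8220;%s&#8221;' ) . '</span>', esc_html( urldecode( $s ) ) );
 }
 ?>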
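Review bot: New line 21 still accepts any value for which `isset()` is true, including an array value of `s`, and `urlencode()` does not accept an array, so `$s` would then not hold a string and `strlen( $s )` at 487 would no longer be testing the intended term; guard the type, `$s = isset( $_REQUEST['s'] ) && is_string( $_REQUEST['s'] ) ? urlencode( wp_unslash( $_REQUEST['s'] ) ) : '';`, which also brings the `isset( ... )` spacing in line with the `wp_unslash( ... )` call on the same line. The same shape assumption is made at line 319 of class-wp-plugins-list-table.php, where `! empty( $_REQUEST['s'] )` is also true for a non-empty array. A short comment on line 21 would help whoever reads the decode at 489, e.g. `// URL encoded search term; urldecode() before using it as text.`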