
Changeset 36560


Timestamp:
02/17/2016 08:14:37 PM (9 years ago)
Author:
ocean90
Message:

Plugins: Remove slashes from search terms and use urldecode() in non-URL contexts.

Fixes #35712.

Location:
trunk/src/wp-admin
Files:
2 edited

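--- a/trunk/src/wp-admin/includes/class-wp-plugins-list-table.php
+++ b/trunk/src/wp-admin/includes/class-wp-plugins-list-table.php
@@ -269,5 +269,5 @@
 
     /**
-     * @global string $s
+     * @global string $s URL encoded search term.
      *
      * @param array $plugin
@@ -278,5 +278,5 @@
 
         foreach ( $plugin as $value ) {
-            if ( is_string( $value ) && false !== stripos( strip_tags( $value ), $s ) ) {
+            if ( is_string( $value ) && false !== stripos( strip_tags( $value ), urldecode( $s ) ) ) {
                 return true;
             }
@@ -317,5 +317,5 @@
 
         if ( ! empty( $_REQUEST['s'] ) ) {
-            $s = esc_html( $_REQUEST['s'] );
+            $s = esc_html( wp_unslash( $_REQUEST['s'] ) );
 
             printf( __( 'No plugins found for “%s”.' ), $s );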
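Review bot: `urldecode( $s )` in the foreach at line 280 is re-evaluated for every plugin field although `$s` is loop-invariant; hoisting it above the loop as `$needle = urldecode( $s );` and comparing against `$needle` keeps the hunk's intent without the repeated decode. The new `@global` docblock could also say which encoding is meant, since plugins.php sets `$s` with `urlencode()` and so `urldecode()` (not `rawurldecode()`) is the matching decode, e.g. `@global string $s Search term as encoded by urlencode() in plugins.php.` The enclosing search callback starts and ends outside the hunk, so any other path that sets the global `$s` unencoded would now be decoded as well — worth confirming.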
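--- a/trunk/src/wp-admin/plugins.php
+++ b/trunk/src/wp-admin/plugins.php
@@ -19,5 +19,5 @@
 
 $plugin = isset($_REQUEST['plugin']) ? $_REQUEST['plugin'] : '';
-$s = isset($_REQUEST['s']) ? urlencode($_REQUEST['s']) : '';
+$s = isset($_REQUEST['s']) ? urlencode( wp_unslash( $_REQUEST['s'] ) ) : '';
 
 // Clean up request URI from temporary args for screen options/paging uri's to work as expected.
@@ -487,5 +487,5 @@
 if ( strlen( $s ) ) {
     /* translators: %s: search keywords */
-    printf( '<span class="subtitle">' . __( 'Search results for &#8220;%s&#8221;' ) . '</span>', esc_html( $s ) );
+    printf( '<span class="subtitle">' . __( 'Search results for &#8220;%s&#8221;' ) . '</span>', esc_html( urldecode( $s ) ) );
 }
 ?>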
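Review bot: The rewritten line 21 still passes `wp_unslash( $_REQUEST['s'] )` straight to `urlencode()`, which expects a string; if the `s` request parameter arrives as an array rather than a scalar, `wp_unslash()` returns an array and `urlencode()` emits a warning (a `TypeError` on current PHP releases) instead of producing a usable `$s`. A type guard keeps the line robust: `$s = isset( $_REQUEST['s'] ) && is_string( $_REQUEST['s'] ) ? urlencode( wp_unslash( $_REQUEST['s'] ) ) : '';`. The output at line 489 is correctly paired — `urlencode()` on the way in, `urldecode()` before `esc_html()` on the way out — so the subtitle shows the unslashed term rather than its percent-encoded form; a short comment there such as `// $s holds the urlencode()d term from line 21; decode it before escaping for display.` would make the round trip explicit for later readers.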