Changeset 41399
- Timestamp:
- 09/19/2017 10:10:35 AM (7 years ago)
- Location:
- trunk/src/wp-admin
- Files:
-
- 5 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/src/wp-admin/includes/class-wp-plugins-list-table.php
r41290 r41399 599 599 if ( current_user_can( 'manage_network_plugins' ) ) { 600 600 /* translators: %s: plugin name */ 601 $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&plugin=' . $plugin_file. '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( _x( 'Network Deactivate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Deactivate' ) . '</a>';601 $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&plugin=' . urlencode( $plugin_file ) . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( _x( 'Network Deactivate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Deactivate' ) . '</a>'; 602 602 } 603 603 } else { 604 604 if ( current_user_can( 'manage_network_plugins' ) ) { 605 605 /* translators: %s: plugin name */ 606 $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&plugin=' . $plugin_file. '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( _x( 'Network Activate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Activate' ) . '</a>';606 $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&plugin=' . urlencode( $plugin_file ) . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( _x( 'Network Activate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Activate' ) . '</a>'; 607 607 } 608 608 if ( current_user_can( 'delete_plugins' ) && ! is_plugin_active( $plugin_file ) ) { 609 609 /* translators: %s: plugin name */ 610 $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&checked[]=' . $plugin_file. '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( _x( 'Delete %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>';610 $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&checked[]=' . urlencode( $plugin_file ) . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( _x( 'Delete %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>'; 611 611 } 612 612 } … … 623 623 if ( current_user_can( 'deactivate_plugin', $plugin_file ) ) { 624 624 /* translators: %s: plugin name */ 625 $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&plugin=' . $plugin_file. '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( _x( 'Deactivate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Deactivate' ) . '</a>';625 $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&plugin=' . urlencode( $plugin_file ) . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( _x( 'Deactivate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Deactivate' ) . '</a>'; 626 626 } 627 627 } else { 628 628 if ( current_user_can( 'activate_plugin', $plugin_file ) ) { 629 629 /* translators: %s: plugin name */ 630 $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&plugin=' . $plugin_file. '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( _x( 'Activate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Activate' ) . '</a>';630 $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&plugin=' . urlencode( $plugin_file ) . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( _x( 'Activate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Activate' ) . '</a>'; 631 631 } 632 632 633 633 if ( ! is_multisite() && current_user_can( 'delete_plugins' ) ) { 634 634 /* translators: %s: plugin name */ 635 $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&checked[]=' . $plugin_file. '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( _x( 'Delete %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>';635 $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&checked[]=' . urlencode( $plugin_file ) . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( _x( 'Delete %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>'; 636 636 } 637 637 } // end if $is_active -
trunk/src/wp-admin/includes/template.php
r41221 r41399 773 773 foreach ( array_keys( $templates ) as $template ) { 774 774 $selected = selected( $default, $templates[ $template ], false ); 775 echo "\n\t<option value='" . $templates[ $template ] . "' $selected>$template</option>";775 echo "\n\t<option value='" . esc_attr( $templates[ $template ] ) . "' $selected>" . esc_html( $template ) . "</option>"; 776 776 } 777 777 } -
trunk/src/wp-admin/plugin-editor.php
r41376 r41399 38 38 $plugin = ''; 39 39 if ( isset( $_REQUEST['file'] ) ) { 40 $file = sanitize_text_field( $_REQUEST['file'] );40 $file = wp_unslash( $_REQUEST['file'] ); 41 41 } 42 42 43 43 if ( isset( $_REQUEST['plugin'] ) ) { 44 $plugin = sanitize_text_field( $_REQUEST['plugin'] );44 $plugin = wp_unslash( $_REQUEST['plugin'] ); 45 45 } 46 46 … … 108 108 109 109 if ( ( ! empty( $_GET['networkwide'] ) && ! is_plugin_active_for_network( $file ) ) || ! is_plugin_active( $file ) ) { 110 activate_plugin( $plugin, "plugin-editor.php?file= $file&phperror=1", ! empty( $_GET['networkwide'] ) );110 activate_plugin( $plugin, "plugin-editor.php?file=" . urlencode( $file ) . "&phperror=1", ! empty( $_GET['networkwide'] ) ); 111 111 } // we'll override this later if the plugin can be included without fatal error 112 112 113 wp_redirect( self_admin_url( "plugin-editor.php?file=$file&plugin=$plugin&a=te&scrollto=$scrollto") );113 wp_redirect( self_admin_url( 'plugin-editor.php?file=' . urlencode( $file ) . '&plugin=' . urlencode( $plugin ) . "&a=te&scrollto=$scrollto" ) ); 114 114 exit; 115 115 } … … 243 243 if ( is_writeable( $real_file ) ) { 244 244 /* translators: %s: plugin file name */ 245 echo sprintf( __( 'Editing %s (active)' ), '<strong>' . $file. '</strong>' );245 echo sprintf( __( 'Editing %s (active)' ), '<strong>' . esc_html( $file ) . '</strong>' ); 246 246 } else { 247 247 /* translators: %s: plugin file name */ 248 echo sprintf( __( 'Browsing %s (active)' ), '<strong>' . $file. '</strong>' );248 echo sprintf( __( 'Browsing %s (active)' ), '<strong>' . esc_html( $file ) . '</strong>' ); 249 249 } 250 250 } else { 251 251 if ( is_writeable( $real_file ) ) { 252 252 /* translators: %s: plugin file name */ 253 echo sprintf( __( 'Editing %s (inactive)' ), '<strong>' . $file. '</strong>' );253 echo sprintf( __( 'Editing %s (inactive)' ), '<strong>' . esc_html( $file ) . '</strong>' ); 254 254 } else { 255 255 /* translators: %s: plugin file name */ 256 echo sprintf( __( 'Browsing %s (inactive)' ), '<strong>' . $file. '</strong>' );256 echo sprintf( __( 'Browsing %s (inactive)' ), '<strong>' . esc_html( $file ) . '</strong>' ); 257 257 } 258 258 } … … 299 299 } 300 300 ?> 301 <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&plugin=<?php echo urlencode( $plugin ) ?>"><?php echo $plugin_file?></a></li>301 <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&plugin=<?php echo urlencode( $plugin ) ?>"><?php echo esc_html( $plugin_file ); ?></a></li> 302 302 <?php endforeach; ?> 303 303 </ul> -
trunk/src/wp-admin/plugins.php
r41290 r41399 18 18 $action = $wp_list_table->current_action(); 19 19 20 $plugin = isset($_REQUEST['plugin']) ? $_REQUEST['plugin']: '';20 $plugin = isset($_REQUEST['plugin']) ? wp_unslash( $_REQUEST['plugin'] ) : ''; 21 21 $s = isset($_REQUEST['s']) ? urlencode( wp_unslash( $_REQUEST['s'] ) ) : ''; 22 22 … … 41 41 check_admin_referer('activate-plugin_' . $plugin); 42 42 43 $result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . $plugin), is_network_admin() );43 $result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . urlencode( $plugin ) ), is_network_admin() ); 44 44 if ( is_wp_error( $result ) ) { 45 45 if ( 'unexpected_output' == $result->get_error_code() ) { 46 $redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . $plugin. "&plugin_status=$status&paged=$page&s=$s");46 $redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . urlencode( $plugin ) . "&plugin_status=$status&paged=$page&s=$s"); 47 47 wp_redirect(add_query_arg('_error_nonce', wp_create_nonce('plugin-activation-error_' . $plugin), $redirect)); 48 48 exit; … … 75 75 check_admin_referer('bulk-plugins'); 76 76 77 $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked']: array();77 $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array(); 78 78 79 79 if ( is_network_admin() ) { … … 128 128 129 129 if ( isset( $_GET['plugins'] ) ) 130 $plugins = explode( ',', $_GET['plugins']);130 $plugins = explode( ',', wp_unslash( $_GET['plugins'] ) ); 131 131 elseif ( isset( $_POST['checked'] ) ) 132 $plugins = (array) $_POST['checked'];132 $plugins = (array) wp_unslash( $_POST['checked'] ); 133 133 else 134 134 $plugins = array(); … … 206 206 check_admin_referer('bulk-plugins'); 207 207 208 $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked']: array();208 $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array(); 209 209 // Do not deactivate plugins which are already deactivated. 210 210 if ( is_network_admin() ) { … … 251 251 252 252 //$_POST = from the plugin form; $_GET = from the FTP details screen. 253 $plugins = isset( $_REQUEST['checked'] ) ? (array) $_REQUEST['checked']: array();253 $plugins = isset( $_REQUEST['checked'] ) ? (array) wp_unslash( $_REQUEST['checked'] ) : array(); 254 254 if ( empty( $plugins ) ) { 255 255 wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") ); … … 385 385 if ( isset( $_POST['checked'] ) ) { 386 386 check_admin_referer('bulk-plugins'); 387 $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked']: array();387 $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array(); 388 388 $sendback = wp_get_referer(); 389 389 -
trunk/src/wp-admin/theme-editor.php
r41376 r41399 133 133 $file = $allowed_files['style.css']; 134 134 } else { 135 $relative_file = $file;135 $relative_file = wp_unslash( $file ); 136 136 $file = $theme->get_stylesheet_directory() . '/' . $relative_file; 137 137 } … … 196 196 <?php endif; 197 197 198 $ description = get_file_description( $relative_file );198 $file_description = get_file_description( $relative_file ); 199 199 $file_show = array_search( $file, array_filter( $allowed_files ) ); 200 if ( $description != $file_show ) 201 $description .= ' <span>(' . $file_show . ')</span>'; 200 $description = esc_html( $file_description ); 201 if ( $file_description != $file_show ) { 202 $description .= ' <span>(' . esc_html( $file_show ) . ')</span>'; 203 } 202 204 ?> 203 205 <div class="wrap"> … … 270 272 } 271 273 272 $file_description = get_file_description( $filename);274 $file_description = esc_html( get_file_description( $filename ) ); 273 275 if ( $filename !== basename( $absolute_filename ) || $file_description !== $filename ) { 274 $file_description .= '<br /><span class="nonessential">(' . $filename. ')</span>';276 $file_description .= '<br /><span class="nonessential">(' . esc_html( $filename ) . ')</span>'; 275 277 } 276 278
Note: See TracChangeset
for help on using the changeset viewer.