Changeset 41399 for trunk/src/wp-admin/includes/template.php

Timestamp:

09/19/2017 10:10:35 AM (8 years ago)

Author:

johnbillion

Message:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Props kawauso, Mte90 for initial patches

Fixes #13377

File:

• trunk/src/wp-admin/includes/template.php (modified) (1 diff)

trunk/src/wp-admin/includes/template.php

@@ -773 +773 @@
     foreach ( array_keys( $templates ) as $template ) {
         $selected = selected( $default, $templates[ $template ], false );
-        echo "\n\t<option value='" . $templates[ $template ] . "' $selected>$template</option>";
+        echo "\n\t<option value='" . esc_attr( $templates[ $template ] ) . "' $selected>" . esc_html( $template ) . "</option>";
     }
 }