Timestamp:
09/19/2017 10:10:35 AM (8 years ago)
Author:
johnbillion
Message:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Props kawauso, Mte90 for initial patches

Fixes #13377

File:
1 edited

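--- a/trunk/src/wp-admin/theme-editor.php
+++ b/trunk/src/wp-admin/theme-editor.php
@@ -133,5 +133,5 @@
     $file = $allowed_files['style.css'];
 } else {
-    $relative_file = $file;
+    $relative_file = wp_unslash( $file );
     $file = $theme->get_stylesheet_directory() . '/' . $relative_file;
 }
@@ -196,8 +196,10 @@
 <?php endif;
 
-$description = get_file_description( $relative_file );
+$file_description = get_file_description( $relative_file );
 $file_show = array_search( $file, array_filter( $allowed_files ) );
-if ( $description != $file_show )
-    $description .= ' <span>(' . $file_show . ')</span>';
+$description = esc_html( $file_description );
+if ( $file_description != $file_show ) {
+    $description .= ' <span>(' . esc_html( $file_show ) . ')</span>';
+}
 ?>
 <div class="wrap">
@@ -270,7 +272,7 @@
         }
 
-        $file_description = get_file_description( $filename );
+        $file_description = esc_html( get_file_description( $filename ) );
         if ( $filename !== basename( $absolute_filename ) || $file_description !== $filename ) {
-            $file_description .= '<br /><span class="nonessential">(' . $filename . ')</span>';
+            $file_description .= '<br /><span class="nonessential">(' . esc_html( $filename ) . ')</span>';
         }
 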
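Review bot: In the third hunk the `$file_description !== $filename` check now compares the HTML-escaped description against the raw filename, because `esc_html()` is applied on the assignment line rather than only at output; a filename containing a character that esc_html rewrites (such as `&`) would compare unequal even when the description is just the filename, and the redundant `(filename)` suffix would be rendered. The second hunk keeps the raw value for its comparison and escapes into a separate variable, so the same pattern here would be `$raw_description = get_file_description( $filename );`, `$file_description = esc_html( $raw_description );` and `|| $raw_description !== $filename ) {` in the condition. This is cosmetic rather than a security regression, since the output is escaped either way. In the first hunk, `wp_unslash( $file )` is still joined directly into a filesystem path, and the allow-list or traversal check on `$relative_file` is not visible in this view, so it should be confirmed to run before that path is used. The loop that defines `$filename` and `$absolute_filename` begins and ends outside the hunk.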