WordPress.org

Make WordPress Core


Ignore:
Timestamp:
09/19/2017 10:15:56 AM (2 years ago)
Author:
johnbillion
Message:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41399], with additions, to the 4.8 branch.

See #13377

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/4.8/src/wp-admin/includes/template.php

    r40823 r41412  
    773773    foreach ( array_keys( $templates ) as $template ) {
    774774        $selected = selected( $default, $templates[ $template ], false );
    775         echo "\n\t<option value='" . $templates[ $template ] . "' $selected>$template</option>";
     775        echo "\n\t<option value='" . esc_attr( $templates[ $template ] ) . "' $selected>" . esc_html( $template ) . "</option>";
    776776    }
    777777}
Note: See TracChangeset for help on using the changeset viewer.