WordPress.org

Make WordPress Core


Ignore:
Timestamp:
09/19/2017 10:15:56 AM (2 years ago)
Author:
johnbillion
Message:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41399], with additions, to the 4.8 branch.

See #13377

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/4.8/src/wp-admin/plugin-editor.php

    r38745 r41412  
    3838$plugin = '';
    3939if ( isset( $_REQUEST['file'] ) ) {
    40     $file = sanitize_text_field( $_REQUEST['file'] );
     40    $file = wp_unslash( $_REQUEST['file'] );
    4141}
    4242
    4343if ( isset( $_REQUEST['plugin'] ) ) {
    44     $plugin = sanitize_text_field( $_REQUEST['plugin'] );
     44    $plugin = wp_unslash( $_REQUEST['plugin'] );
    4545}
    4646
     
    108108
    109109        if ( ( ! empty( $_GET['networkwide'] ) && ! is_plugin_active_for_network( $file ) ) || ! is_plugin_active( $file ) ) {
    110             activate_plugin( $plugin, "plugin-editor.php?file=$file&phperror=1", ! empty( $_GET['networkwide'] ) );
     110            activate_plugin( $plugin, "plugin-editor.php?file=" . urlencode( $file ) . "&phperror=1", ! empty( $_GET['networkwide'] ) );
    111111        } // we'll override this later if the plugin can be included without fatal error
    112112
    113         wp_redirect( self_admin_url("plugin-editor.php?file=$file&plugin=$plugin&a=te&scrollto=$scrollto") );
     113        wp_redirect( self_admin_url( 'plugin-editor.php?file=' . urlencode( $file ) . '&plugin=' . urlencode( $plugin ) . "&a=te&scrollto=$scrollto" ) );
    114114        exit;
    115115    }
     
    204204        if ( is_writeable( $real_file ) ) {
    205205            /* translators: %s: plugin file name */
    206             echo sprintf( __( 'Editing %s (active)' ), '<strong>' . $file . '</strong>' );
     206            echo sprintf( __( 'Editing %s (active)' ), '<strong>' . esc_html( $file ) . '</strong>' );
    207207        } else {
    208208            /* translators: %s: plugin file name */
    209             echo sprintf( __( 'Browsing %s (active)' ), '<strong>' . $file . '</strong>' );
     209            echo sprintf( __( 'Browsing %s (active)' ), '<strong>' . esc_html( $file ) . '</strong>' );
    210210        }
    211211    } else {
    212212        if ( is_writeable( $real_file ) ) {
    213213            /* translators: %s: plugin file name */
    214             echo sprintf( __( 'Editing %s (inactive)' ), '<strong>' . $file . '</strong>' );
     214            echo sprintf( __( 'Editing %s (inactive)' ), '<strong>' . esc_html( $file ) . '</strong>' );
    215215        } else {
    216216            /* translators: %s: plugin file name */
    217             echo sprintf( __( 'Browsing %s (inactive)' ), '<strong>' . $file . '</strong>' );
     217            echo sprintf( __( 'Browsing %s (inactive)' ), '<strong>' . esc_html( $file ) . '</strong>' );
    218218        }
    219219    }
     
    260260    }
    261261?>
    262         <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&amp;plugin=<?php echo urlencode( $plugin ) ?>"><?php echo $plugin_file ?></a></li>
     262        <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&amp;plugin=<?php echo urlencode( $plugin ) ?>"><?php echo esc_html( $plugin_file ); ?></a></li>
    263263<?php endforeach; ?>
    264264    </ul>
Note: See TracChangeset for help on using the changeset viewer.