Timestamp:
09/19/2017 10:15:56 AM (2 years ago)
Author:
johnbillion
Message:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41399], with additions, to the 4.8 branch.

See #13377

File:
1 edited

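--- a/branches/4.8/src/wp-admin/theme-editor.php
+++ b/branches/4.8/src/wp-admin/theme-editor.php
@@ -100,5 +100,5 @@
     $file = $allowed_files['style.css'];
 } else {
-    $relative_file = $file;
+    $relative_file = wp_unslash( $file );
     $file = $theme->get_stylesheet_directory() . '/' . $relative_file;
 }
@@ -157,8 +157,10 @@
 <?php endif;
 
-$description = get_file_description( $relative_file );
+$file_description = get_file_description( $relative_file );
 $file_show = array_search( $file, array_filter( $allowed_files ) );
-if ( $description != $file_show )
-    $description .= ' <span>(' . $file_show . ')</span>';
+$description = esc_html( $file_description );
+if ( $file_description != $file_show ) {
+    $description .= ' <span>(' . esc_html( $file_show ) . ')</span>';
+}
 ?>
 <div class="wrap">
@@ -231,7 +233,7 @@
         }
 
-        $file_description = get_file_description( $filename );
+        $file_description = esc_html( get_file_description( $filename ) );
         if ( $filename !== basename( $absolute_filename ) || $file_description !== $filename ) {
-            $file_description .= '<br /><span class="nonessential">(' . $filename . ')</span>';
+            $file_description .= '<br /><span class="nonessential">(' . esc_html( $filename ) . ')</span>';
         }
 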
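Review bot: In the second hunk `$file_show` comes from `array_search` without the strict flag, so it can be `false` when `$file` is not among the allowed files; the loose `!=` then treats any non-empty description as different from `false` and the new `esc_html( $file_show )` emits an empty `<span>()</span>`. Guard the miss and compare strictly, matching the `!==` the third hunk already uses: `$file_show = array_search( $file, array_filter( $allowed_files ), true );` and `if ( false !== $file_show && $file_description !== $file_show ) {`. In the third hunk the now-escaped `$file_description` is compared with the raw `$filename`, so a name containing `&`, `<` or a quote no longer equals its own description and the parenthetical is appended where it previously was not; comparing the unescaped value (`$raw_description = get_file_description( $filename );` and `$raw_description !== $filename`) and escaping only for output keeps the old behaviour. The loop enclosing the third hunk starts outside the hunk.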