Make WordPress Core


Timestamp:
09/19/2017 10:21:45 AM (7 years ago)
Author:
johnbillion
Message:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41413] to the 4.6 branch

See #13377

File:
1 edited

  • branches/4.6/src/wp-admin/includes/template.php

    r38226 r41414  
    770770    foreach ( array_keys( $templates ) as $template ) {
    771771        $selected = selected( $default, $templates[ $template ], false );
    772         echo "\n\t<option value='" . $templates[ $template ] . "' $selected>$template</option>";
     772        echo "\n\t<option value='" . esc_attr( $templates[ $template ] ) . "' $selected>" . esc_html( $template ) . "</option>";
    773773    }
    774774}
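Review bot: on the new line 772, `$selected` is still interpolated unescaped between the `esc_attr()` value and the `esc_html()` label. That is only safe because it is the return value of `selected( $default, $templates[ $template ], false )` on the line above, so a short inline comment saying so would stop a later edit from swapping in an arbitrary string there. As a style point, the loop walks `array_keys( $templates )` and then indexes back into `$templates` three times; `foreach ( $templates as $name => $file )` would make it clearer which variable is the display name going through `esc_html()` and which is the file value going through `esc_attr()`. The commit message mentions URL-encoding and plugin names, but this changeset touches one file and only adds HTML escaping for template names, so it is worth confirming that the rest of [41413] does not apply to the 4.6 branch.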