WordPress.org

Make WordPress Core


Ignore:
Timestamp:
09/19/2017 12:12:15 PM (3 years ago)
Author:
johnbillion
Message:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41415] and [41416] into the 4.4 branch.

See #13377

Location:
branches/4.4
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/4.4

  • branches/4.4/src/wp-admin/plugin-editor.php

    r35107 r41434  
    9797
    9898        if ( ( ! empty( $_GET['networkwide'] ) && ! is_plugin_active_for_network($file) ) || ! is_plugin_active($file) )
    99             activate_plugin($file, "plugin-editor.php?file=$file&phperror=1", ! empty( $_GET['networkwide'] ) ); // we'll override this later if the plugin can be included without fatal error
    100 
    101         wp_redirect( self_admin_url("plugin-editor.php?file=$file&a=te&scrollto=$scrollto") );
     99            activate_plugin($file, "plugin-editor.php?file=" . urlencode( $file ) . "&phperror=1", ! empty( $_GET['networkwide'] ) ); // we'll override this later if the plugin can be included without fatal error
     100
     101        wp_redirect( self_admin_url("plugin-editor.php?file=" . urlencode( $file ) . "&a=te&scrollto=$scrollto") );
    102102        exit;
    103103    }
     
    192192        if ( is_writeable( $real_file ) ) {
    193193            /* translators: %s: plugin file name */
    194             echo sprintf( __( 'Editing %s (active)' ), '<strong>' . $file . '</strong>' );
     194            echo sprintf( __( 'Editing %s (active)' ), '<strong>' . esc_html( $file ) . '</strong>' );
    195195        } else {
    196196            /* translators: %s: plugin file name */
    197             echo sprintf( __( 'Browsing %s (active)' ), '<strong>' . $file . '</strong>' );
     197            echo sprintf( __( 'Browsing %s (active)' ), '<strong>' . esc_html( $file ) . '</strong>' );
    198198        }
    199199    } else {
    200200        if ( is_writeable( $real_file ) ) {
    201201            /* translators: %s: plugin file name */
    202             echo sprintf( __( 'Editing %s (inactive)' ), '<strong>' . $file . '</strong>' );
     202            echo sprintf( __( 'Editing %s (inactive)' ), '<strong>' . esc_html( $file ) . '</strong>' );
    203203        } else {
    204204            /* translators: %s: plugin file name */
    205             echo sprintf( __( 'Browsing %s (inactive)' ), '<strong>' . $file . '</strong>' );
     205            echo sprintf( __( 'Browsing %s (inactive)' ), '<strong>' . esc_html( $file ) . '</strong>' );
    206206        }
    207207    }
     
    248248    }
    249249?>
    250         <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&amp;plugin=<?php echo urlencode( $plugin ) ?>"><?php echo $plugin_file ?></a></li>
     250        <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&amp;plugin=<?php echo urlencode( $plugin ) ?>"><?php echo esc_html( $plugin_file ); ?></a></li>
    251251<?php endforeach; ?>
    252252    </ul>
Note: See TracChangeset for help on using the changeset viewer.