Changeset 41449 for branches/3.9/src/wp-admin/theme-editor.php

Timestamp:

09/19/2017 01:43:28 PM (8 years ago)

Author:

johnbillion

Message:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41434] with changes to the 3.9 branch.

See #13377

Location:

branches/3.9

Files:

• . (modified) (1 prop)
• src/wp-admin/theme-editor.php (modified) (3 diffs)

branches/3.9/src/wp-admin/theme-editor.php

@@ -69 +69 @@
     $file = $allowed_files['style.css'];
 } else {
-    $relative_file = $file;
+    $relative_file = wp_unslash( $file );
     $file = $theme->get_stylesheet_directory() . '/' . $relative_file;
 }
@@ -128 +128 @@
 <?php endif;
 
-$description = get_file_description( $file );
+$file_description = get_file_description( $relative_file );
 $file_show = array_search( $file, array_filter( $allowed_files ) );
-if ( $description != $file_show )
-    $description .= ' <span>(' . $file_show . ')</span>';
+$description = esc_html( $file_description );
+if ( $file_description != $file_show ) {
+    $description .= ' <span>(' . esc_html( $file_show ) . ')</span>';
+}
 ?>
 <div class="wrap">
@@ -180 +182 @@
             echo "\t</ul>\n\t<h3>" . _x( 'Styles', 'Theme stylesheets in theme editor' ) . "</h3>\n\t<ul>\n";
 
-        $file_description = get_file_description( $absolute_filename );
+        $file_description = esc_html( get_file_description( $filename ) );
         if ( $file_description != basename( $filename ) )
-            $file_description .= '<br /><span class="nonessential">(' . $filename . ')</span>';
+            $file_description .= '<br /><span class="nonessential">(' . esc_html( $filename ) . ')</span>';
 
         if ( $absolute_filename == $file )