Context Navigation

← Previous Change
Next Change →

plugin-editor.php

Timestamp:

09/19/2017 01:50:05 PM (8 years ago)

Author:

johnbillion

Message:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41434] with changes to the 3.7 branch.

See #13377

Location:

branches/3.7

Files:

: 3 edited

. (modified) (1 prop)
src (modified) (1 prop)
src/wp-admin/plugin-editor.php (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

branches/3.7

Property svn:mergeinfo changed

/branches/3.8	merged: 41452
/branches/3.9	merged: 41449
/branches/4.0 (added)	merged: 41447
/branches/4.1 (added)	merged: 41446
/branches/4.2	merged: 41445
/branches/4.3	merged: 41444
/branches/4.4 (added)	merged: 41434
/branches/4.5 (added)	merged: 41415-41416
/branches/4.6	merged: 41414

branches/3.7/src
- Property svn:mergeinfo changed
  /branches/3.8/src (added) merged: 41452

branches/3.7/src/wp-admin/plugin-editor.php

-                      r25616
+                      r41456
         if ( ( ! empty( $_GET['networkwide'] ) && ! is_plugin_active_for_network($file) ) || ! is_plugin_active($file) )
             activate_plugin($file, "plugin-editor.php?file=$file&phperror=1", ! empty( $_GET['networkwide'] ) ); // we'll override this later if the plugin can be included without fatal error
         wp_redirect( self_admin_url("plugin-editor.php?file=$file&a=te&scrollto=$scrollto") );
+            activate_plugin($file, "plugin-editor.php?file=" . urlencode( $file ) . "&phperror=1", ! empty( $_GET['networkwide'] ) ); // we'll override this later if the plugin can be included without fatal error
+        wp_redirect( self_admin_url("plugin-editor.php?file=" . urlencode( $file ) . "&a=te&scrollto=$scrollto") );
         exit;
+    }
 …
     if ( is_plugin_active($plugin) ) {
         if ( is_writeable($real_file) )
             echo sprintf(__('Editing <strong>%s</strong> (active)'), $file);
+            echo sprintf(__('Editing <strong>%s</strong> (active)'), esc_html( $file ) );
         else
             echo sprintf(__('Browsing <strong>%s</strong> (active)'), $file);
+            echo sprintf(__('Browsing <strong>%s</strong> (active)'), esc_html( $file ) );
     } else {
         if ( is_writeable($real_file) )
             echo sprintf(__('Editing <strong>%s</strong> (inactive)'), $file);
+            echo sprintf(__('Editing <strong>%s</strong> (inactive)'), esc_html( $file ) );
         else
             echo sprintf(__('Browsing <strong>%s</strong> (inactive)'), $file);
+            echo sprintf(__('Browsing <strong>%s</strong> (inactive)'), esc_html( $file ) );
+    }
     ?></big>
 …
+    }
 ?>
         <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&amp;plugin=<?php echo urlencode( $plugin ) ?>"><?php echo $plugin_file ?></a></li>
+        <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&amp;plugin=<?php echo urlencode( $plugin ) ?>"><?php echo esc_html( $plugin_file ); ?></a></li>
 <?php endforeach; ?>
     </ul>

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Make WordPress Core

Context Navigation

Changeset 41456 for branches/3.7/src/wp-admin/plugin-editor.php

Legend:

branches/3.7

branches/3.7/src

branches/3.7/src/wp-admin/plugin-editor.php

Download in other formats: