Changes in trunk/wp-admin/theme-editor.php [3295:4349]

File:

• trunk/wp-admin/theme-editor.php (modified) (8 diffs)

trunk/wp-admin/theme-editor.php

@@ -5 +5 @@
 $parent_file = 'themes.php';
 
-$wpvarstoreset = array('action','redirect','profile','error','warning','a','file', 'theme');
-for ($i=0; $i<count($wpvarstoreset); $i += 1) {
-    $wpvar = $wpvarstoreset[$i];
-    if (!isset($$wpvar)) {
-        if (empty($_POST["$wpvar"])) {
-            if (empty($_GET["$wpvar"])) {
-                $$wpvar = '';
-            } else {
-                $$wpvar = $_GET["$wpvar"];
-            }
-        } else {
-            $$wpvar = $_POST["$wpvar"];
-        }
-    }
-}
+wp_reset_vars(array('action', 'redirect', 'profile', 'error', 'warning', 'a', 'file', 'theme'));
 
 $themes = get_themes();
@@ -31 +17 @@
 
 if ( ! isset($themes[$theme]) )
-    die(__('The requested theme does not exist.'));
+    wp_die(__('The requested theme does not exist.'));
 
 $allowed_files = array_merge($themes[$theme]['Stylesheet Files'], $themes[$theme]['Template Files']);
@@ -48 +34 @@
 case 'update':
 
+    check_admin_referer('edit-theme_' . $file . $theme);
+
     if ( !current_user_can('edit_themes') )
-    die('<p>'.__('You have do not have sufficient permissions to edit templates for this blog.').'</p>');
+        wp_die('<p>'.__('You do not have sufficient permissions to edit templates for this blog.').'</p>');
 
     $newcontent = stripslashes($_POST['newcontent']);
@@ -57 +45 @@
         fwrite($f, $newcontent);
         fclose($f);
-        header("Location: theme-editor.php?file=$file&theme=$theme&a=te");
+        $location = "theme-editor.php?file=$file&theme=$theme&a=te";
     } else {
-        header("Location: theme-editor.php?file=$file&theme=$theme");
+        $location = "theme-editor.php?file=$file&theme=$theme";
     }
 
+    $location = wp_kses_no_null($location);
+    $strip = array('%0d', '%0a');
+    $location = str_replace($strip, '', $location);
+    header("Location: $location");
     exit();
 
@@ -67 +59 @@
 
 default:
-    
+
+    if ( !current_user_can('edit_themes') )
+        wp_die('<p>'.__('You do not have sufficient permissions to edit themes for this blog.').'</p>');
+
     require_once('admin-header.php');
-    if ( !current_user_can('edit_themes') )
-    die('<p>'.__('You have do not have sufficient permissions to edit themes for this blog.').'</p>');
 
     update_recently_edited($file);
-    
+
     if (!is_file($real_file))
         $error = 1;
-    
+
     if (!$error && filesize($real_file) > 0) {
         $f = fopen($real_file, 'r');
@@ -101 +94 @@
 ?>
  </select>
- <input type="submit" name="Submit" value="<?php _e('Select') ?> &raquo;" />
+ <input type="submit" name="Submit" value="<?php _e('Select &raquo;') ?>" class="button" />
  </form>
  </div>
@@ -130 +123 @@
     ?> 
   <form name="template" id="template" action="theme-editor.php" method="post">
+  <?php wp_nonce_field('edit-theme_' . $file . $theme) ?>
          <div><textarea cols="70" rows="25" name="newcontent" id="newcontent" tabindex="1"><?php echo $content ?></textarea> 
      <input type="hidden" name="action" value="update" /> 
@@ -138 +132 @@
      <p class="submit">
 <?php
-    echo "<input type='submit' name='submit' value='    " . __('Update File') . " &raquo;' tabindex='2' />";
+    echo "<input type='submit' name='submit' value='    " . __('Update File &raquo;') . "' tabindex='2' />";
 ?>
 </p>