Make WordPress Core


Timestamp: 06/10/2020 06:15:48 PM
Author: whyisjake
Message:

General: Backport several commits for release.

Embeds: Ensure that the title attribute is set correctly on embeds.
Editor: Prevent HTML decoding on by setting the proper editor context.
Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
Themes: Ensure a broken theme name is returned properly.
Administration: Add a new filter to extend set-screen-option.

Merges [47947-47951] to the 3.7 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.

Location: branches/3.7
Files: 3 edited

  • branches/3.7

  • branches/3.7/src

  • branches/3.7/src/wp-includes/pluggable.php

    r46505 r47962  
    930930 **/
    931931function wp_sanitize_redirect($location) {
    932     $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!]|i', '', $location);
     932    $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%!@]|i', '', $location);
    933933    $location = wp_kses_no_null($location);
    934934
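Review bot: On the new line 932, `@` joins the allow-list with no visible comment on why, and it means a location carrying a userinfo part (`user@host`) now passes through wp_sanitize_redirect() intact. Since wp_validate_redirect() is routed through this sanitizer in the same changeset, please confirm that the allowed-host comparison works on the parsed host component rather than on the raw string, and add a unit test with an `@` in the authority. Separately, the `-` in `0-9-~` is only literal because it directly follows a range; escaping it or moving it to the end of the class would make the pattern easier to audit.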
     
    987987 **/
    988988function wp_validate_redirect($location, $default = '') {
    989     $location = trim( $location, " \t\n\r\0\x08\x0B" );
     989    $location = wp_sanitize_redirect( trim( $location, " \t\n\r\0\x08\x0B" ) );
    990990    // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
    991991    if ( substr($location, 0, 2) == '//' )
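Review bot: The trim() kept inside the new call on line 989 looks redundant: every character in its list (space, \t, \n, \r, \0, \x08, \x0B) is outside the allow-list in wp_sanitize_redirect() and is stripped by the preg_replace there anyway. Either drop it or add a comment saying it is kept deliberately. The docblock should also state that the location is now sanitized before validation, so the value reaching the `//` check on line 991 can differ from what the caller passed, and a regression test should cover a location whose leading characters are removed by the sanitizer but were not in the old trim list.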