Changeset 58069 for trunk/src/wp-admin/revision.php

Timestamp:

05/01/2024 05:59:05 PM (11 months ago)

Author:

swissspidy

Message:

General: Remove any usage of wp_reset_vars().

The way wp_reset_vars() sets global variables based on $_POST and $_GET values makes code hard to understand and maintain. It also makes it easy to forget to sanitize input.

This change removes the few places where wp_reset_vars() is used in the admin to explicitly use $_REQUEST and sanitize any input.

Props swissspidy, audrasjb, davideferre, killua99, weijland, voldemortensen.
Fixes #38073.

File:

• trunk/src/wp-admin/revision.php (modified) (1 diff)

trunk/src/wp-admin/revision.php

@@ -22 +22 @@
  * @global int    $to       Optional, required if revision missing. The revision to compare to.
  */
-wp_reset_vars( array( 'revision', 'action', 'from', 'to' ) );
 
-$revision_id = absint( $revision );
+$revision_id = ! empty( $_REQUEST['revision'] ) ? absint( $_REQUEST['revision'] ) : 0;
+$action      = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$from        = ! empty( $_REQUEST['from'] ) && is_numeric( $_REQUEST['from'] ) ? absint( $_REQUEST['from'] ) : null;
+$to          = ! empty( $_REQUEST['to'] ) && is_numeric( $_REQUEST['to'] ) ? absint( $_REQUEST['to'] ) : null;
 
-$from = is_numeric( $from ) ? absint( $from ) : null;
 if ( ! $revision_id ) {
-    $revision_id = absint( $to );
+    $revision_id = $to;
 }
+
 $redirect = 'edit.php';