Changeset 58069 for trunk/src/wp-admin/user-edit.php

Timestamp:

05/01/2024 05:59:05 PM (11 months ago)

Author:

swissspidy

Message:

General: Remove any usage of wp_reset_vars().

The way wp_reset_vars() sets global variables based on $_POST and $_GET values makes code hard to understand and maintain. It also makes it easy to forget to sanitize input.

This change removes the few places where wp_reset_vars() is used in the admin to explicitly use $_REQUEST and sanitize any input.

Props swissspidy, audrasjb, davideferre, killua99, weijland, voldemortensen.
Fixes #38073.

File:

• trunk/src/wp-admin/user-edit.php (modified) (1 diff)

trunk/src/wp-admin/user-edit.php

@@ -13 +13 @@
 require_once ABSPATH . 'wp-admin/includes/translation-install.php';
 
-wp_reset_vars( array( 'action', 'user_id', 'wp_http_referer' ) );
-
-$user_id      = (int) $user_id;
+$action          = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$user_id         = ! empty( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;
+$wp_http_referer = ! empty( $_REQUEST['wp_http_referer'] ) ? sanitize_text_field( $_REQUEST['wp_http_referer'] ) : '';
+
 $current_user = wp_get_current_user();