WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#20862 closed defect (bug) (fixed)

Limit false positives when enabling WP_Customize_Manager

Reported by: nacin Owned by: ryan
Milestone: 3.4 Priority: lowest
Severity: major Version: 3.4
Component: Customize Keywords:
Focuses: Cc:

Description

I'm doing some final reviews of some of our more intricate 3.4 features, to see where plugin conflicts are most likely.

For instantiating the customizer, this is our current check:

( isset( $_REQUEST['customize'] ) && 'on' == $_REQUEST['customize'] ) || 'customize.php' == basename( $_SERVER['PHP_SELF'] )
  1. While ?customize=something in itself will not conflict with this (we avoid registering a query var), we should consider making this $_REQUEST['wp_customize'] to avoid any chance of ?customize=on conflicting with a theme. Since we now have customize.php for direct URL access, it won't make our user-side URLs any uglier.
  1. That customize.php check will catch plugins with a customize.php file that is directly accessed. While this is going to be a rare conflict, we should include an is_admin() check to ensure we are only looking in the wp-admin directory.

Severity = major in that things will break if there is a conflict. Priority = lowest in that the chance of a conflict is rare.

Attachments (1)

20862.diff (2.3 KB) - added by nacin 3 years ago.

Download all attachments as: .zip

Change History (2)

@nacin3 years ago

comment:1 @ryan3 years ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In [21016]:

Namespace the customize request arg to prevent collision with plugins and themes. Props nacin. fixes #20862

Note: See TracTickets for help on using tickets.