diff --git a/wp-admin/admin-ajax.php b/wp-admin/admin-ajax.php
index 02254ec454..41708f0d4c 100644
--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -146,36 +146,38 @@ if ( ! empty( $_POST['action'] ) && in_array( $_POST['action'], $core_actions_po
 add_action( 'wp_ajax_nopriv_heartbeat', 'wp_ajax_nopriv_heartbeat', 1 );
+$action = ( isset( $_REQUEST['action'] ) ) ? $_REQUEST['action'] : '';
+
 if ( is_user_logged_in() ) {
 // If no action is registered, return a Bad Request response.
- if ( ! has_action( 'wp_ajax_' . $_REQUEST['action'] ) ) {
+ if ( ! has_action( "wp_ajax_{$action}" ) ) {
 wp_die( '0', 400 );
 }
 /**
 * Fires authenticated Ajax actions for logged-in users.
 *
- * The dynamic portion of the hook name, `$_REQUEST['action']`,
- * refers to the name of the Ajax action callback being fired.
+ * The dynamic portion of the hook name, `$action`, refers
+ * to the name of the Ajax action callback being fired.
 *
 * @since 2.1.0
 */
- do_action( 'wp_ajax_' . $_REQUEST['action'] );
+ do_action( "wp_ajax_{$action}" );
 } else {
 // If no action is registered, return a Bad Request response.
- if ( ! has_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] ) ) {
+ if ( ! has_action( "wp_ajax_nopriv_{$action}" ) ) {
 wp_die( '0', 400 );
 }
 /**
 * Fires non-authenticated Ajax actions for logged-out users.
 *
- * The dynamic portion of the hook name, `$_REQUEST['action']`,
- * refers to the name of the Ajax action callback being fired.
+ * The dynamic portion of the hook name, `$action`, refers
+ * to the name of the Ajax action callback being fired.
 *
 * @since 2.8.0
 */
- do_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] );
+ do_action( "wp_ajax_nopriv_{$action}" );
 }
 // Default status
 wp_die( '0' );
diff --git a/wp-admin/admin.php b/wp-admin/admin.php
index 8c3fc2c39a..a3dab04d3d 100644
--- a/wp-admin/admin.php
+++ b/wp-admin/admin.php
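Review bot: The new `$action` assignment at the top of the admin-ajax.php hunk only checks `isset()`, so a non-string value (for example an array-valued `action` parameter) still reaches `has_action( "wp_ajax_{$action}" )` and is interpolated as the literal `Array` with a PHP notice or warning. Restricting it to strings, `$action = ( isset( $_REQUEST['action'] ) && is_string( $_REQUEST['action'] ) ) ? $_REQUEST['action'] : '';`, would normally let malformed requests fall through to the existing 400 response. The same unchecked interpolation applies to `admin_action_{$action}` in wp-admin/admin.php, `network_admin_edit_{$action}` in wp-admin/network/edit.php and `network_sites_updated_message_{$action}` in wp-admin/network/sites.php. Whether a guard earlier in admin-ajax.php, outside this hunk, already rejects non-scalar values cannot be seen here.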
@@ -372,13 +372,15 @@ if ( isset( $plugin_page ) ) {
 }
 if ( ! empty( $_REQUEST['action'] ) ) {
+ $action = $_REQUEST['action'];
+
 /**
 * Fires when an 'action' request variable is sent.
 *
- * The dynamic portion of the hook name, `$_REQUEST['action']`,
- * refers to the action derived from the `GET` or `POST` request.
+ * The dynamic portion of the hook name, `$action`, refers to
+ * the action derived from the `GET` or `POST` request.
 *
 * @since 2.6.0
 */
- do_action( 'admin_action_' . $_REQUEST['action'] );
+ do_action( "admin_action_{$action}" );
 }
diff --git a/wp-admin/network/edit.php b/wp-admin/network/edit.php
index 66f1942624..51381e40bf 100644
--- a/wp-admin/network/edit.php
+++ b/wp-admin/network/edit.php
@@ -10,7 +10,9 @@
 /** Load WordPress Administration Bootstrap */
 require_once( dirname( __FILE__ ) . '/admin.php' );
-if ( empty( $_GET['action'] ) ) {
+$action = ( isset( $_GET['action'] ) ) ? $_GET['action'] : '';
+
+if ( empty( $action ) ) {
 wp_redirect( network_admin_url() );
 exit;
 }
@@ -28,12 +30,12 @@ do_action( 'wpmuadminedit' );
 /**
 * Fires the requested handler action.
 *
- * The dynamic portion of the hook name, `$_GET['action']`, refers to the name
- * of the requested action.
+ * The dynamic portion of the hook name, `$action`, refers to the name
+ * of the requested action derived from the `GET` request.
 *
 * @since 3.1.0
 */
-do_action( 'network_admin_edit_' . $_GET['action'] );
+do_action( "network_admin_edit_{$action}" );
 wp_redirect( network_admin_url() );
 exit();
diff --git a/wp-admin/network/sites.php b/wp-admin/network/sites.php
index 9d0324e86e..b5b55bded5 100644
--- a/wp-admin/network/sites.php
+++ b/wp-admin/network/sites.php
@@ -278,7 +278,9 @@ if ( isset( $_GET['action'] ) ) {
 $msg = '';
 if ( isset( $_GET['updated'] ) ) {
- switch ( $_GET['updated'] ) {
+ $action = $_GET['updated'];
+
+ switch ( $action ) {
 case 'all_notspam':
 $msg = __( 'Sites removed from spam.' );
 break;
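Review bot: The rewritten docblock for `admin_action_{$action}` in wp-admin/admin.php says where `$action` comes from but not what that means for callbacks: the hook that fires is selected by the request itself. I would add one sentence to the docblock, `Callbacks should verify a nonce and the current user's capabilities before changing state.` The same sentence would fit the `wp_ajax_{$action}`, `wp_ajax_nopriv_{$action}` and `network_admin_edit_{$action}` docblocks touched by this commit. The surrounding admin.php code lies outside this hunk, so any checks done before this point are not visible here.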
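Review bot: In the first wp-admin/network/sites.php hunk, `$action = $_GET['updated'];` stores the `updated` status under the name `$action`, while the hunk header shows the same file also branching on `$_GET['action']`. Any later code in that file that reads `$action` would see the `updated` value instead; whether such code exists, and whether this runs at file scope, is outside the hunk. A dedicated name avoids the collision: `$updated = $_GET['updated'];` with `switch ( $updated ) {`, and in the second sites.php hunk `"network_sites_updated_message_{$updated}"` with the docblock reference changed to match.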
@@ -314,16 +316,16 @@ if ( isset( $_GET['updated'] ) ) {
 break;
 default:
 /**
- * Filters a specific, non-default site-updated message in the Network admin.
+ * Filters a specific, non-default, site-updated message in the Network admin.
 *
- * The dynamic portion of the hook name, `$_GET['updated']`, refers to the
- * non-default site update action.
+ * The dynamic portion of the hook name, `$action`, refers to the non-default
+ * site update action.
 *
 * @since 3.1.0
 *
 * @param string $msg The update message. Default 'Settings saved'.
 */
- $msg = apply_filters( 'network_sites_updated_message_' . $_GET['updated'], __( 'Settings saved.' ) );
+ $msg = apply_filters( "network_sites_updated_message_{$action}", __( 'Settings saved.' ) );
 break;
 }
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 0db81ef269..c6772a48fe 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.0-alpha-42348';
+$wp_version = '5.0-alpha-42349';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.