diff --git a/wp-admin/admin-post.php b/wp-admin/admin-post.php
index e71f5cd1e7..be32e0710a 100644
--- a/wp-admin/admin-post.php
+++ b/wp-admin/admin-post.php
@@ -29,7 +29,7 @@ nocache_headers();
 /** This action is documented in wp-admin/admin.php */
 do_action( 'admin_init' );
-$action = ! empty( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 // Reject invalid parameters.
 if ( ! is_scalar( $action ) ) {
diff --git a/wp-admin/comment.php b/wp-admin/comment.php
index 349a32a43e..e1058695a3 100644
--- a/wp-admin/comment.php
+++ b/wp-admin/comment.php
@@ -16,7 +16,8 @@ $submenu_file = 'edit-comments.php';
 * @global string $action
 */
 global $action;
-wp_reset_vars( array( 'action' ) );
+
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 if ( isset( $_POST['deletecomment'] ) ) {
 $action = 'deletecomment';
diff --git a/wp-admin/customize.php b/wp-admin/customize.php
index 2f0bc87b86..2a53480fee 100644
--- a/wp-admin/customize.php
+++ b/wp-admin/customize.php
@@ -84,8 +84,10 @@ if ( $wp_customize->changeset_post_id() ) {
 }
 }
+$url = ! empty( $_REQUEST['url'] ) ? sanitize_text_field( $_REQUEST['url'] ) : '';
+$return = ! empty( $_REQUEST['return'] ) ? sanitize_text_field( $_REQUEST['return'] ) : '';
+$autofocus = ! empty( $_REQUEST['autofocus'] ) ? sanitize_text_field( $_REQUEST['autofocus'] ) : '';
-wp_reset_vars( array( 'url', 'return', 'autofocus' ) );
 if ( ! empty( $url ) ) {
 $wp_customize->set_preview_url( wp_unslash( $url ) );
 }
diff --git a/wp-admin/edit-tag-form.php b/wp-admin/edit-tag-form.php
index 8126f84556..ba2e187de4 100644
--- a/wp-admin/edit-tag-form.php
+++ b/wp-admin/edit-tag-form.php
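Review bot: The `is_scalar( $action )` rejection on the hunk's last context line can no longer fire, because `sanitize_text_field()` returns an empty string for array (or object) input, so an `action[]=` request now silently falls through as an empty action instead of hitting the existing rejection path. If the explicit rejection is still wanted, test the raw value before sanitizing, e.g. `if ( isset( $_REQUEST['action'] ) && ! is_scalar( $_REQUEST['action'] ) ) {` in place of the retained check, and keep the sanitized assignment for the scalar case. The body of that `if` continues outside the hunk.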
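Review bot: Reading `$_REQUEST['action']` widens the input sources relative to the removed `wp_reset_vars()`, which consulted only `$_POST` and `$_GET`: `$_REQUEST` also merges `$_COOKIE` when PHP's `request_order` (or, if it is unset, `variables_order`) includes `C`, so on such hosts a cookie named `action` would participate in choosing the handler here. The same substitution is made in every other hunk of this commit (link.php, media.php, post.php, user-edit.php and the list tables among them), so if this is an accepted trade-off it deserves a short comment at one site, e.g. `// $_REQUEST is used deliberately; see the wp_reset_vars() removal.`; otherwise sourcing the raw value from `$_POST['action'] ?? $_GET['action'] ?? ''` preserves the old source set and POST-over-GET precedence. Core already reads `$_REQUEST` in many places, so this is a consistency observation rather than a new class of issue.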
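Review bot: `sanitize_text_field()` returns `''` for array input, so the new `$autofocus` line discards the value whenever `autofocus` arrives as an array, which as far as I recall is how the Customizer's deep-link URLs pass it (`autofocus[panel|section|control]=…`); the removed `wp_reset_vars()` kept the array intact, so this looks like a functional regression unless the consumer of `$autofocus`, which is outside the hunk, has changed too. Sanitizing element-wise keeps the shape: `$autofocus = ! empty( $_REQUEST['autofocus'] ) && is_array( $_REQUEST['autofocus'] ) ? array_map( 'sanitize_text_field', $_REQUEST['autofocus'] ) : array();`. Separately, `sanitize_text_field()` also strips percent-encoded octets (`%20` and the like), which can corrupt URL-valued parameters such as `$url` and `$return` here and `$wp_http_referer` in the edit-tag-form.php and user-edit.php hunks; `sanitize_url()` is the core helper intended for those values, and `set_preview_url()` and `remove_query_arg()` would then receive an intact URL.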
@@ -44,11 +44,7 @@ if ( 'category' === $taxonomy ) {
 do_action_deprecated( 'edit_tag_form_pre', array( $tag ), '3.0.0', '{$taxonomy}_pre_edit_form' );
 }
-/**
- * Use with caution, see https://developer.wordpress.org/reference/functions/wp_reset_vars/
- */
-wp_reset_vars( array( 'wp_http_referer' ) );
-
+$wp_http_referer = ! empty( $_REQUEST['wp_http_referer'] ) ? sanitize_text_field( $_REQUEST['wp_http_referer'] ) : '';
 $wp_http_referer = remove_query_arg( array( 'action', 'message', 'tag_ID' ), $wp_http_referer );
 // Also used by Edit Tags.
diff --git a/wp-admin/includes/class-wp-links-list-table.php b/wp-admin/includes/class-wp-links-list-table.php
index 5159c1c273..66c4990d0f 100644
--- a/wp-admin/includes/class-wp-links-list-table.php
+++ b/wp-admin/includes/class-wp-links-list-table.php
@@ -50,7 +50,10 @@ class WP_Links_List_Table extends WP_List_Table {
 public function prepare_items() {
 global $cat_id, $s, $orderby, $order;
- wp_reset_vars( array( 'action', 'cat_id', 'link_id', 'orderby', 'order', 's' ) );
+ $cat_id = ! empty( $_REQUEST['cat_id'] ) ? absint( $_REQUEST['cat_id'] ) : 0;
+ $orderby = ! empty( $_REQUEST['orderby'] ) ? sanitize_text_field( $_REQUEST['orderby'] ) : '';
+ $order = ! empty( $_REQUEST['order'] ) ? sanitize_text_field( $_REQUEST['order'] ) : '';
+ $s = ! empty( $_REQUEST['s'] ) ? sanitize_text_field( $_REQUEST['s'] ) : '';
 $args = array(
 'hide_invisible' => 0,
diff --git a/wp-admin/includes/class-wp-ms-themes-list-table.php b/wp-admin/includes/class-wp-ms-themes-list-table.php
index cc0206eec0..96a1d99576 100644
--- a/wp-admin/includes/class-wp-ms-themes-list-table.php
+++ b/wp-admin/includes/class-wp-ms-themes-list-table.php
@@ -99,7 +99,9 @@ class WP_MS_Themes_List_Table extends WP_List_Table {
 public function prepare_items() {
 global $status, $totals, $page, $orderby, $order, $s;
- wp_reset_vars( array( 'orderby', 'order', 's' ) );
+ $orderby = ! empty( $_REQUEST['orderby'] ) ? sanitize_text_field( $_REQUEST['orderby'] ) : '';
+ $order = ! empty( $_REQUEST['order'] ) ? sanitize_text_field( $_REQUEST['order'] ) : '';
+ $s = ! empty( $_REQUEST['s'] ) ? sanitize_text_field( $_REQUEST['s'] ) : '';
 $themes = array(
 /**
diff --git a/wp-admin/includes/class-wp-plugin-install-list-table.php b/wp-admin/includes/class-wp-plugin-install-list-table.php
index f3452a7d94..21922b7943 100644
--- a/wp-admin/includes/class-wp-plugin-install-list-table.php
+++ b/wp-admin/includes/class-wp-plugin-install-list-table.php
@@ -92,7 +92,7 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 global $tabs, $tab, $paged, $type, $term;
- wp_reset_vars( array( 'tab' ) );
+ $tab = ! empty( $_REQUEST['tab'] ) ? sanitize_text_field( $_REQUEST['tab'] ) : '';
 $paged = $this->get_pagenum();
diff --git a/wp-admin/includes/class-wp-plugins-list-table.php b/wp-admin/includes/class-wp-plugins-list-table.php
index 4cc0132b6f..db3148193b 100644
--- a/wp-admin/includes/class-wp-plugins-list-table.php
+++ b/wp-admin/includes/class-wp-plugins-list-table.php
@@ -90,7 +90,8 @@ class WP_Plugins_List_Table extends WP_List_Table {
 public function prepare_items() {
 global $status, $plugins, $totals, $page, $orderby, $order, $s;
- wp_reset_vars( array( 'orderby', 'order' ) );
+ $orderby = ! empty( $_REQUEST['orderby'] ) ? sanitize_text_field( $_REQUEST['orderby'] ) : '';
+ $order = ! empty( $_REQUEST['order'] ) ? sanitize_text_field( $_REQUEST['order'] ) : '';
 /**
 * Filters the full array of plugins to list in the Plugins list table.
diff --git a/wp-admin/includes/class-wp-theme-install-list-table.php b/wp-admin/includes/class-wp-theme-install-list-table.php
index 945fb6e9ef..e273d4bc81 100644
--- a/wp-admin/includes/class-wp-theme-install-list-table.php
+++ b/wp-admin/includes/class-wp-theme-install-list-table.php
@@ -36,7 +36,8 @@ class WP_Theme_Install_List_Table extends WP_Themes_List_Table {
 require ABSPATH . 'wp-admin/includes/theme-install.php';
 global $tabs, $tab, $paged, $type, $theme_field_defaults;
- wp_reset_vars( array( 'tab' ) );
+
+ $tab = ! empty( $_REQUEST['tab'] ) ? sanitize_text_field( $_REQUEST['tab'] ) : '';
 $search_terms = array();
 $search_string = '';
diff --git a/wp-admin/includes/misc.php b/wp-admin/includes/misc.php
index 7794183d6e..ffe3801ce8 100644
--- a/wp-admin/includes/misc.php
+++ b/wp-admin/includes/misc.php
@@ -575,7 +575,6 @@ function update_home_siteurl( $old_value, $value ) {
 }
 }
-
 /**
 * Resets global variables based on $_GET and $_POST.
 *
diff --git a/wp-admin/link-add.php b/wp-admin/link-add.php
index d8c98bb5c7..57450f0a52 100644
--- a/wp-admin/link-add.php
+++ b/wp-admin/link-add.php
@@ -17,7 +17,9 @@ if ( ! current_user_can( 'manage_links' ) ) {
 $title = __( 'Add New Link' );
 $parent_file = 'link-manager.php';
-wp_reset_vars( array( 'action', 'cat_id', 'link_id' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$cat_id = ! empty( $_REQUEST['cat_id'] ) ? absint( $_REQUEST['cat_id'] ) : 0;
+$link_id = ! empty( $_REQUEST['link_id'] ) ? absint( $_REQUEST['link_id'] ) : 0;
 wp_enqueue_script( 'link' );
 wp_enqueue_script( 'xfn' );
diff --git a/wp-admin/link.php b/wp-admin/link.php
index f07cc5897d..36a023a9c8 100644
--- a/wp-admin/link.php
+++ b/wp-admin/link.php
@@ -12,7 +12,9 @@
 /** Load WordPress Administration Bootstrap */
 require_once __DIR__ . '/admin.php';
-wp_reset_vars( array( 'action', 'cat_id', 'link_id' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$cat_id = ! empty( $_REQUEST['cat_id'] ) ? absint( $_REQUEST['cat_id'] ) : 0;
+$link_id = ! empty( $_REQUEST['link_id'] ) ? absint( $_REQUEST['link_id'] ) : 0;
 if ( ! current_user_can( 'manage_links' ) ) {
 wp_link_manager_disabled_message();
diff --git a/wp-admin/media.php b/wp-admin/media.php
index 5b7ac353c6..ab8952f8c1 100644
--- a/wp-admin/media.php
+++ b/wp-admin/media.php
@@ -15,7 +15,7 @@ require_once __DIR__ . '/admin.php';
 $parent_file = 'upload.php';
 $submenu_file = 'upload.php';
-wp_reset_vars( array( 'action' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 switch ( $action ) {
 case 'editattachment':
diff --git a/wp-admin/options-head.php b/wp-admin/options-head.php
index d96978b438..9dba3703c5 100644
--- a/wp-admin/options-head.php
+++ b/wp-admin/options-head.php
@@ -8,7 +8,7 @@
 * @subpackage Administration
 */
-wp_reset_vars( array( 'action' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 if ( isset( $_GET['updated'] ) && isset( $_GET['page'] ) ) {
 // For back-compat with plugins that don't use the Settings API and just set updated=1 in the redirect.
diff --git a/wp-admin/options.php b/wp-admin/options.php
index 33779a7492..eb3a4d0abb 100644
--- a/wp-admin/options.php
+++ b/wp-admin/options.php
@@ -23,7 +23,8 @@ $title = __( 'Settings' );
 $this_file = 'options.php';
 $parent_file = 'options-general.php';
-wp_reset_vars( array( 'action', 'option_page' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$option_page = ! empty( $_REQUEST['option_page'] ) ? sanitize_text_field( $_REQUEST['option_page'] ) : '';
 $capability = 'manage_options';
diff --git a/wp-admin/post.php b/wp-admin/post.php
index 17875cb3e5..1230dda23d 100644
--- a/wp-admin/post.php
+++ b/wp-admin/post.php
@@ -14,7 +14,7 @@ require_once __DIR__ . '/admin.php';
 $parent_file = 'edit.php';
 $submenu_file = 'edit.php';
-wp_reset_vars( array( 'action' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 if ( isset( $_GET['post'] ) && isset( $_POST['post_ID'] ) && (int) $_GET['post'] !== (int) $_POST['post_ID'] ) {
 wp_die( __( 'A post ID mismatch has been detected.' ), __( 'Sorry, you are not allowed to edit this item.' ), 400 );
diff --git a/wp-admin/revision.php b/wp-admin/revision.php
index 72b8e74ae2..12ec2b6b1f 100644
--- a/wp-admin/revision.php
+++ b/wp-admin/revision.php
@@ -21,14 +21,16 @@ require ABSPATH . 'wp-admin/includes/revision.php';
 * @global int $from The revision to compare from.
 * @global int $to Optional, required if revision missing. The revision to compare to.
 */
-wp_reset_vars( array( 'revision', 'action', 'from', 'to' ) );
-$revision_id = absint( $revision );
+$revision_id = ! empty( $_REQUEST['revision'] ) ? absint( $_REQUEST['revision'] ) : 0;
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$from = ! empty( $_REQUEST['from'] ) && is_numeric( $_REQUEST['from'] ) ? absint( $_REQUEST['from'] ) : null;
+$to = ! empty( $_REQUEST['to'] ) && is_numeric( $_REQUEST['to'] ) ? absint( $_REQUEST['to'] ) : null;
-$from = is_numeric( $from ) ? absint( $from ) : null;
 if ( ! $revision_id ) {
- $revision_id = absint( $to );
+ $revision_id = $to;
 }
+
 $redirect = 'edit.php';
 switch ( $action ) {
diff --git a/wp-admin/site-health.php b/wp-admin/site-health.php
index ededbf001b..0fd7fef07a 100644
--- a/wp-admin/site-health.php
+++ b/wp-admin/site-health.php
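Review bot: `$revision_id = $to;` inside the `if ( ! $revision_id )` branch can now leave `$revision_id` as `null`, because the new `$to` line yields `null` whenever the parameter is absent or non-numeric, whereas the removed `absint( $to )` always produced an int; any strict comparison or typed helper below the `switch`, which is outside the hunk, will see a different value than before. `$revision_id = (int) $to;` restores the old type while keeping the new parsing. The docblock in the context lines still declares `@global int $from` and `@global int $to`; with the `: null` fallbacks they should read `@global int|null $from` and `@global int|null $to`.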
@@ -9,7 +9,7 @@
 /** WordPress Administration Bootstrap */
 require_once __DIR__ . '/admin.php';
-wp_reset_vars( array( 'action' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 $tabs = array(
 /* translators: Tab heading for Site Health Status page. */
diff --git a/wp-admin/theme-editor.php b/wp-admin/theme-editor.php
index dfbe69abb6..bf869f4d8a 100644
--- a/wp-admin/theme-editor.php
+++ b/wp-admin/theme-editor.php
@@ -56,7 +56,10 @@ get_current_screen()->set_help_sidebar( '
' . __( 'Support forums' ) . '
' );
-wp_reset_vars( array( 'action', 'error', 'file', 'theme' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$theme = ! empty( $_REQUEST['theme'] ) ? sanitize_text_field( $_REQUEST['theme'] ) : '';
+$file = ! empty( $_REQUEST['file'] ) ? sanitize_text_field( $_REQUEST['file'] ) : '';
+$error = ! empty( $_REQUEST['error'] );
 if ( $theme ) {
 $stylesheet = $theme;
diff --git a/wp-admin/theme-install.php b/wp-admin/theme-install.php
index 25212974d8..293d9a0cca 100644
--- a/wp-admin/theme-install.php
+++ b/wp-admin/theme-install.php
@@ -10,7 +10,7 @@ require_once __DIR__ . '/admin.php';
 require ABSPATH . 'wp-admin/includes/theme-install.php';
-wp_reset_vars( array( 'tab' ) );
+$tab = ! empty( $_REQUEST['tab'] ) ? sanitize_text_field( $_REQUEST['tab'] ) : '';
 if ( ! current_user_can( 'install_themes' ) ) {
 wp_die( __( 'Sorry, you are not allowed to install themes on this site.' ) );
diff --git a/wp-admin/themes.php b/wp-admin/themes.php
index 31a2e26d64..4db4c5066c 100644
--- a/wp-admin/themes.php
+++ b/wp-admin/themes.php
@@ -215,7 +215,9 @@ if ( current_user_can( 'switch_themes' ) ) {
 } else {
 $themes = wp_prepare_themes_for_js( array( wp_get_theme() ) );
 }
-wp_reset_vars( array( 'theme', 'search' ) );
+
+$theme = ! empty( $_REQUEST['theme'] ) ? sanitize_text_field( $_REQUEST['theme'] ) : '';
+$search = ! empty( $_REQUEST['search'] ) ? sanitize_text_field( $_REQUEST['search'] ) : '';
 wp_localize_script(
 'theme',
diff --git a/wp-admin/user-edit.php b/wp-admin/user-edit.php
index bbb321a272..bbad60959c 100644
--- a/wp-admin/user-edit.php
+++ b/wp-admin/user-edit.php
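Review bot: `$error = ! empty( $_REQUEST['error'] );` changes the type of `$error` from the raw request value that `wp_reset_vars()` used to store to a bool, while the three sibling lines keep their variables as strings; any code below the hunk that prints or compares the error value rather than merely testing it will behave differently, and that code is outside the hunk. If only presence matters, a one-line comment such as `// Only the presence of the error parameter is used; its value is never read.` above the assignment would make the deliberate narrowing clear to the next reader, and a `$error` named `$has_error` would say the same thing in code. The enclosing `set_help_sidebar()` call begins before the hunk's first visible line.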
@@ -12,9 +12,10 @@ require_once __DIR__ . '/admin.php';
 /** WordPress Translation Installation API */
 require_once ABSPATH . 'wp-admin/includes/translation-install.php';
-wp_reset_vars( array( 'action', 'user_id', 'wp_http_referer' ) );
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
+$user_id = ! empty( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;
+$wp_http_referer = ! empty( $_REQUEST['wp_http_referer'] ) ? sanitize_text_field( $_REQUEST['wp_http_referer'] ) : '';
-$user_id = (int) $user_id;
 $current_user = wp_get_current_user();
 if ( ! defined( 'IS_PROFILE_PAGE' ) ) {
diff --git a/wp-includes/version.php b/wp-includes/version.php
index b5e50a5d2e..37bf587401 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.6-alpha-58068';
+$wp_version = '6.6-alpha-58069';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.