Always URL-encode a stylesheet directory value before using it in a URL. These situations are saved by wp_nonce_url(), but we should not depend on that. see #21749, for trunk only.
git-svn-id: http://core.svn.wordpress.org/trunk@21755 1a063a9b-81f0-0310-95a4-ce76da25c4cd
parent
d476c22aa1
commit
fb36abe6b7
@ -277,27 +277,28 @@ class WP_MS_Themes_List_Table extends WP_List_Table {
'delete' => ''
'delete' => ''
);
);
$theme_key = $theme->get_stylesheet();
$stylesheet = $theme->get_stylesheet();
$theme_key = urlencode( $stylesheet );
if ( ! $allowed ) {
if ( ! $allowed ) {
if ( ! $theme->errors() )
if ( ! $theme->errors() )
$actions['enable'] = '<a href="' . esc_url( wp_nonce_url($url . 'action=enable&theme=' . $theme_key . '&paged=' . $page . '&s=' . $s, 'enable-theme_' . $theme_key) ) . '" title="' . esc_attr__('Enable this theme') . '" class="edit">' . ( $this->is_site_themes ? __( 'Enable' ) : __( 'Network Enable' ) ) . '</a>';
$actions['enable'] = '<a href="' . esc_url( wp_nonce_url($url . 'action=enable&theme=' . $theme_key . '&paged=' . $page . '&s=' . $s, 'enable-theme_' . $stylesheet ) ) . '" title="' . esc_attr__('Enable this theme') . '" class="edit">' . ( $this->is_site_themes ? __( 'Enable' ) : __( 'Network Enable' ) ) . '</a>';
} else {
} else {
$actions['disable'] = '<a href="' . esc_url( wp_nonce_url($url . 'action=disable&theme=' . $theme_key . '&paged=' . $page . '&s=' . $s, 'disable-theme_' . $theme_key) ) . '" title="' . esc_attr__('Disable this theme') . '">' . ( $this->is_site_themes ? __( 'Disable' ) : __( 'Network Disable' ) ) . '</a>';
$actions['disable'] = '<a href="' . esc_url( wp_nonce_url($url . 'action=disable&theme=' . $theme_key . '&paged=' . $page . '&s=' . $s, 'disable-theme_' . $stylesheet ) ) . '" title="' . esc_attr__('Disable this theme') . '">' . ( $this->is_site_themes ? __( 'Disable' ) : __( 'Network Disable' ) ) . '</a>';
}
}
if ( current_user_can('edit_themes') )
if ( current_user_can('edit_themes') )
$actions['edit'] = '<a href="' . esc_url('theme-editor.php?theme=' . urlencode( $theme_key ) ) . '" title="' . esc_attr__('Open this theme in the Theme Editor') . '" class="edit">' . __('Edit') . '</a>';
$actions['edit'] = '<a href="' . esc_url('theme-editor.php?theme=' . $theme_key ) . '" title="' . esc_attr__('Open this theme in the Theme Editor') . '" class="edit">' . __('Edit') . '</a>';
if ( ! $allowed && current_user_can( 'delete_themes' ) && ! $this->is_site_themes && $theme_key != get_option( 'stylesheet' ) && $theme_key != get_option( 'template' ) )
if ( ! $allowed && current_user_can( 'delete_themes' ) && ! $this->is_site_themes && $stylesheet != get_option( 'stylesheet' ) && $stylesheet != get_option( 'template' ) )
$actions['delete'] = '<a href="' . esc_url( wp_nonce_url( 'themes.php?action=delete-selected&checked[]=' . $theme_key . '&theme_status=' . $context . '&paged=' . $page . '&s=' . $s, 'bulk-themes' ) ) . '" title="' . esc_attr__( 'Delete this theme' ) . '" class="delete">' . __( 'Delete' ) . '</a>';
$actions['delete'] = '<a href="' . esc_url( wp_nonce_url( 'themes.php?action=delete-selected&checked[]=' . $theme_key . '&theme_status=' . $context . '&paged=' . $page . '&s=' . $s, 'bulk-themes' ) ) . '" title="' . esc_attr__( 'Delete this theme' ) . '" class="delete">' . __( 'Delete' ) . '</a>';
$actions = apply_filters( 'theme_action_links', array_filter( $actions ), $theme_key, $theme, $context );
$actions = apply_filters( 'theme_action_links', array_filter( $actions ), $stylesheet, $theme, $context );
$actions = apply_filters( "theme_action_links_$theme_key", $actions, $theme_key, $theme, $context );
$actions = apply_filters( "theme_action_links_$stylesheet", $actions, $stylesheet, $theme, $context );
$class = ! $allowed ? 'inactive' : 'active';
$class = ! $allowed ? 'inactive' : 'active';
$checkbox_id = "checkbox_" . md5( $theme->get('Name') );
$checkbox_id = "checkbox_" . md5( $theme->get('Name') );
$checkbox = "<input type='checkbox' name='checked[]' value='" . esc_attr( $theme_key ) . "' id='" . $checkbox_id . "' /><label class='screen-reader-text' for='" . $checkbox_id . "' >" . __('Select') . " " . $theme->display('Name') . "</label>";
$checkbox = "<input type='checkbox' name='checked[]' value='" . esc_attr( $stylesheet ) . "' id='" . $checkbox_id . "' /><label class='screen-reader-text' for='" . $checkbox_id . "' >" . __('Select') . " " . $theme->display('Name') . "</label>";
$id = sanitize_html_class( $theme->get_stylesheet() );
$id = sanitize_html_class( $theme->get_stylesheet() );
@ -341,7 +342,7 @@ class WP_MS_Themes_List_Table extends WP_List_Table {
if ( $theme->get('ThemeURI') )
if ( $theme->get('ThemeURI') )
$theme_meta[] = '<a href="' . $theme->display('ThemeURI') . '" title="' . esc_attr__( 'Visit theme homepage' ) . '">' . __( 'Visit Theme Site' ) . '</a>';
$theme_meta[] = '<a href="' . $theme->display('ThemeURI') . '" title="' . esc_attr__( 'Visit theme homepage' ) . '">' . __( 'Visit Theme Site' ) . '</a>';
$theme_meta = apply_filters( 'theme_row_meta', $theme_meta, $theme_key, $theme, $status );
$theme_meta = apply_filters( 'theme_row_meta', $theme_meta, $stylesheet, $theme, $status );
echo implode( ' | ', $theme_meta );
echo implode( ' | ', $theme_meta );
echo "</div></td>";
echo "</div></td>";
@ -349,7 +350,7 @@ class WP_MS_Themes_List_Table extends WP_List_Table {
default:
default:
echo "<td class='$column_name column-$column_name'$style>";
echo "<td class='$column_name column-$column_name'$style>";
do_action( 'manage_themes_custom_column', $column_name, $theme_key, $theme );
do_action( 'manage_themes_custom_column', $column_name, $stylesheet, $theme );
echo "</td>";
echo "</td>";
}
}
}
}
@ -357,8 +358,8 @@ class WP_MS_Themes_List_Table extends WP_List_Table {
echo "</tr>";
echo "</tr>";
if ( $this->is_site_themes )
if ( $this->is_site_themes )
remove_action( "after_theme_row_$theme_key", 'wp_theme_update_row' );
remove_action( "after_theme_row_$stylesheet", 'wp_theme_update_row' );
do_action( 'after_theme_row', $theme_key, $theme, $status );
do_action( 'after_theme_row', $stylesheet, $theme, $status );
do_action( "after_theme_row_$theme_key", $theme_key, $theme, $status );
do_action( "after_theme_row_$stylesheet", $stylesheet, $theme, $status );
}
}
}
}
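Review bot: The enable, disable and delete links in the first hunk (`$actions['enable']`, `$actions['disable']`, `$actions['delete']`) now carry the encoded `$theme_key` but still concatenate `$page` and `$s` raw into the same query string, so a search term containing spaces or `&` gets exactly the treatment this commit removes for the stylesheet; `'&paged=' . $page . '&s=' . urlencode( $s )` would close that gap, assuming `$s` is the request search string set outside the hunk. A one-line comment at `$theme_key = urlencode( $stylesheet );` would also keep a later cleanup from encoding the wrong value, e.g. `// $theme_key is for URLs only; nonce actions, filter names and hooks keep the raw $stylesheet`. The loose `!=` in the delete condition (`$stylesheet != get_option( 'stylesheet' )`) survives the rename unchanged and would read better as `!==`. The enclosing method starts before the first hunk, and whether the closing braces in the last hunk end it is not visible from what is shown.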
@ -143,7 +143,7 @@ class WP_Themes_List_Table extends WP_List_Table {
. __( 'Live Preview' ) . '</a>';
. __( 'Live Preview' ) . '</a>';
if ( ! is_multisite() && current_user_can( 'delete_themes' ) )
if ( ! is_multisite() && current_user_can( 'delete_themes' ) )
$actions['delete'] = '<a class="submitdelete deletion" href="' . wp_nonce_url( "themes.php?action=delete&stylesheet=$stylesheet", 'delete-theme_' . $stylesheet )
$actions['delete'] = '<a class="submitdelete deletion" href="' . wp_nonce_url( 'themes.php?action=delete&stylesheet=' . urlencode( $stylesheet ), 'delete-theme_' . $stylesheet )
. '" onclick="' . "return confirm( '" . esc_js( sprintf( __( "You are about to delete this theme '%s'\n 'Cancel' to stop, 'OK' to delete." ), $title ) )
. '" onclick="' . "return confirm( '" . esc_js( sprintf( __( "You are about to delete this theme '%s'\n 'Cancel' to stop, 'OK' to delete." ), $title ) )
. "' );" . '">' . __( 'Delete' ) . '</a>';
. "' );" . '">' . __( 'Delete' ) . '</a>';
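Review bot: The delete link's href at the `$actions['delete']` line is still `wp_nonce_url( ... )` concatenated straight into the attribute, without the `esc_url()` wrapper that the other links touched by this commit use (the enable/disable links in WP_MS_Themes_List_Table and the network_enable link in Theme_Installer_Skin). The commit message itself says these URLs should not depend on wp_nonce_url() for safety, so `esc_url( wp_nonce_url( 'themes.php?action=delete&stylesheet=' . urlencode( $stylesheet ), 'delete-theme_' . $stylesheet ) )` would make the escaping explicit and consistent with the rest of the change. The enclosing method starts and ends outside the hunk.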
@ -1502,7 +1502,7 @@ class Theme_Installer_Skin extends WP_Upgrader_Skin {
'preview' => 1,
'preview' => 1,
'template' => urlencode( $template ),
'template' => urlencode( $template ),
'stylesheet' => urlencode( $stylesheet ),
'stylesheet' => urlencode( $stylesheet ),
), trailingslashit( get_home_url() ) );
), trailingslashit( home_url() ) );
$activate_link = add_query_arg( array(
$activate_link = add_query_arg( array(
'action' => 'activate',
'action' => 'activate',
@ -1517,7 +1517,7 @@ class Theme_Installer_Skin extends WP_Upgrader_Skin {
$install_actions['activate'] = '<a href="' . esc_url( $activate_link ) . '" class="activatelink" title="' . esc_attr( sprintf( __('Activate “%s”'), $name ) ) . '">' . __('Activate') . '</a>';
$install_actions['activate'] = '<a href="' . esc_url( $activate_link ) . '" class="activatelink" title="' . esc_attr( sprintf( __('Activate “%s”'), $name ) ) . '">' . __('Activate') . '</a>';
if ( is_network_admin() && current_user_can( 'manage_network_themes' ) )
if ( is_network_admin() && current_user_can( 'manage_network_themes' ) )
$install_actions['network_enable'] = '<a href="' . esc_url( wp_nonce_url( 'themes.php?action=enable&theme=' . $stylesheet, 'enable-theme_' . $stylesheet ) ) . '" title="' . esc_attr__( 'Enable this theme for all sites in this network' ) . '" target="_parent">' . __( 'Network Enable' ) . '</a>';
$install_actions['network_enable'] = '<a href="' . esc_url( wp_nonce_url( 'themes.php?action=enable&theme=' . urlencode( $stylesheet ), 'enable-theme_' . $stylesheet ) ) . '" title="' . esc_attr__( 'Enable this theme for all sites in this network' ) . '" target="_parent">' . __( 'Network Enable' ) . '</a>';
if ( $this->type == 'web' )
if ( $this->type == 'web' )
$install_actions['themes_page'] = '<a href="' . self_admin_url('theme-install.php') . '" title="' . esc_attr__('Return to Theme Installer') . '" target="_parent">' . __('Return to Theme Installer') . '</a>';
$install_actions['themes_page'] = '<a href="' . self_admin_url('theme-install.php') . '" title="' . esc_attr__('Return to Theme Installer') . '" target="_parent">' . __('Return to Theme Installer') . '</a>';
@ -1566,7 +1566,7 @@ class Theme_Upgrader_Skin extends WP_Upgrader_Skin {
'preview' => 1,
'preview' => 1,
'template' => urlencode( $template ),
'template' => urlencode( $template ),
'stylesheet' => urlencode( $stylesheet ),
'stylesheet' => urlencode( $stylesheet ),
), trailingslashit( get_home_url() ) );
), trailingslashit( home_url() ) );
$activate_link = add_query_arg( array(
$activate_link = add_query_arg( array(
'action' => 'activate',
'action' => 'activate',
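Review bot: The preview-link block in the `-1502` hunk of Theme_Installer_Skin and the `-1566` hunk of Theme_Upgrader_Skin are identical line for line, including the `get_home_url()` to `home_url()` swap, so every future change to how `$template` and `$stylesheet` are encoded has to be made twice; since both classes extend WP_Upgrader_Skin, a protected helper on the base class (something like `theme_preview_link( $template, $stylesheet )`, name constructed) would keep them in step. In the `-1517` hunk the new `network_enable` link builds its query string by concatenation while `$activate_link` a few lines above is built with `add_query_arg()`; building both the same way would make the encoding rule obvious to the next reader. Both enclosing methods start and end outside the hunks shown.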
@ -23,7 +23,7 @@ function delete_theme($stylesheet, $redirect = '') {
ob_start();
ob_start();
if ( empty( $redirect ) )
if ( empty( $redirect ) )
$redirect = wp_nonce_url('themes.php?action=delete&stylesheet=' . $stylesheet, 'delete-theme_' . $stylesheet);
$redirect = wp_nonce_url('themes.php?action=delete&stylesheet=' . urlencode( $stylesheet ), 'delete-theme_' . $stylesheet);
if ( false === ($credentials = request_filesystem_credentials($redirect)) ) {
if ( false === ($credentials = request_filesystem_credentials($redirect)) ) {
$data = ob_get_contents();
$data = ob_get_contents();
ob_end_clean();
ob_end_clean();
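Review bot: The new `$redirect` line URL-encodes the stylesheet only in the query string and keeps it raw in the nonce action `'delete-theme_' . $stylesheet`; that asymmetry is deliberate (the verifier has to compute the token from the same action string), but nothing in the code says so, and the same pattern recurs in the list-table and installer-skin hunks of this commit. A comment such as `// URL-encode the query value only; the nonce action must stay the raw stylesheet so the token matches on verification` would stop a later pass from "fixing" one side. delete_theme() continues past the hunk; the hunk header shows only its signature, `$stylesheet` and `$redirect = ''`.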
@ -46,7 +46,7 @@ get_current_screen()->set_help_sidebar(
wp_reset_vars( array( 'action', 'error', 'file', 'theme' ) );
wp_reset_vars( array( 'action', 'error', 'file', 'theme' ) );
if ( $theme )
if ( $theme )
$stylesheet = urldecode( $theme );
$stylesheet = $theme;
else
else
$stylesheet = get_stylesheet();
$stylesheet = get_stylesheet();
@ -68,7 +68,7 @@ if ( empty( $file ) ) {
$relative_file = 'style.css';
$relative_file = 'style.css';
$file = $allowed_files['style.css'];
$file = $allowed_files['style.css'];
} else {
} else {
$relative_file = urldecode( stripslashes( $file ) );
$relative_file = stripslashes( $file );
$file = $theme->get_stylesheet_directory() . '/' . $relative_file;
$file = $theme->get_stylesheet_directory() . '/' . $relative_file;
}
}
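Review bot: `$relative_file = stripslashes( $file );` in the `-68` hunk feeds a request value straight into `$file = $theme->get_stylesheet_directory() . '/' . $relative_file;`, and the allow-list check against `$allowed_files` that the `if` branch relies on is not visible in the hunk; if that validation happens below (outside what is shown), a comment here pointing to it would help, and if it does not, `$relative_file` has to be checked against `$allowed_files` before this path is used. Dropping `urldecode()` in both hunks looks right, since the request values `wp_reset_vars()` copies are already decoded by PHP, and a short comment such as `// request values are already URL-decoded; do not decode again` would keep the double decode from creeping back. Note also that `$theme` is the request string at `$stylesheet = $theme;` but an object at `$theme->get_stylesheet_directory()`, so it is reassigned somewhere between the two hunks; a distinct name for the request value would avoid that shadowing. Both hunks are top-level script code that starts and ends outside what is shown.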