diff --git a/src/wp-admin/includes/class-wp-plugins-list-table.php b/src/wp-admin/includes/class-wp-plugins-list-table.php index f49d1c8697..4e4c2266c8 100644 --- a/src/wp-admin/includes/class-wp-plugins-list-table.php +++ b/src/wp-admin/includes/class-wp-plugins-list-table.php @@ -560,16 +560,16 @@ class WP_Plugins_List_Table extends WP_List_Table { if ( $is_active ) { if ( current_user_can( 'manage_network_plugins' ) ) { /* translators: %s: plugin name */ - $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&plugin=' . $plugin_file . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( __( 'Network deactivate %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Deactivate' ) . '</a>'; + $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&plugin=' . urlencode( $plugin_file ) . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( _x( 'Network Deactivate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Deactivate' ) . '</a>'; } } else { if ( current_user_can( 'manage_network_plugins' ) ) { /* translators: %s: plugin name */ - $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&plugin=' . $plugin_file . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( __( 'Network Activate %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Activate' ) . '</a>'; + $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&plugin=' . urlencode( $plugin_file ) . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( _x( 'Network Activate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Network Activate' ) . '</a>'; } if ( current_user_can( 'delete_plugins' ) && ! is_plugin_active( $plugin_file ) ) { /* translators: %s: plugin name */ - $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&checked[]=' . $plugin_file . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( __( 'Delete %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>'; + $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&checked[]=' . urlencode( $plugin_file ) . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( _x( 'Delete %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>'; } } } else { @@ -583,14 +583,14 @@ class WP_Plugins_List_Table extends WP_List_Table { ); } elseif ( $is_active ) { /* translators: %s: plugin name */ - $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&plugin=' . $plugin_file . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( __( 'Deactivate %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Deactivate' ) . '</a>'; + $actions['deactivate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=deactivate&plugin=' . urlencode( $plugin_file ) . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'deactivate-plugin_' . $plugin_file ) . '" aria-label="' . esc_attr( sprintf( _x( 'Deactivate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Deactivate' ) . '</a>'; } else { /* translators: %s: plugin name */ - $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&plugin=' . $plugin_file . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( __( 'Activate %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Activate' ) . '</a>'; + $actions['activate'] = '<a href="' . wp_nonce_url( 'plugins.php?action=activate&plugin=' . urlencode( $plugin_file ) . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'activate-plugin_' . $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( _x( 'Activate %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Activate' ) . '</a>'; if ( ! is_multisite() && current_user_can( 'delete_plugins' ) ) { /* translators: %s: plugin name */ - $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&checked[]=' . $plugin_file . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( __( 'Delete %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>'; + $actions['delete'] = '<a href="' . wp_nonce_url( 'plugins.php?action=delete-selected&checked[]=' . urlencode( $plugin_file ) . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'bulk-plugins' ) . '" class="delete" aria-label="' . esc_attr( sprintf( _x( 'Delete %s', 'plugin' ), $plugin_data['Name'] ) ) . '">' . __( 'Delete' ) . '</a>'; } } // end if $is_active @@ -598,7 +598,7 @@ class WP_Plugins_List_Table extends WP_List_Table { if ( ( ! is_multisite() || $screen->in_admin( 'network' ) ) && current_user_can( 'edit_plugins' ) && is_writable( WP_PLUGIN_DIR . '/' . $plugin_file ) ) { /* translators: %s: plugin name */ - $actions['edit'] = '<a href="plugin-editor.php?file=' . $plugin_file . '" class="edit" aria-label="' . esc_attr( sprintf( __( 'Edit %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Edit' ) . '</a>'; + $actions['edit'] = '<a href="plugin-editor.php?file=' . urlencode( $plugin_file ) . '" class="edit" aria-label="' . esc_attr( sprintf( __( 'Edit %s' ), $plugin_data['Name'] ) ) . '">' . __( 'Edit' ) . '</a>'; } } // end if $context diff --git a/src/wp-admin/includes/template.php b/src/wp-admin/includes/template.php index 5138fd204c..f57f249954 100644 --- a/src/wp-admin/includes/template.php +++ b/src/wp-admin/includes/template.php @@ -769,7 +769,7 @@ function page_template_dropdown( $default = '' ) { ksort( $templates ); foreach ( array_keys( $templates ) as $template ) { $selected = selected( $default, $templates[ $template ], false ); - echo "\n\t<option value='" . $templates[ $template ] . "' $selected>$template</option>"; + echo "\n\t<option value='" . esc_attr( $templates[ $template ] ) . "' $selected>" . esc_html( $template ) . "</option>"; } } diff --git a/src/wp-admin/plugin-editor.php b/src/wp-admin/plugin-editor.php index 1558164096..3a7cc25008 100644 --- a/src/wp-admin/plugin-editor.php +++ b/src/wp-admin/plugin-editor.php @@ -96,9 +96,9 @@ default: wp_die( $error ); if ( ( ! empty( $_GET['networkwide'] ) && ! is_plugin_active_for_network($file) ) || ! is_plugin_active($file) ) - activate_plugin($file, "plugin-editor.php?file=$file&phperror=1", ! empty( $_GET['networkwide'] ) ); // we'll override this later if the plugin can be included without fatal error + activate_plugin($file, "plugin-editor.php?file=" . urlencode( $file ) . "&phperror=1", ! empty( $_GET['networkwide'] ) ); // we'll override this later if the plugin can be included without fatal error - wp_redirect( self_admin_url("plugin-editor.php?file=$file&a=te&scrollto=$scrollto") ); + wp_redirect( self_admin_url("plugin-editor.php?file=" . urlencode( $file ) . "&a=te&scrollto=$scrollto") ); exit; } @@ -191,18 +191,18 @@ default: if ( is_plugin_active( $plugin ) ) { if ( is_writeable( $real_file ) ) { /* translators: %s: plugin file name */ - echo sprintf( __( 'Editing %s (active)' ), '<strong>' . $file . '</strong>' ); + echo sprintf( __( 'Editing %s (active)' ), '<strong>' . esc_html( $file ) . '</strong>' ); } else { /* translators: %s: plugin file name */ - echo sprintf( __( 'Browsing %s (active)' ), '<strong>' . $file . '</strong>' ); + echo sprintf( __( 'Browsing %s (active)' ), '<strong>' . esc_html( $file ) . '</strong>' ); } } else { if ( is_writeable( $real_file ) ) { /* translators: %s: plugin file name */ - echo sprintf( __( 'Editing %s (inactive)' ), '<strong>' . $file . '</strong>' ); + echo sprintf( __( 'Editing %s (inactive)' ), '<strong>' . esc_html( $file ) . '</strong>' ); } else { /* translators: %s: plugin file name */ - echo sprintf( __( 'Browsing %s (inactive)' ), '<strong>' . $file . '</strong>' ); + echo sprintf( __( 'Browsing %s (inactive)' ), '<strong>' . esc_html( $file ) . '</strong>' ); } } ?></big> @@ -247,7 +247,7 @@ foreach ( $plugin_files as $plugin_file ) : continue; } ?> - <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&plugin=<?php echo urlencode( $plugin ) ?>"><?php echo $plugin_file ?></a></li> + <li<?php echo $file == $plugin_file ? ' class="highlight"' : ''; ?>><a href="plugin-editor.php?file=<?php echo urlencode( $plugin_file ) ?>&plugin=<?php echo urlencode( $plugin ) ?>"><?php echo esc_html( $plugin_file ); ?></a></li> <?php endforeach; ?> </ul> </div> diff --git a/src/wp-admin/plugins.php b/src/wp-admin/plugins.php index fde886e46d..fd9f6429c3 100644 --- a/src/wp-admin/plugins.php +++ b/src/wp-admin/plugins.php @@ -17,7 +17,7 @@ $pagenum = $wp_list_table->get_pagenum(); $action = $wp_list_table->current_action(); -$plugin = isset($_REQUEST['plugin']) ? $_REQUEST['plugin'] : ''; +$plugin = isset($_REQUEST['plugin']) ? wp_unslash( $_REQUEST['plugin'] ) : ''; $s = isset($_REQUEST['s']) ? urlencode( wp_unslash( $_REQUEST['s'] ) ) : ''; // Clean up request URI from temporary args for screen options/paging uri's to work as expected. @@ -39,10 +39,10 @@ if ( $action ) { check_admin_referer('activate-plugin_' . $plugin); - $result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . $plugin), is_network_admin() ); + $result = activate_plugin($plugin, self_admin_url('plugins.php?error=true&plugin=' . urlencode( $plugin ) ), is_network_admin() ); if ( is_wp_error( $result ) ) { if ( 'unexpected_output' == $result->get_error_code() ) { - $redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . $plugin . "&plugin_status=$status&paged=$page&s=$s"); + $redirect = self_admin_url('plugins.php?error=true&charsout=' . strlen($result->get_error_data()) . '&plugin=' . urlencode( $plugin ) . "&plugin_status=$status&paged=$page&s=$s"); wp_redirect(add_query_arg('_error_nonce', wp_create_nonce('plugin-activation-error_' . $plugin), $redirect)); exit; } else { @@ -73,7 +73,7 @@ if ( $action ) { check_admin_referer('bulk-plugins'); - $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array(); + $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array(); if ( is_network_admin() ) { foreach ( $plugins as $i => $plugin ) { @@ -122,9 +122,9 @@ if ( $action ) { check_admin_referer( 'bulk-plugins' ); if ( isset( $_GET['plugins'] ) ) - $plugins = explode( ',', $_GET['plugins'] ); + $plugins = explode( ',', wp_unslash( $_GET['plugins'] ) ); elseif ( isset( $_POST['checked'] ) ) - $plugins = (array) $_POST['checked']; + $plugins = (array) wp_unslash( $_POST['checked'] ); else $plugins = array(); @@ -197,7 +197,7 @@ if ( $action ) { check_admin_referer('bulk-plugins'); - $plugins = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array(); + $plugins = isset( $_POST['checked'] ) ? (array) wp_unslash( $_POST['checked'] ) : array(); // Do not deactivate plugins which are already deactivated. if ( is_network_admin() ) { $plugins = array_filter( $plugins, 'is_plugin_active_for_network' ); @@ -234,7 +234,7 @@ if ( $action ) { check_admin_referer('bulk-plugins'); //$_POST = from the plugin form; $_GET = from the FTP details screen. - $plugins = isset( $_REQUEST['checked'] ) ? (array) $_REQUEST['checked'] : array(); + $plugins = isset( $_REQUEST['checked'] ) ? (array) wp_unslash( $_REQUEST['checked'] ) : array(); if ( empty( $plugins ) ) { wp_redirect( self_admin_url("plugins.php?plugin_status=$status&paged=$page&s=$s") ); exit; diff --git a/src/wp-admin/theme-editor.php b/src/wp-admin/theme-editor.php index 6fae2b7535..53be4bc555 100644 --- a/src/wp-admin/theme-editor.php +++ b/src/wp-admin/theme-editor.php @@ -99,7 +99,7 @@ if ( empty( $file ) ) { $relative_file = 'style.css'; $file = $allowed_files['style.css']; } else { - $relative_file = $file; + $relative_file = wp_unslash( $file ); $file = $theme->get_stylesheet_directory() . '/' . $relative_file; } @@ -156,10 +156,12 @@ default: <div id="message" class="updated notice is-dismissible"><p><?php _e( 'File edited successfully.' ) ?></p></div> <?php endif; -$description = get_file_description( $relative_file ); +$file_description = get_file_description( $relative_file ); $file_show = array_search( $file, array_filter( $allowed_files ) ); -if ( $description != $file_show ) - $description .= ' <span>(' . $file_show . ')</span>'; +$description = esc_html( $file_description ); +if ( $file_description != $file_show ) { + $description .= ' <span>(' . esc_html( $file_show ) . ')</span>'; +} ?> <div class="wrap"> <h1><?php echo esc_html( $title ); ?></h1> @@ -230,9 +232,9 @@ if ( $allowed_files ) : echo "\t<ul>\n"; } - $file_description = get_file_description( $filename ); + $file_description = esc_html( get_file_description( $filename ) ); if ( $filename !== basename( $absolute_filename ) || $file_description !== $filename ) { - $file_description .= '<br /><span class="nonessential">(' . $filename . ')</span>'; + $file_description .= '<br /><span class="nonessential">(' . esc_html( $filename ) . ')</span>'; } if ( $absolute_filename === $file ) {