mirror_php/wordpress
1
0
Fork 0
mirror of git://develop.git.wordpress.org/ synced 2025-03-24 05:49:49 +01:00
Code Issues Actions 11 Packages Projects Releases Wiki Activity

Customize: Properly escape URLs passed by url and return parameters.

Browse Source 
This changeset replaces `sanitize_text_field()` with `esc_url_raw()` for URLs passed via `url` and `return` query vars. This fixes an issue where the URL `example.com/หน้าภาษาไทย` would incorrectly return `example.com//` due to improper sanitization when clicking on the Customize button through the admin bar.

Props okvee, yahaly, hellofromTonya, veryard, dilip2615, amin7, swissspidy, audrasjb.
Fixes #61317.



git-svn-id: https://develop.svn.wordpress.org/trunk@59945 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Jb Audras 2025-03-06 14:59:34 +00:00
parent c7e01a4827
commit a68196ee03
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/wp-admin/customize.php
View File

@ -84,8 +84,8 @@ if ( $wp_customize->changeset_post_id() ) {
}
}
$url = ! empty( $_REQUEST['url'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['url'] ) ) : '';
$return = ! empty( $_REQUEST['return'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['return'] ) ) : '';
$url = ! empty( $_REQUEST['url'] ) ? esc_url_raw( wp_unslash( $_REQUEST['url'] ) ) : '';
$return = ! empty( $_REQUEST['return'] ) ? esc_url_raw( wp_unslash( $_REQUEST['return'] ) ) : '';
$autofocus = ! empty( $_REQUEST['autofocus'] ) && is_array( $_REQUEST['autofocus'] )
? array_map( 'sanitize_text_field', wp_unslash( $_REQUEST['autofocus'] ) )
: array();