Changeset 62001

Timestamp:

03/13/2026 12:29:20 PM (7 hours ago)

Author:

johnbillion

Message:

Grouped backports for the 5.2 branch.

• XML-RPC: Switch to wp_safe_remote() when fetching a pingback URL.
• HTML API: Prevent WP_HTML_Tag_Processor instances being unserialized and add some extra logic for validating pattern and template file paths.
• KSES: Optimize PCRE pattern detecting numeric character references.
• Customize: Improve escaping approach used for nav menu attributes.
• Media: Ensure the attachment parent is accessible to the user before showing a link to it in the media manager.
• Administration: Ensure client-side templates are only detected when they're correctly associated with a script tag.
• Filesystem API: Don't attempt to extract invalid files from a zip when using the PclZip library.

Merges [61879-61884,61886-61887,61890,61913] to the 5.2 branch.

Props johnbillion, xknown, dmsnell, jorbin, peterwilson, desrosj, westonruter, jonsurrell, aurdasjb.

Location:

branches/5.2

Files:

• . (modified) (1 prop)
• src/js/_enqueues/wp/util.js (modified) (1 diff)
• src/wp-admin/includes/class-walker-nav-menu-checklist.php (modified) (1 diff)
• src/wp-admin/includes/class-walker-nav-menu-edit.php (modified) (4 diffs)
• src/wp-admin/includes/file.php (modified) (1 diff)
• src/wp-includes/ID3/getid3.lib.php (modified) (2 diffs)
• src/wp-includes/class-wp-http-ixr-client.php (modified) (1 diff)
• src/wp-includes/kses.php (modified) (1 diff)
• src/wp-includes/media.php (modified) (2 diffs)
• src/wp-includes/nav-menu.php (modified) (1 diff)
• src/wp-includes/template-loader.php (modified) (1 diff)
• tests/phpunit/tests/post/nav-menu.php (modified) (1 diff)

branches/5.2/src/js/_enqueues/wp/util.js

@@ -37 +37 @@
 
         return function ( data ) {
-            compiled = compiled || _.template( $( '#tmpl-' + id ).html(),  options );
+            var el = document.querySelector( 'script#tmpl-' + id );
+            if ( ! el ) {
+                throw new Error( 'Template not found: ' + '#tmpl-' + id );
+            }
+            compiled = compiled || _.template( $( el ).html(), options );
             return compiled( data );
         };

branches/5.2/src/wp-admin/includes/class-walker-nav-menu-checklist.php

@@ -109 +109 @@
         $output .= '<input type="hidden" class="menu-item-parent-id" name="menu-item[' . $possible_object_id . '][menu-item-parent-id]" value="' . esc_attr( $item->menu_item_parent ) . '" />';
         $output .= '<input type="hidden" class="menu-item-type" name="menu-item[' . $possible_object_id . '][menu-item-type]" value="' . esc_attr( $item->type ) . '" />';
-        $output .= '<input type="hidden" class="menu-item-title" name="menu-item[' . $possible_object_id . '][menu-item-title]" value="' . esc_attr( $item->title ) . '" />';
+        $output .= '<input type="hidden" class="menu-item-title" name="menu-item[' . $possible_object_id . '][menu-item-title]" value="' . htmlspecialchars( $item->title, ENT_QUOTES ) . '" />';
         $output .= '<input type="hidden" class="menu-item-url" name="menu-item[' . $possible_object_id . '][menu-item-url]" value="' . esc_attr( $item->url ) . '" />';
         $output .= '<input type="hidden" class="menu-item-target" name="menu-item[' . $possible_object_id . '][menu-item-target]" value="' . esc_attr( $item->target ) . '" />';
-        $output .= '<input type="hidden" class="menu-item-attr_title" name="menu-item[' . $possible_object_id . '][menu-item-attr_title]" value="' . esc_attr( $item->attr_title ) . '" />';
-        $output .= '<input type="hidden" class="menu-item-classes" name="menu-item[' . $possible_object_id . '][menu-item-classes]" value="' . esc_attr( implode( ' ', $item->classes ) ) . '" />';
-        $output .= '<input type="hidden" class="menu-item-xfn" name="menu-item[' . $possible_object_id . '][menu-item-xfn]" value="' . esc_attr( $item->xfn ) . '" />';
+        $output .= '<input type="hidden" class="menu-item-attr_title" name="menu-item[' . $possible_object_id . '][menu-item-attr-title]" value="' . htmlspecialchars( $item->attr_title, ENT_QUOTES ) . '" />';
+        $output .= '<input type="hidden" class="menu-item-classes" name="menu-item[' . $possible_object_id . '][menu-item-classes]" value="' . htmlspecialchars( implode( ' ', $item->classes ), ENT_QUOTES ) . '" />';
+        $output .= '<input type="hidden" class="menu-item-xfn" name="menu-item[' . $possible_object_id . '][menu-item-xfn]" value="' . htmlspecialchars( $item->xfn, ENT_QUOTES ) . '" />';
     }
 

branches/5.2/src/wp-admin/includes/class-walker-nav-menu-edit.php

@@ -171 +171 @@
                     <label for="edit-menu-item-title-<?php echo $item_id; ?>">
                         <?php _e( 'Navigation Label' ); ?><br />
-                        <input type="text" id="edit-menu-item-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-title" name="menu-item-title[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $item->title ); ?>" />
+                        <input type="text" id="edit-menu-item-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-title" name="menu-item-title[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $item->title, ENT_QUOTES ); ?>" />
                     </label>
                 </p>
@@ -177 +177 @@
                     <label for="edit-menu-item-attr-title-<?php echo $item_id; ?>">
                         <?php _e( 'Title Attribute' ); ?><br />
-                        <input type="text" id="edit-menu-item-attr-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-attr-title" name="menu-item-attr-title[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $item->post_excerpt ); ?>" />
+                        <input type="text" id="edit-menu-item-attr-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-attr-title" name="menu-item-attr-title[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $item->post_excerpt, ENT_QUOTES ); ?>" />
                     </label>
                 </p>
@@ -189 +189 @@
                     <label for="edit-menu-item-classes-<?php echo $item_id; ?>">
                         <?php _e( 'CSS Classes (optional)' ); ?><br />
-                        <input type="text" id="edit-menu-item-classes-<?php echo $item_id; ?>" class="widefat code edit-menu-item-classes" name="menu-item-classes[<?php echo $item_id; ?>]" value="<?php echo esc_attr( implode( ' ', $item->classes ) ); ?>" />
+                        <input type="text" id="edit-menu-item-classes-<?php echo $item_id; ?>" class="widefat code edit-menu-item-classes" name="menu-item-classes[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( implode( ' ', $item->classes ), ENT_QUOTES ); ?>" />
                     </label>
                 </p>
@@ -195 +195 @@
                     <label for="edit-menu-item-xfn-<?php echo $item_id; ?>">
                         <?php _e( 'Link Relationship (XFN)' ); ?><br />
-                        <input type="text" id="edit-menu-item-xfn-<?php echo $item_id; ?>" class="widefat code edit-menu-item-xfn" name="menu-item-xfn[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $item->xfn ); ?>" />
+                        <input type="text" id="edit-menu-item-xfn-<?php echo $item_id; ?>" class="widefat code edit-menu-item-xfn" name="menu-item-xfn[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $item->xfn, ENT_QUOTES ); ?>" />
                     </label>
                 </p>

branches/5.2/src/wp-admin/includes/file.php

@@ -1577 +1577 @@
         }
 
+        // Don't extract invalid files:
+        if ( 0 !== validate_file( $file['filename'] ) ) {
+            continue;
+        }
+
         $uncompressed_size += $file['size'];
 

branches/5.2/src/wp-includes/ID3/getid3.lib.php

@@ -536 +536 @@
     }
 
-    /**
-     * Converts an XML string to an array, using SimpleXML if available
-     */
     public static function XML2array($XMLstring) {
         if (function_exists('simplexml_load_string') && function_exists('libxml_disable_entity_loader')) {
@@ -544 +541 @@
             // https://core.trac.wordpress.org/changeset/29378
             $loader = libxml_disable_entity_loader(true);
-            $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT);
+            $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', 0);
             $return = self::SimpleXMLelement2array($XMLobject);
             libxml_disable_entity_loader($loader);

branches/5.2/src/wp-includes/class-wp-http-ixr-client.php

@@ -86 +86 @@
         }
 
-        $response = wp_remote_post( $url, $args );
+        $response = wp_safe_remote_post( $url, $args );
 
         if ( is_wp_error( $response ) ) {

branches/5.2/src/wp-includes/kses.php

@@ -1728 +1728 @@
     $string = str_replace( '&', '&', $string );
 
-    // Change back the allowed entities in our entity whitelist
     $string = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string );
-    $string = preg_replace_callback( '/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string );
-    $string = preg_replace_callback( '/&#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string );
+    $string = preg_replace_callback( '/&#(0*[1-9][0-9]{0,6});/', 'wp_kses_normalize_entities2', $string );
+    $string = preg_replace_callback( '/&#[Xx](0*[1-9A-Fa-f][0-9A-Fa-f]{0,5});/', 'wp_kses_normalize_entities3', $string );
 
     return $string;

branches/5.2/src/wp-includes/media.php

@@ -3277 +3277 @@
     }
 
-    if ( $post_parent ) {
+    if ( $post_parent && current_user_can( 'read_post', $attachment->post_parent ) ) {
         $parent_type = get_post_type_object( $post_parent->post_type );
 
@@ -3284 +3284 @@
         }
 
-        if ( $parent_type && current_user_can( 'read_post', $attachment->post_parent ) ) {
+        if ( $parent_type ) {
             $response['uploadedToTitle'] = $post_parent->post_title ? $post_parent->post_title : __( '(no title)' );
         }

branches/5.2/src/wp-includes/nav-menu.php

@@ -485 +485 @@
         }
 
-        if ( $args['menu-item-title'] == $original_title ) {
+        if ( wp_unslash( $args['menu-item-title'] ) === $original_title ) {
             $args['menu-item-title'] = '';
         }

branches/5.2/src/wp-includes/template-loader.php

@@ -75 +75 @@
      * @param string $template The path of the template to include.
      */
-    if ( $template = apply_filters( 'template_include', $template ) ) {
-        include( $template );
+    $template   = apply_filters( 'template_include', $template );
+    $is_stringy = is_string( $template ) || ( is_object( $template ) && method_exists( $template, '__toString' ) );
+    $template   = $is_stringy ? realpath( (string) $template ) : null;
+    if (
+        is_string( $template ) &&
+        ( str_ends_with( $template, '.php' ) || str_ends_with( $template, '.html' ) ) &&
+        is_file( $template ) &&
+        is_readable( $template )
+    ) {
+        include $template;
     } elseif ( current_user_can( 'switch_themes' ) ) {
         $theme = wp_get_theme();

branches/5.2/tests/phpunit/tests/post/nav-menu.php

@@ -957 +957 @@
     }
 
+    /**
+     * Tests `wp_update_nav_menu_item()` with special characters in a category name.
+     *
+     * When inserting a category as a nav item, the `post_title` property should
+     * be empty, as the item should get the title from the category object itself.
+     *
+     * @ticket 48011
+     */
+    function test_wp_update_nav_menu_item_with_special_characters_in_category_name() {
+        $category_name = 'Test Cat - \"Pre-Slashed\" Cat Name & >';
+
+        $category = self::factory()->category->create_and_get(
+            array(
+                'name' => $category_name,
+            )
+        );
+
+        $this->assertSame( 'Test Cat - "Pre-Slashed" Cat Name & >', $category->name );
+
+        $category_item_id = wp_update_nav_menu_item(
+            $this->menu_id,
+            0,
+            array(
+                'menu-item-type'      => 'taxonomy',
+                'menu-item-object'    => 'category',
+                'menu-item-object-id' => $category->term_id,
+                'menu-item-status'    => 'publish',
+                'menu-item-title'     => $category->name,
+            )
+        );
+
+        $category_item = get_post( $category_item_id );
+        $this->assertEmpty( $category_item->post_title );
+    }
 }