close
WordPress.org
Get WordPress

Make WordPress Core

Changeset 62004


Ignore:
Timestamp:
03/13/2026 12:57:21 PM (6 hours ago)
Author:
johnbillion
Message:

Grouped backports for the 4.9 branch.

  • XML-RPC: Switch to wp_safe_remote() when fetching a pingback URL.
  • HTML API: Prevent WP_HTML_Tag_Processor instances being unserialized and add some extra logic for validating pattern and template file paths.
  • KSES: Optimize PCRE pattern detecting numeric character references.
  • Customize: Improve escaping approach used for nav menu attributes.
  • Media: Ensure the attachment parent is accessible to the user before showing a link to it in the media manager.
  • Administration: Ensure client-side templates are only detected when they're correctly associated with a script tag.
  • Filesystem API: Don't attempt to extract invalid files from a zip when using the PclZip library.

Merges [61879-61884,61886-61887,61890,61913] to the 4.9 branch.

Props johnbillion, xknown, dmsnell, jorbin, peterwilson, desrosj, westonruter, jonsurrell, audrasjb.

Location:
branches/4.9
Files:
11 edited

Legend:

Unmodified
Added
Removed

  • branches/4.9

  • branches/4.9/src/wp-admin/includes/class-walker-nav-menu-checklist.php

    r41688 r62004  
    104104        // Menu item hidden fields
    105105        $output .= '<input type="hidden" class="menu-item-db-id" name="menu-item[' . $possible_object_id . '][menu-item-db-id]" value="' . $possible_db_id . '" />';
    106         $output .= '<input type="hidden" class="menu-item-object" name="menu-item[' . $possible_object_id . '][menu-item-object]" value="'. esc_attr( $item->object ) .'" />';
    107         $output .= '<input type="hidden" class="menu-item-parent-id" name="menu-item[' . $possible_object_id . '][menu-item-parent-id]" value="'. esc_attr( $item->menu_item_parent ) .'" />';
    108         $output .= '<input type="hidden" class="menu-item-type" name="menu-item[' . $possible_object_id . '][menu-item-type]" value="'. esc_attr( $item->type ) .'" />';
    109         $output .= '<input type="hidden" class="menu-item-title" name="menu-item[' . $possible_object_id . '][menu-item-title]" value="'. esc_attr( $item->title ) .'" />';
    110         $output .= '<input type="hidden" class="menu-item-url" name="menu-item[' . $possible_object_id . '][menu-item-url]" value="'. esc_attr( $item->url ) .'" />';
    111         $output .= '<input type="hidden" class="menu-item-target" name="menu-item[' . $possible_object_id . '][menu-item-target]" value="'. esc_attr( $item->target ) .'" />';
    112         $output .= '<input type="hidden" class="menu-item-attr_title" name="menu-item[' . $possible_object_id . '][menu-item-attr_title]" value="'. esc_attr( $item->attr_title ) .'" />';
    113         $output .= '<input type="hidden" class="menu-item-classes" name="menu-item[' . $possible_object_id . '][menu-item-classes]" value="'. esc_attr( implode( ' ', $item->classes ) ) .'" />';
    114         $output .= '<input type="hidden" class="menu-item-xfn" name="menu-item[' . $possible_object_id . '][menu-item-xfn]" value="'. esc_attr( $item->xfn ) .'" />';
     106        $output .= '<input type="hidden" class="menu-item-object" name="menu-item[' . $possible_object_id . '][menu-item-object]" value="' . esc_attr( $item->object ) . '" />';
     107        $output .= '<input type="hidden" class="menu-item-parent-id" name="menu-item[' . $possible_object_id . '][menu-item-parent-id]" value="' . esc_attr( $item->menu_item_parent ) . '" />';
     108        $output .= '<input type="hidden" class="menu-item-type" name="menu-item[' . $possible_object_id . '][menu-item-type]" value="' . esc_attr( $item->type ) . '" />';
     109        $output .= '<input type="hidden" class="menu-item-title" name="menu-item[' . $possible_object_id . '][menu-item-title]" value="' . htmlspecialchars( $item->title, ENT_QUOTES ) . '" />';
     110        $output .= '<input type="hidden" class="menu-item-url" name="menu-item[' . $possible_object_id . '][menu-item-url]" value="' . esc_attr( $item->url ) . '" />';
     111        $output .= '<input type="hidden" class="menu-item-target" name="menu-item[' . $possible_object_id . '][menu-item-target]" value="' . esc_attr( $item->target ) . '" />';
     112        $output .= '<input type="hidden" class="menu-item-attr_title" name="menu-item[' . $possible_object_id . '][menu-item-attr-title]" value="' . htmlspecialchars( $item->attr_title, ENT_QUOTES ) . '" />';
     113        $output .= '<input type="hidden" class="menu-item-classes" name="menu-item[' . $possible_object_id . '][menu-item-classes]" value="' . htmlspecialchars( implode( ' ', $item->classes ), ENT_QUOTES ) . '" />';
     114        $output .= '<input type="hidden" class="menu-item-xfn" name="menu-item[' . $possible_object_id . '][menu-item-xfn]" value="' . htmlspecialchars( $item->xfn, ENT_QUOTES ) . '" />';
    115115    }
    116116

  • branches/4.9/src/wp-admin/includes/class-walker-nav-menu-edit.php

    r41688 r62004  
    163163                    <label for="edit-menu-item-title-<?php echo $item_id; ?>">
    164164                        <?php _e( 'Navigation Label' ); ?><br />
    165                         <input type="text" id="edit-menu-item-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-title" name="menu-item-title[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $item->title ); ?>" />
     165                        <input type="text" id="edit-menu-item-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-title" name="menu-item-title[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $item->title, ENT_QUOTES ); ?>" />
    166166                    </label>
    167167                </p>
     
    169169                    <label for="edit-menu-item-attr-title-<?php echo $item_id; ?>">
    170170                        <?php _e( 'Title Attribute' ); ?><br />
    171                         <input type="text" id="edit-menu-item-attr-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-attr-title" name="menu-item-attr-title[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $item->post_excerpt ); ?>" />
     171                        <input type="text" id="edit-menu-item-attr-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-attr-title" name="menu-item-attr-title[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $item->post_excerpt, ENT_QUOTES ); ?>" />
    172172                    </label>
    173173                </p>
     
    181181                    <label for="edit-menu-item-classes-<?php echo $item_id; ?>">
    182182                        <?php _e( 'CSS Classes (optional)' ); ?><br />
    183                         <input type="text" id="edit-menu-item-classes-<?php echo $item_id; ?>" class="widefat code edit-menu-item-classes" name="menu-item-classes[<?php echo $item_id; ?>]" value="<?php echo esc_attr( implode(' ', $item->classes ) ); ?>" />
     183                        <input type="text" id="edit-menu-item-classes-<?php echo $item_id; ?>" class="widefat code edit-menu-item-classes" name="menu-item-classes[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( implode( ' ', $item->classes ), ENT_QUOTES ); ?>" />
    184184                    </label>
    185185                </p>
     
    187187                    <label for="edit-menu-item-xfn-<?php echo $item_id; ?>">
    188188                        <?php _e( 'Link Relationship (XFN)' ); ?><br />
    189                         <input type="text" id="edit-menu-item-xfn-<?php echo $item_id; ?>" class="widefat code edit-menu-item-xfn" name="menu-item-xfn[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $item->xfn ); ?>" />
     189                        <input type="text" id="edit-menu-item-xfn-<?php echo $item_id; ?>" class="widefat code edit-menu-item-xfn" name="menu-item-xfn[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $item->xfn, ENT_QUOTES ); ?>" />
    190190                    </label>
    191191                </p>

  • branches/4.9/src/wp-admin/includes/file.php

    r43705 r62004  
    12431243            continue;
    12441244
     1245        // Don't extract invalid files:
     1246        if ( 0 !== validate_file( $file['filename'] ) ) {
     1247            continue;
     1248        }
     1249
    12451250        $uncompressed_size += $file['size'];
    12461251

  • branches/4.9/src/wp-includes/ID3/getid3.lib.php

    r41196 r62004  
    541541            // https://core.trac.wordpress.org/changeset/29378
    542542            $loader = libxml_disable_entity_loader(true);
    543             $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT);
     543            $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', 0);
    544544            $return = self::SimpleXMLelement2array($XMLobject);
    545545            libxml_disable_entity_loader($loader);

  • branches/4.9/src/wp-includes/class-wp-http-ixr-client.php

    r37492 r62004  
    8787        }
    8888
    89         $response = wp_remote_post($url, $args);
     89        $response = wp_safe_remote_post( $url, $args );
    9090
    9191        if ( is_wp_error($response) ) {

  • branches/4.9/src/wp-includes/js/wp-util.js

    r41351 r62004  
    3333
    3434        return function ( data ) {
    35             compiled = compiled || _.template( $( '#tmpl-' + id ).html(),  options );
     35            var el = document.querySelector( 'script#tmpl-' + id );
     36            if ( ! el ) {
     37                throw new Error( 'Template not found: ' + '#tmpl-' + id );
     38            }
     39            compiled = compiled || _.template( $( el ).html(), options );
    3640            return compiled( data );
    3741        };

  • branches/4.9/src/wp-includes/kses.php

    r46918 r62004  
    541541    $allowed_protocols = wp_allowed_protocols();
    542542    $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
    543    
     543
    544544    // Preserve leading and trailing whitespace.
    545545    $matches = array();
     
    553553        $string = substr( $string, strlen( $lead ), -strlen( $trail ) );
    554554    }
    555    
     555
    556556    // Parse attribute name and value from input.
    557557    $split = preg_split( '/\s*=\s*/', $string, 2 );
     
    590590        $vless = 'y';
    591591    }
    592    
     592
    593593    // Sanitize attribute by name.
    594594    wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html );
     
    11251125        $xhtml_slash = '';
    11261126    }
    1127    
     1127
    11281128    // Split it
    11291129    $attrarr = wp_kses_hair_parse( $attr );
     
    11351135    array_unshift( $attrarr, $begin . $slash . $elname );
    11361136    array_push( $attrarr, $xhtml_slash . $end );
    1137    
     1137
    11381138    return $attrarr;
    11391139}
     
    14501450    $string = str_replace('&', '&amp;', $string);
    14511451
    1452     // Change back the allowed entities in our entity whitelist
    1453     $string = preg_replace_callback('/&amp;([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string);
    1454     $string = preg_replace_callback('/&amp;#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string);
    1455     $string = preg_replace_callback('/&amp;#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string);
     1452    $string = preg_replace_callback( '/&amp;([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string );
     1453    $string = preg_replace_callback( '/&amp;#(0*+[1-9][0-9]{0,6});/', 'wp_kses_normalize_entities2', $string );
     1454    $string = preg_replace_callback( '/&amp;#[Xx](0*+[1-9A-Fa-f][0-9A-Fa-f]{0,5});/', 'wp_kses_normalize_entities3', $string );
    14561455
    14571456    return $string;

  • branches/4.9/src/wp-includes/media.php

    r56865 r62004  
    31553155    }
    31563156
    3157     if ( $post_parent ) {
     3157    if ( $post_parent && current_user_can( 'read_post', $attachment->post_parent ) ) {
    31583158        $parent_type = get_post_type_object( $post_parent->post_type );
    31593159
     
    31623162        }
    31633163
    3164         if ( $parent_type && current_user_can( 'read_post', $attachment->post_parent ) ) {
     3164        if ( $parent_type ) {
    31653165            $response['uploadedToTitle'] = $post_parent->post_title ? $post_parent->post_title : __( '(no title)' );
    31663166        }

  • branches/4.9/src/wp-includes/nav-menu.php

    r42026 r62004  
    467467        }
    468468
    469         if ( $args['menu-item-title'] == $original_title )
     469        if ( wp_unslash( $args['menu-item-title'] ) === $original_title ) {
    470470            $args['menu-item-title'] = '';
     471        }
    471472
    472473        // hack to get wp to create a post object when too many properties are empty

  • branches/4.9/src/wp-includes/template-loader.php

    r38755 r62004  
    7171     * @param string $template The path of the template to include.
    7272     */
    73     if ( $template = apply_filters( 'template_include', $template ) ) {
    74         include( $template );
     73    $template   = apply_filters( 'template_include', $template );
     74    $is_stringy = is_string( $template ) || ( is_object( $template ) && method_exists( $template, '__toString' ) );
     75    $template   = $is_stringy ? realpath( (string) $template ) : null;
     76    if (
     77        is_string( $template ) &&
     78        ( str_ends_with( $template, '.php' ) || str_ends_with( $template, '.html' ) ) &&
     79        is_file( $template ) &&
     80        is_readable( $template )
     81    ) {
     82        include $template;
    7583    } elseif ( current_user_can( 'switch_themes' ) ) {
    7684        $theme = wp_get_theme();
Note: See TracChangeset for help on using the changeset viewer.