mirror/WordPress
1
0
Fork 0
mirror of https://github.com/WordPress/WordPress.git synced 2026-06-19 07:37:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

Grouped backports for the 5.5 branch.

Browse Source 
- XML-RPC: Switch to `wp_safe_remote()` when fetching a pingback URL.
- HTML API: Prevent `WP_HTML_Tag_Processor` instances being unserialized and add some extra logic for validating pattern and template file paths.
- KSES: Optimize PCRE pattern detecting numeric character references.
- Customize: Improve escaping approach used for nav menu attributes.
- Media: Ensure the attachment parent is accessible to the user before showing a link to it in the media manager.
- Administration: Ensure client-side templates are only detected when they're correctly associated with a script tag.
- Filesystem API: Don't attempt to extract invalid files from a zip when using the PclZip library.

Merges [61879-61885,61887,61890,61913] to the 5.5 branch.

Props johnbillion, xknown, dmsnell, jorbin, peterwilson, desrosj, westonruter, jonsurrell, aurdasjb.



Built from https://develop.svn.wordpress.org/branches/5.5@61955


git-svn-id: http://core.svn.wordpress.org/branches/5.5@61237 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Peter Wilson
2026-03-12 02:17:05 +00:00
parent bdf1ccb89d
commit 7b1fc71a80
11 changed files with 35 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
wp-admin/includes/class-walker-nav-menu-checklist.php
+4 -4
View File
@@ -111,12 +111,12 @@ class Walker_Nav_Menu_Checklist extends Walker_Nav_Menu {
$output .= '<input type="hidden" class="menu-item-object" name="menu-item[' . $possible_object_id . '][menu-item-object]" value="' . esc_attr( $item->object ) . '" />';
$output .= '<input type="hidden" class="menu-item-parent-id" name="menu-item[' . $possible_object_id . '][menu-item-parent-id]" value="' . esc_attr( $item->menu_item_parent ) . '" />';
$output .= '<input type="hidden" class="menu-item-type" name="menu-item[' . $possible_object_id . '][menu-item-type]" value="' . esc_attr( $item->type ) . '" />';
$output .= '<input type="hidden" class="menu-item-title" name="menu-item[' . $possible_object_id . '][menu-item-title]" value="' . esc_attr( $item->title ) . '" />';
$output .= '<input type="hidden" class="menu-item-title" name="menu-item[' . $possible_object_id . '][menu-item-title]" value="' . htmlspecialchars( $item->title, ENT_QUOTES ) . '" />';
$output .= '<input type="hidden" class="menu-item-url" name="menu-item[' . $possible_object_id . '][menu-item-url]" value="' . esc_attr( $item->url ) . '" />';
$output .= '<input type="hidden" class="menu-item-target" name="menu-item[' . $possible_object_id . '][menu-item-target]" value="' . esc_attr( $item->target ) . '" />';
$output .= '<input type="hidden" class="menu-item-attr-title" name="menu-item[' . $possible_object_id . '][menu-item-attr-title]" value="' . esc_attr( $item->attr_title ) . '" />';
$output .= '<input type="hidden" class="menu-item-classes" name="menu-item[' . $possible_object_id . '][menu-item-classes]" value="' . esc_attr( implode( ' ', $item->classes ) ) . '" />';
$output .= '<input type="hidden" class="menu-item-xfn" name="menu-item[' . $possible_object_id . '][menu-item-xfn]" value="' . esc_attr( $item->xfn ) . '" />';
$output .= '<input type="hidden" class="menu-item-attr-title" name="menu-item[' . $possible_object_id . '][menu-item-attr-title]" value="' . htmlspecialchars( $item->attr_title, ENT_QUOTES ) . '" />';
$output .= '<input type="hidden" class="menu-item-classes" name="menu-item[' . $possible_object_id . '][menu-item-classes]" value="' . htmlspecialchars( implode( ' ', $item->classes ), ENT_QUOTES ) . '" />';
$output .= '<input type="hidden" class="menu-item-xfn" name="menu-item[' . $possible_object_id . '][menu-item-xfn]" value="' . htmlspecialchars( $item->xfn, ENT_QUOTES ) . '" />';
}
}
wp-admin/includes/class-walker-nav-menu-edit.php
+4 -4
View File
@@ -192,13 +192,13 @@ class Walker_Nav_Menu_Edit extends Walker_Nav_Menu {
<p class="description description-wide">
<label for="edit-menu-item-title-<?php echo $item_id; ?>">
<?php _e( 'Navigation Label' ); ?><br />
<input type="text" id="edit-menu-item-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-title" name="menu-item-title[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $item->title ); ?>" />
<input type="text" id="edit-menu-item-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-title" name="menu-item-title[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $item->title, ENT_QUOTES ); ?>" />
</label>
</p>
<p class="field-title-attribute field-attr-title description description-wide">
<label for="edit-menu-item-attr-title-<?php echo $item_id; ?>">
<?php _e( 'Title Attribute' ); ?><br />
<input type="text" id="edit-menu-item-attr-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-attr-title" name="menu-item-attr-title[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $item->post_excerpt ); ?>" />
<input type="text" id="edit-menu-item-attr-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-attr-title" name="menu-item-attr-title[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $item->post_excerpt, ENT_QUOTES ); ?>" />
</label>
</p>
<p class="field-link-target description">
@@ -210,13 +210,13 @@ class Walker_Nav_Menu_Edit extends Walker_Nav_Menu {
<p class="field-css-classes description description-thin">
<label for="edit-menu-item-classes-<?php echo $item_id; ?>">
<?php _e( 'CSS Classes (optional)' ); ?><br />
<input type="text" id="edit-menu-item-classes-<?php echo $item_id; ?>" class="widefat code edit-menu-item-classes" name="menu-item-classes[<?php echo $item_id; ?>]" value="<?php echo esc_attr( implode( ' ', $item->classes ) ); ?>" />
<input type="text" id="edit-menu-item-classes-<?php echo $item_id; ?>" class="widefat code edit-menu-item-classes" name="menu-item-classes[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( implode( ' ', $item->classes ), ENT_QUOTES ); ?>" />
</label>
</p>
<p class="field-xfn description description-thin">
<label for="edit-menu-item-xfn-<?php echo $item_id; ?>">
<?php _e( 'Link Relationship (XFN)' ); ?><br />
<input type="text" id="edit-menu-item-xfn-<?php echo $item_id; ?>" class="widefat code edit-menu-item-xfn" name="menu-item-xfn[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $item->xfn ); ?>" />
<input type="text" id="edit-menu-item-xfn-<?php echo $item_id; ?>" class="widefat code edit-menu-item-xfn" name="menu-item-xfn[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $item->xfn, ENT_QUOTES ); ?>" />
</label>
</p>
<p class="field-description description description-wide">
wp-admin/includes/file.php
+5
View File
@@ -1657,6 +1657,11 @@ function _unzip_file_pclzip( $file, $to, $needed_dirs = array() ) {
continue;
}
// Don't extract invalid files:
if ( 0 !== validate_file( $file['filename'] ) ) {
continue;
}
$uncompressed_size += $file['size'];
$needed_dirs[] = $to . untrailingslashit( $file['folder'] ? $file['filename'] : dirname( $file['filename'] ) );
wp-includes/ID3/getid3.lib.php
+1 -1
View File
@@ -723,7 +723,7 @@ class getid3_lib
// http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
// https://core.trac.wordpress.org/changeset/29378
$loader = libxml_disable_entity_loader(true);
$XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT);
$XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', 0);
$return = self::SimpleXMLelement2array($XMLobject);
libxml_disable_entity_loader($loader);
return $return;
wp-includes/class-wp-http-ixr-client.php
+1 -1
View File
@@ -88,7 +88,7 @@ class WP_HTTP_IXR_Client extends IXR_Client {
echo '<pre class="ixr_request">' . htmlspecialchars( $xml ) . "\n</pre>\n\n";
}
$response = wp_remote_post( $url, $args );
$response = wp_safe_remote_post( $url, $args );
if ( is_wp_error( $response ) ) {
$errno = $response->get_error_code();
wp-includes/js/wp-util.js
+5 -1
View File
@@ -36,7 +36,11 @@ window.wp = window.wp || {};
};
return function ( data ) {
compiled = compiled || _.template( $( '#tmpl-' + id ).html(), options );
var el = document.querySelector( 'script#tmpl-' + id );
if ( ! el ) {
throw new Error( 'Template not found: ' + '#tmpl-' + id );
}
compiled = compiled || _.template( $( el ).html(), options );
return compiled( data );
};
});
wp-includes/js/wp-util.min.js
Vendored
+1 -1
View File
@@ -1,2 +1,2 @@
/*! This file is auto-generated */
window.wp=window.wp||{},function(i){var e="undefined"==typeof _wpUtilSettings?{}:_wpUtilSettings;wp.template=_.memoize(function(t){var n,s={evaluate:/<#([\s\S]+?)#>/g,interpolate:/\{\{\{([\s\S]+?)\}\}\}/g,escape:/\{\{([^\}]+?)\}\}(?!\})/g,variable:"data"};return function(e){return(n=n||_.template(i("#tmpl-"+t).html(),s))(e)}}),wp.ajax={settings:e.ajax||{},post:function(e,t){return wp.ajax.send({data:_.isObject(e)?e:_.extend(t||{},{action:e})})},send:function(e,n){var t;return _.isObject(e)?n=e:(n=n||{}).data=_.extend(n.data||{},{action:e}),n=_.defaults(n||{},{type:"POST",url:wp.ajax.settings.url,context:this}),(e=(t=i.Deferred(function(t){n.success&&t.done(n.success),n.error&&t.fail(n.error),delete n.success,delete n.error,t.jqXHR=i.ajax(n).done(function(e){"1"!==e&&1!==e||(e={success:!0}),_.isObject(e)&&!_.isUndefined(e.success)?t[e.success?"resolveWith":"rejectWith"](this,[e.data]):t.rejectWith(this,[e])}).fail(function(){t.rejectWith(this,arguments)})})).promise()).abort=function(){return t.jqXHR.abort(),this},e}}}(jQuery);
window.wp=window.wp||{},function(i){var e="undefined"==typeof _wpUtilSettings?{}:_wpUtilSettings;wp.template=_.memoize(function(n){var r,s={evaluate:/<#([\s\S]+?)#>/g,interpolate:/\{\{\{([\s\S]+?)\}\}\}/g,escape:/\{\{([^\}]+?)\}\}(?!\})/g,variable:"data"};return function(e){var t=document.querySelector("script#tmpl-"+n);if(!t)throw new Error("Template not found: #tmpl-"+n);return(r=r||_.template(i(t).html(),s))(e)}}),wp.ajax={settings:e.ajax||{},post:function(e,t){return wp.ajax.send({data:_.isObject(e)?e:_.extend(t||{},{action:e})})},send:function(e,n){var t;return _.isObject(e)?n=e:(n=n||{}).data=_.extend(n.data||{},{action:e}),n=_.defaults(n||{},{type:"POST",url:wp.ajax.settings.url,context:this}),(e=(t=i.Deferred(function(t){n.success&&t.done(n.success),n.error&&t.fail(n.error),delete n.success,delete n.error,t.jqXHR=i.ajax(n).done(function(e){"1"!==e&&1!==e||(e={success:!0}),_.isObject(e)&&!_.isUndefined(e.success)?t[e.success?"resolveWith":"rejectWith"](this,[e.data]):t.rejectWith(this,[e])}).fail(function(){t.rejectWith(this,arguments)})})).promise()).abort=function(){return t.jqXHR.abort(),this},e}}}(jQuery);
wp-includes/kses.php
+2 -2
View File
@@ -1800,8 +1800,8 @@ function wp_kses_normalize_entities( $string, $context = 'html' ) {
} else {
$string = preg_replace_callback( '/&amp;([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string );
}
$string = preg_replace_callback( '/&amp;#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string );
$string = preg_replace_callback( '/&amp;#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string );
$string = preg_replace_callback( '/&amp;#(0*[1-9][0-9]{0,6});/', 'wp_kses_normalize_entities2', $string );
$string = preg_replace_callback( '/&amp;#[Xx](0*[1-9A-Fa-f][0-9A-Fa-f]{0,5});/', 'wp_kses_normalize_entities3', $string );
return $string;
}
wp-includes/media.php
+2 -2
View File
@@ -3812,14 +3812,14 @@ function wp_prepare_attachment_for_js( $attachment ) {
$post_parent = false;
}
if ( $post_parent ) {
if ( $post_parent && current_user_can( 'read_post', $attachment->post_parent ) ) {
$parent_type = get_post_type_object( $post_parent->post_type );
if ( $parent_type && $parent_type->show_ui && current_user_can( 'edit_post', $attachment->post_parent ) ) {
$response['uploadedToLink'] = get_edit_post_link( $attachment->post_parent, 'raw' );
}
if ( $parent_type && current_user_can( 'read_post', $attachment->post_parent ) ) {
if ( $parent_type ) {
$response['uploadedToTitle'] = $post_parent->post_title ? $post_parent->post_title : __( '(no title)' );
}
}
wp-includes/nav-menu.php
+1 -1
View File
@@ -492,7 +492,7 @@ function wp_update_nav_menu_item( $menu_id = 0, $menu_item_db_id = 0, $menu_item
}
}
if ( wp_unslash( $args['menu-item-title'] ) === wp_specialchars_decode( $original_title ) ) {
if ( wp_unslash( $args['menu-item-title'] ) === $original_title ) {
$args['menu-item-title'] = '';
}
wp-includes/template-loader.php
+9 -2
View File
@@ -101,8 +101,15 @@ if ( wp_using_themes() ) {
*
* @param string $template The path of the template to include.
*/
$template = apply_filters( 'template_include', $template );
if ( $template ) {
$template = apply_filters( 'template_include', $template );
$is_stringy = is_string( $template ) || ( is_object( $template ) && method_exists( $template, '__toString' ) );
$template = $is_stringy ? realpath( (string) $template ) : null;
if (
is_string( $template ) &&
( str_ends_with( $template, '.php' ) || str_ends_with( $template, '.html' ) ) &&
is_file( $template ) &&
is_readable( $template )
) {
include $template;
} elseif ( current_user_can( 'switch_themes' ) ) {
$theme = wp_get_theme();