Changeset 61953

Timestamp:

03/12/2026 02:06:43 AM (2 weeks ago)

Author:

peterwilsoncc

Message:

Grouped backports for the 5.7 branch.

• XML-RPC: Switch to wp_safe_remote() when fetching a pingback URL.
• HTML API: Prevent WP_HTML_Tag_Processor instances being unserialized and add some extra logic for validating pattern and template file paths.
• KSES: Optimize PCRE pattern detecting numeric character references.
• Customize: Improve escaping approach used for nav menu attributes.
• Media: Ensure the attachment parent is accessible to the user before showing a link to it in the media manager.
• Administration: Ensure client-side templates are only detected when they're correctly associated with a script tag.
• Filesystem API: Don't attempt to extract invalid files from a zip when using the PclZip library.

Merges [61879-61885,61887,61890,61913] to the 5.7 branch.

Props johnbillion, xknown, dmsnell, jorbin, peterwilson, desrosj, westonruter, jonsurrell, aurdasjb.

Location:

branches/5.7

Files:

• . (modified) (1 prop)
• src/js/_enqueues/wp/util.js (modified) (1 diff)
• src/wp-admin/includes/class-walker-nav-menu-checklist.php (modified) (1 diff)
• src/wp-admin/includes/class-walker-nav-menu-edit.php (modified) (4 diffs)
• src/wp-admin/includes/file.php (modified) (1 diff)
• src/wp-includes/ID3/getid3.lib.php (modified) (1 diff)
• src/wp-includes/class-wp-http-ixr-client.php (modified) (1 diff)
• src/wp-includes/kses.php (modified) (1 diff)
• src/wp-includes/media.php (modified) (1 diff)
• src/wp-includes/nav-menu.php (modified) (1 diff)
• src/wp-includes/template-loader.php (modified) (1 diff)
• tests/phpunit/tests/post/nav-menu.php (modified) (2 diffs)
• tools/local-env/scripts/install.js (modified) (1 diff)

branches/5.7/src/js/_enqueues/wp/util.js

@@ -37 +37 @@
 
         return function ( data ) {
-            compiled = compiled || _.template( $( '#tmpl-' + id ).html(),  options );
+            var el = document.querySelector( 'script#tmpl-' + id );
+            if ( ! el ) {
+                throw new Error( 'Template not found: ' + '#tmpl-' + id );
+            }
+            compiled = compiled || _.template( $( el ).html(), options );
             return compiled( data );
         };

branches/5.7/src/wp-admin/includes/class-walker-nav-menu-checklist.php

@@ -112 +112 @@
         $output .= '<input type="hidden" class="menu-item-parent-id" name="menu-item[' . $possible_object_id . '][menu-item-parent-id]" value="' . esc_attr( $item->menu_item_parent ) . '" />';
         $output .= '<input type="hidden" class="menu-item-type" name="menu-item[' . $possible_object_id . '][menu-item-type]" value="' . esc_attr( $item->type ) . '" />';
-        $output .= '<input type="hidden" class="menu-item-title" name="menu-item[' . $possible_object_id . '][menu-item-title]" value="' . esc_attr( $item->title ) . '" />';
+        $output .= '<input type="hidden" class="menu-item-title" name="menu-item[' . $possible_object_id . '][menu-item-title]" value="' . htmlspecialchars( $item->title, ENT_QUOTES ) . '" />';
         $output .= '<input type="hidden" class="menu-item-url" name="menu-item[' . $possible_object_id . '][menu-item-url]" value="' . esc_attr( $item->url ) . '" />';
         $output .= '<input type="hidden" class="menu-item-target" name="menu-item[' . $possible_object_id . '][menu-item-target]" value="' . esc_attr( $item->target ) . '" />';
-        $output .= '<input type="hidden" class="menu-item-attr-title" name="menu-item[' . $possible_object_id . '][menu-item-attr-title]" value="' . esc_attr( $item->attr_title ) . '" />';
-        $output .= '<input type="hidden" class="menu-item-classes" name="menu-item[' . $possible_object_id . '][menu-item-classes]" value="' . esc_attr( implode( ' ', $item->classes ) ) . '" />';
-        $output .= '<input type="hidden" class="menu-item-xfn" name="menu-item[' . $possible_object_id . '][menu-item-xfn]" value="' . esc_attr( $item->xfn ) . '" />';
+        $output .= '<input type="hidden" class="menu-item-attr-title" name="menu-item[' . $possible_object_id . '][menu-item-attr-title]" value="' . htmlspecialchars( $item->attr_title, ENT_QUOTES ) . '" />';
+        $output .= '<input type="hidden" class="menu-item-classes" name="menu-item[' . $possible_object_id . '][menu-item-classes]" value="' . htmlspecialchars( implode( ' ', $item->classes ), ENT_QUOTES ) . '" />';
+        $output .= '<input type="hidden" class="menu-item-xfn" name="menu-item[' . $possible_object_id . '][menu-item-xfn]" value="' . htmlspecialchars( $item->xfn, ENT_QUOTES ) . '" />';
     }
 

branches/5.7/src/wp-admin/includes/class-walker-nav-menu-edit.php

@@ -193 +193 @@
                     <label for="edit-menu-item-title-<?php echo $item_id; ?>">
                         <?php _e( 'Navigation Label' ); ?><br />
-                        <input type="text" id="edit-menu-item-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-title" name="menu-item-title[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $item->title ); ?>" />
+                        <input type="text" id="edit-menu-item-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-title" name="menu-item-title[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $item->title, ENT_QUOTES ); ?>" />
                     </label>
                 </p>
@@ -199 +199 @@
                     <label for="edit-menu-item-attr-title-<?php echo $item_id; ?>">
                         <?php _e( 'Title Attribute' ); ?><br />
-                        <input type="text" id="edit-menu-item-attr-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-attr-title" name="menu-item-attr-title[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $item->post_excerpt ); ?>" />
+                        <input type="text" id="edit-menu-item-attr-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-attr-title" name="menu-item-attr-title[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $item->post_excerpt, ENT_QUOTES ); ?>" />
                     </label>
                 </p>
@@ -211 +211 @@
                     <label for="edit-menu-item-classes-<?php echo $item_id; ?>">
                         <?php _e( 'CSS Classes (optional)' ); ?><br />
-                        <input type="text" id="edit-menu-item-classes-<?php echo $item_id; ?>" class="widefat code edit-menu-item-classes" name="menu-item-classes[<?php echo $item_id; ?>]" value="<?php echo esc_attr( implode( ' ', $item->classes ) ); ?>" />
+                        <input type="text" id="edit-menu-item-classes-<?php echo $item_id; ?>" class="widefat code edit-menu-item-classes" name="menu-item-classes[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( implode( ' ', $item->classes ), ENT_QUOTES ); ?>" />
                     </label>
                 </p>
@@ -217 +217 @@
                     <label for="edit-menu-item-xfn-<?php echo $item_id; ?>">
                         <?php _e( 'Link Relationship (XFN)' ); ?><br />
-                        <input type="text" id="edit-menu-item-xfn-<?php echo $item_id; ?>" class="widefat code edit-menu-item-xfn" name="menu-item-xfn[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $item->xfn ); ?>" />
+                        <input type="text" id="edit-menu-item-xfn-<?php echo $item_id; ?>" class="widefat code edit-menu-item-xfn" name="menu-item-xfn[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $item->xfn, ENT_QUOTES ); ?>" />
                     </label>
                 </p>

branches/5.7/src/wp-admin/includes/file.php

@@ -1691 +1691 @@
         }
 
+        // Don't extract invalid files:
+        if ( 0 !== validate_file( $file['filename'] ) ) {
+            continue;
+        }
+
         $uncompressed_size += $file['size'];
 

branches/5.7/src/wp-includes/ID3/getid3.lib.php

@@ -724 +724 @@
             // https://core.trac.wordpress.org/changeset/29378
             // This function has been deprecated in PHP 8.0 because in libxml 2.9.0, external entity loading is
-            // disabled by default, but is still needed when LIBXML_NOENT is used.
+            // disabled by default.
             $loader = @libxml_disable_entity_loader(true);
-            $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT);
+            $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', 0);
             $return = self::SimpleXMLelement2array($XMLobject);
             @libxml_disable_entity_loader($loader);

branches/5.7/src/wp-includes/class-wp-http-ixr-client.php

@@ -89 +89 @@
         }
 
-        $response = wp_remote_post( $url, $args );
+        $response = wp_safe_remote_post( $url, $args );
 
         if ( is_wp_error( $response ) ) {

branches/5.7/src/wp-includes/kses.php

@@ -1801 +1801 @@
         $string = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string );
     }
-    $string = preg_replace_callback( '/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string );
-    $string = preg_replace_callback( '/&#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string );
+    $string = preg_replace_callback( '/&#(0*[1-9][0-9]{0,6});/', 'wp_kses_normalize_entities2', $string );
+    $string = preg_replace_callback( '/&#[Xx](0*[1-9A-Fa-f][0-9A-Fa-f]{0,5});/', 'wp_kses_normalize_entities3', $string );
 
     return $string;

branches/5.7/src/wp-includes/media.php

@@ -3987 +3987 @@
     if ( $attachment->post_parent ) {
         $post_parent = get_post( $attachment->post_parent );
-        if ( $post_parent ) {
+        if ( $post_parent && current_user_can( 'read_post', $attachment->post_parent ) ) {
             $response['uploadedToTitle'] = $post_parent->post_title ? $post_parent->post_title : __( '(no title)' );
             $response['uploadedToLink']  = get_edit_post_link( $attachment->post_parent, 'raw' );

branches/5.7/src/wp-includes/nav-menu.php

@@ -495 +495 @@
         }
 
-        if ( wp_unslash( $args['menu-item-title'] ) === wp_specialchars_decode( $original_title ) ) {
+        if ( wp_unslash( $args['menu-item-title'] ) === $original_title ) {
             $args['menu-item-title'] = '';
         }

branches/5.7/src/wp-includes/template-loader.php

@@ -102 +102 @@
      * @param string $template The path of the template to include.
      */
-    $template = apply_filters( 'template_include', $template );
-    if ( $template ) {
+    $template   = apply_filters( 'template_include', $template );
+    $is_stringy = is_string( $template ) || ( is_object( $template ) && method_exists( $template, '__toString' ) );
+    $template   = $is_stringy ? realpath( (string) $template ) : null;
+    if (
+        is_string( $template ) &&
+        ( str_ends_with( $template, '.php' ) || str_ends_with( $template, '.html' ) ) &&
+        is_file( $template ) &&
+        is_readable( $template )
+    ) {
         include $template;
     } elseif ( current_user_can( 'switch_themes' ) ) {

branches/5.7/tests/phpunit/tests/post/nav-menu.php

@@ -974 +974 @@
         );
 
+        $this->assertSame( 'Test Cat - "Pre-Slashed" Cat Name & >', $category->name );
+
         $category_item_id = wp_update_nav_menu_item(
             $this->menu_id,
@@ -982 +984 @@
                 'menu-item-object-id' => $category->term_id,
                 'menu-item-status'    => 'publish',
-                /*
-                 * Interestingly enough, if we use `$cat->name` for the menu item title,
-                 * we won't be able to replicate the bug because it's in htmlentities form.
-                 */
-                'menu-item-title'     => $category_name,
+                'menu-item-title'     => $category->name,
             )
         );

branches/5.7/tools/local-env/scripts/install.js

@@ -38 +38 @@
         wp_cli( 'db reset --yes' );
         wp_cli( `core install --title="WordPress Develop" --admin_user=admin --admin_password=password --admin_email=test@test.com --skip-email --url=http://localhost:${process.env.LOCAL_PORT}` );
+        wp_cli( `rewrite structure '/%year%/%monthnum%/%postname%/'` );
     } );