Changeset 62001 for branches/5.2/src/wp-includes/template-loader.php

Timestamp:

03/13/2026 12:29:20 PM (2 weeks ago)

Author:

johnbillion

Message:

Grouped backports for the 5.2 branch.

• XML-RPC: Switch to wp_safe_remote() when fetching a pingback URL.
• HTML API: Prevent WP_HTML_Tag_Processor instances being unserialized and add some extra logic for validating pattern and template file paths.
• KSES: Optimize PCRE pattern detecting numeric character references.
• Customize: Improve escaping approach used for nav menu attributes.
• Media: Ensure the attachment parent is accessible to the user before showing a link to it in the media manager.
• Administration: Ensure client-side templates are only detected when they're correctly associated with a script tag.
• Filesystem API: Don't attempt to extract invalid files from a zip when using the PclZip library.

Merges [61879-61884,61886-61887,61890,61913] to the 5.2 branch.

Props johnbillion, xknown, dmsnell, jorbin, peterwilson, desrosj, westonruter, jonsurrell, aurdasjb.

Location:

branches/5.2

Files:

• . (modified) (1 prop)
• src/wp-includes/template-loader.php (modified) (1 diff)

branches/5.2/src/wp-includes/template-loader.php

@@ -75 +75 @@
      * @param string $template The path of the template to include.
      */
-    if ( $template = apply_filters( 'template_include', $template ) ) {
-        include( $template );
+    $template   = apply_filters( 'template_include', $template );
+    $is_stringy = is_string( $template ) || ( is_object( $template ) && method_exists( $template, '__toString' ) );
+    $template   = $is_stringy ? realpath( (string) $template ) : null;
+    if (
+        is_string( $template ) &&
+        ( str_ends_with( $template, '.php' ) || str_ends_with( $template, '.html' ) ) &&
+        is_file( $template ) &&
+        is_readable( $template )
+    ) {
+        include $template;
     } elseif ( current_user_can( 'switch_themes' ) ) {
         $theme = wp_get_theme();