From 7fba67e4b7ed27407e57dcfcd3f3870b6e9de6cc Mon Sep 17 00:00:00 2001
From: "Dominik Schilling (ocean90)" <ocean90@git.wordpress.org>
Date: Wed, 15 Apr 2015 16:32:03 +0000
Subject: [PATCH] Customizer: Escape theme preview URLs.

props johnbillion, ocean90.
see #31896.

git-svn-id: https://develop.svn.wordpress.org/trunk@32134 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/includes/theme.php                | 4 +++-
 src/wp-includes/class-wp-customize-control.php | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/wp-admin/includes/theme.php b/src/wp-admin/includes/theme.php
index 4024b395f4..a8c1fc0d50 100644
--- a/src/wp-admin/includes/theme.php
+++ b/src/wp-admin/includes/theme.php
@@ -511,6 +511,8 @@ function wp_prepare_themes_for_js( $themes = null ) {
  * @since 4.2.0
  */
 function customize_themes_print_templates() {
+	$preview_url = esc_url( add_query_arg( 'theme', '__THEME__' ) ); // Token because esc_url() strips curly braces.
+	$preview_url = str_replace( '__THEME__', '{{ data.id }}', $preview_url );
 	?>
 	<script type="text/html" id="tmpl-customize-themes-details-view">
 		<div class="theme-backdrop"></div>
@@ -550,7 +552,7 @@ function customize_themes_print_templates() {
 			<# if ( ! data.active ) { #>
 				<div class="theme-actions">
 					<div class="inactive-theme">
-						<a href="<?php echo add_query_arg( 'theme', '{{ data.id }}' ); ?>" target="_top" class="button button-primary"><?php _e( 'Live Preview' ); ?></a>
+						<a href="<?php echo $preview_url; ?>" target="_top" class="button button-primary"><?php _e( 'Live Preview' ); ?></a>
 					</div>
 				</div>
 			<# } #>
diff --git a/src/wp-includes/class-wp-customize-control.php b/src/wp-includes/class-wp-customize-control.php
index 024f16cfec..4ac0befb89 100644
--- a/src/wp-includes/class-wp-customize-control.php
+++ b/src/wp-includes/class-wp-customize-control.php
@@ -1243,7 +1243,8 @@ class WP_Customize_Theme_Control extends WP_Customize_Control {
 	 */
 	public function content_template() {
 		$current_url = set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
-		$preview_url = add_query_arg( 'theme', '{{ data.theme.id }}', $current_url );
+		$preview_url = esc_url( add_query_arg( 'theme', '__THEME__', $current_url ) ); // Token because esc_url() strips curly braces.
+		$preview_url = str_replace( '__THEME__', '{{ data.theme.id }}', $preview_url );
 		?>
 		<div class="theme" tabindex="0" data-preview-url="<?php echo esc_attr( $preview_url ); ?>" aria-describedby="{{ data.theme.id }}-action {{ data.theme.id }}-name">
 			<# if ( data.theme.screenshot[0] ) { #>