From ae0d5be06c7dda4a0494fc0e656a54d177ca1643 Mon Sep 17 00:00:00 2001
From: Ryan Boren
Date: Sat, 10 Dec 2011 18:26:48 +0000
Subject: [PATCH] Best practice, use wp_safe_redirect() when dealing with referrers. Props nacin.
git-svn-id: https://develop.svn.wordpress.org/trunk@19579 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-admin/edit-comments.php | 4 ++--
 wp-admin/includes/misc.php | 2 +-
 wp-admin/network/site-themes.php | 4 ++--
 wp-admin/network/site-users.php | 4 ++--
 wp-admin/network/sites.php | 22 +++++++++++-----------
 wp-admin/network/themes.php | 14 +++++++-------
 wp-admin/network/users.php | 2 +-
 7 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/wp-admin/edit-comments.php b/wp-admin/edit-comments.php
index e232e5deb4..224d36741c 100644
--- a/wp-admin/edit-comments.php
+++ b/wp-admin/edit-comments.php
@@ -30,7 +30,7 @@ if ( $doaction ) {
 } elseif ( isset( $_REQUEST['ids'] ) ) {
 $comment_ids = array_map( 'absint', explode( ',', $_REQUEST['ids'] ) );
 } elseif ( wp_get_referer() ) {
- wp_redirect( wp_get_referer() );
+ wp_safe_redirect( wp_get_referer() );
 exit;
 }
@@ -92,7 +92,7 @@ if ( $doaction ) {
 if ( $trashed || $spammed )
 $redirect_to = add_query_arg( 'ids', join( ',', $comment_ids ), $redirect_to );
- wp_redirect( $redirect_to );
+ wp_safe_redirect( $redirect_to );
 exit;
 } elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
 wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );
diff --git a/wp-admin/includes/misc.php b/wp-admin/includes/misc.php
index e1670f1a2e..594ec7a7fd 100644
--- a/wp-admin/includes/misc.php
+++ b/wp-admin/includes/misc.php
@@ -367,7 +367,7 @@ function set_screen_options() {
 }
 update_user_meta($user->ID, $option, $value);
- wp_redirect( remove_query_arg( array('pagenum', 'apage', 'paged'), wp_get_referer() ) );
+ wp_safe_redirect( remove_query_arg( array('pagenum', 'apage', 'paged'), wp_get_referer() ) );
 exit;
 }
 }
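Review bot: The last context line of the second edit-comments.php hunk, `wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );`, is still wp_redirect() although REQUEST_URI is supplied by the client just as the referrer is, and the commit's own rationale for switching to wp_safe_redirect() applies to it equally. Changing it to `wp_safe_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), stripslashes( $_SERVER['REQUEST_URI'] ) ) );` keeps that fallback pinned to the site's allowed hosts at no cost. Whether a request URI can actually reach this branch as something other than a site-relative path depends on the web server's normalisation, which is not visible here, so I raise it as a consistency point rather than a confirmed defect. The enclosing if/elseif chain continues past the hunk.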
diff --git a/wp-admin/network/site-themes.php b/wp-admin/network/site-themes.php
index 6468175943..0ff479acb7 100644
--- a/wp-admin/network/site-themes.php
+++ b/wp-admin/network/site-themes.php
@@ -118,12 +118,12 @@ if ( $action ) {
 update_option( 'allowedthemes', $allowed_themes );
 restore_current_blog();
- wp_redirect( add_query_arg( array( 'id' => $id, $action => $n ), $referer ) );
+ wp_safe_redirect( add_query_arg( array( 'id' => $id, $action => $n ), $referer ) );
 exit;
 }
 if ( isset( $_GET['action'] ) && 'update-site' == $_GET['action'] ) {
- wp_redirect( $referer );
+ wp_safe_redirect( $referer );
 exit();
 }
diff --git a/wp-admin/network/site-users.php b/wp-admin/network/site-users.php
index b45617fd78..743e9053e0 100644
--- a/wp-admin/network/site-users.php
+++ b/wp-admin/network/site-users.php
@@ -153,12 +153,12 @@ if ( $action ) {
 }
 restore_current_blog();
- wp_redirect( add_query_arg( 'update', $update, $referer ) );
+ wp_safe_redirect( add_query_arg( 'update', $update, $referer ) );
 exit();
 }
 if ( isset( $_GET['action'] ) && 'update-site' == $_GET['action'] ) {
- wp_redirect( $referer );
+ wp_safe_redirect( $referer );
 exit();
 }
diff --git a/wp-admin/network/sites.php b/wp-admin/network/sites.php
index 5ed6d3468a..95902ebbd4 100644
--- a/wp-admin/network/sites.php
+++ b/wp-admin/network/sites.php
@@ -63,9 +63,9 @@ if ( isset( $_GET['action'] ) ) {
 if ( $id != '0' && $id != $current_site->blog_id && current_user_can( 'delete_site', $id ) ) {
 wpmu_delete_blog( $id, true );
- wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'delete' ), wp_get_referer() ) );
+ wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'delete' ), wp_get_referer() ) );
 } else {
- wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'not_deleted' ), wp_get_referer() ) );
+ wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'not_deleted' ), wp_get_referer() ) );
 }
 exit();
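Review bot: In the sites.php hunk at -63 both new redirect targets are built as `add_query_arg( array( ... ), wp_get_referer() )`, but wp_get_referer() returns false when the request carries no Referer header, and add_query_arg() then (as far as I recall its implementation) falls back to `$_SERVER['REQUEST_URI']`, which here is the very action URL that was just executed, nonce included. A referrer-less request may therefore be redirected back into the same handler instead of onto the list page. The first edit-comments.php hunk guards this case explicitly; the same shape would be `$location = wp_get_referer() ? wp_get_referer() : network_admin_url( 'sites.php' );` computed once before the if, with each call becoming `wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'delete' ), $location ) );` (and likewise for 'not_deleted'). The remaining sites.php hunks (-110 through -195) and the users.php hunk at -166 use the same pattern and would take the same guard; the enclosing switch starts outside the hunk.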
@@ -110,7 +110,7 @@ if ( isset( $_GET['action'] ) ) {
 }
 }
- wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => $blogfunction ), wp_get_referer() ) );
+ wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => $blogfunction ), wp_get_referer() ) );
 } else {
 wp_redirect( network_admin_url( 'sites.php' ) );
 }
@@ -123,7 +123,7 @@ if ( isset( $_GET['action'] ) ) {
 wp_die( __( 'You do not have permission to access this page.' ) );
 update_blog_status( $id, 'archived', '1' );
- wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'archive' ), wp_get_referer() ) );
+ wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'archive' ), wp_get_referer() ) );
 exit();
 break;
@@ -133,7 +133,7 @@ if ( isset( $_GET['action'] ) ) {
 wp_die( __( 'You do not have permission to access this page.' ) );
 update_blog_status( $id, 'archived', '0' );
- wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'unarchive' ), wp_get_referer() ) );
+ wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'unarchive' ), wp_get_referer() ) );
 exit();
 break;
@@ -144,7 +144,7 @@ if ( isset( $_GET['action'] ) ) {
 update_blog_status( $id, 'deleted', '0' );
 do_action( 'activate_blog', $id );
- wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'activate' ), wp_get_referer() ) );
+ wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'activate' ), wp_get_referer() ) );
 exit();
 break;
@@ -155,7 +155,7 @@ if ( isset( $_GET['action'] ) ) {
 do_action( 'deactivate_blog', $id );
 update_blog_status( $id, 'deleted', '1' );
- wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'deactivate' ), wp_get_referer() ) );
+ wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'deactivate' ), wp_get_referer() ) );
 exit();
 break;
@@ -165,7 +165,7 @@ if ( isset( $_GET['action'] ) ) {
 wp_die( __( 'You do not have permission to access this page.' ) );
 update_blog_status( $id, 'spam', '0' );
- wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'unspam' ), wp_get_referer() ) );
+ wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'unspam' ), wp_get_referer() ) );
 exit();
 break;
@@ -175,7 +175,7 @@ if ( isset( $_GET['action'] ) ) {
 wp_die( __( 'You do not have permission to access this page.' ) );
 update_blog_status( $id, 'spam', '1' );
- wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'spam' ), wp_get_referer() ) );
+ wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'spam' ), wp_get_referer() ) );
 exit();
 break;
@@ -185,7 +185,7 @@ if ( isset( $_GET['action'] ) ) {
 wp_die( __( 'You do not have permission to access this page.' ) );
 update_blog_status( $id, 'mature', '0' );
- wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'unmature' ), wp_get_referer() ) );
+ wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'unmature' ), wp_get_referer() ) );
 exit();
 break;
@@ -195,7 +195,7 @@ if ( isset( $_GET['action'] ) ) {
 wp_die( __( 'You do not have permission to access this page.' ) );
 update_blog_status( $id, 'mature', '1' );
- wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'mature' ), wp_get_referer() ) );
+ wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'mature' ), wp_get_referer() ) );
 exit();
 break;
diff --git a/wp-admin/network/themes.php b/wp-admin/network/themes.php
index c9d09913ed..611c0957f4 100644
--- a/wp-admin/network/themes.php
+++ b/wp-admin/network/themes.php
@@ -47,33 +47,33 @@ if ( $action ) {
 check_admin_referer('disable-theme_' . $_GET['theme']);
 unset( $allowed_themes[ $_GET['theme'] ] );
 update_site_option( 'allowedthemes', $allowed_themes );
- wp_redirect( add_query_arg( 'disabled', '1', $referer ) );
+ wp_safe_redirect( add_query_arg( 'disabled', '1', $referer ) );
 exit;
 break;
 case 'enable-selected':
 check_admin_referer('bulk-themes');
 $themes = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
 if ( empty($themes) ) {
- wp_redirect( add_query_arg( 'error', 'none', $referer ) );
+ wp_safe_redirect( add_query_arg( 'error', 'none', $referer ) );
 exit;
 }
 foreach( (array) $themes as $theme )
 $allowed_themes[ $theme ] = true;
 update_site_option( 'allowedthemes', $allowed_themes );
- wp_redirect( add_query_arg( 'enabled', count( $themes ), $referer ) );
+ wp_safe_redirect( add_query_arg( 'enabled', count( $themes ), $referer ) );
 exit;
 break;
 case 'disable-selected':
 check_admin_referer('bulk-themes');
 $themes = isset( $_POST['checked'] ) ? (array) $_POST['checked'] : array();
 if ( empty($themes) ) {
- wp_redirect( add_query_arg( 'error', 'none', $referer ) );
+ wp_safe_redirect( add_query_arg( 'error', 'none', $referer ) );
 exit;
 }
 foreach( (array) $themes as $theme )
 unset( $allowed_themes[ $theme ] );
 update_site_option( 'allowedthemes', $allowed_themes );
- wp_redirect( add_query_arg( 'disabled', count( $themes ), $referer ) );
+ wp_safe_redirect( add_query_arg( 'disabled', count( $themes ), $referer ) );
 exit;
 break;
 case 'update-selected' :
@@ -117,7 +117,7 @@ if ( $action ) {
 unset( $themes[ get_option( 'stylesheet' ) ] );
 if ( empty( $themes ) ) {
- wp_redirect( add_query_arg( 'error', 'none', $referer ) );
+ wp_safe_redirect( add_query_arg( 'error', 'none', $referer ) );
 exit;
 }
@@ -134,7 +134,7 @@ if ( $action ) {
 }
 if ( empty( $themes ) ) {
- wp_redirect( add_query_arg( 'error', 'main', $referer ) );
+ wp_safe_redirect( add_query_arg( 'error', 'main', $referer ) );
 exit;
 }
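Review bot: In the enable-selected and disable-selected branches of the -47 hunk the raw `$_POST['checked']` values are written into the network-wide `allowedthemes` option as array keys (`$allowed_themes[ $theme ] = true;`) without being checked against the installed themes, and the disable-theme branch above them uses `$_GET['theme']` as a key in the same way. The nonce checks on these lines cover request forgery but say nothing about the content of the values, so any string a network admin submits is persisted; if the list is already validated against the installed-themes array elsewhere on the page, disregard this. A minimal guard would be to intersect `$themes` with the keys of the installed-themes array the page already holds (its name is not visible in the hunk) before either foreach, and to skip the unset when `$_GET['theme']` is not a known key. The `break;` lines directly after `exit;` are unreachable and could be dropped when these branches are next touched; the enclosing switch starts outside the hunk.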
diff --git a/wp-admin/network/users.php b/wp-admin/network/users.php
index 92695b9655..25d853d9f0 100644
--- a/wp-admin/network/users.php
+++ b/wp-admin/network/users.php
@@ -166,7 +166,7 @@ if ( isset( $_GET['action'] ) ) {
 }
 }
- wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => $userfunction ), wp_get_referer() ) );
+ wp_safe_redirect( add_query_arg( array( 'updated' => 'true', 'action' => $userfunction ), wp_get_referer() ) );
 } else {
 $location = network_admin_url( 'users.php' );