diff --git a/src/wp-admin/customize.php b/src/wp-admin/customize.php
index 29ae035599..7e69d13488 100644
--- a/src/wp-admin/customize.php
+++ b/src/wp-admin/customize.php
@@ -12,16 +12,20 @@ define( 'IFRAME_REQUEST', true );
 /** Load WordPress Administration Bootstrap */
 require_once( dirname( __FILE__ ) . '/admin.php' );
-if ( ! current_user_can( 'edit_theme_options' ) )
+if ( ! current_user_can( 'edit_theme_options' ) ) {
 wp_die( __( 'Cheatin’ uh?' ) );
+}
 wp_reset_vars( array( 'url', 'return' ) );
-$url = urldecode( $url );
+$url = wp_unslash( $url );
 $url = wp_validate_redirect( $url, home_url( '/' ) );
-if ( $return )
- $return = wp_validate_redirect( urldecode( $return ) );
-if ( ! $return )
+if ( $return ) {
+ $return = wp_unslash( $return );
+ $return = wp_validate_redirect( $return );
+}
+if ( ! $return ) {
 $return = $url;
+}
 global $wp_scripts, $wp_customize;
diff --git a/src/wp-admin/menu.php b/src/wp-admin/menu.php
index 4008a0986d..4910fd456a 100644
--- a/src/wp-admin/menu.php
+++ b/src/wp-admin/menu.php
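Review bot: The swap from `urldecode()` to `wp_unslash()` on `$url` and `$return` is the substantive fix in this hunk but lands without a why-comment, so the double-decode is easy to reintroduce; suggest `// Request vars are already URL-decoded by PHP and slashed by WP: unslash, do not urldecode() again.` above `wp_reset_vars()`. `wp_validate_redirect()` constrains only the target host, and for `$return` its fallback is `''`, which is why the `! $return` branch then substitutes `$url`; it is not an output escape, so wherever these two values are later written into markup or script — outside this hunk — `esc_url()` or `wp_json_encode()` is still needed at the point of output. The added braces are style only.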
@@ -146,9 +146,13 @@ $appearance_cap = current_user_can( 'switch_themes') ? 'switch_themes' : 'edit_t
 $menu[60] = array( __('Appearance'), $appearance_cap, 'themes.php', '', 'menu-top menu-icon-appearance', 'menu-appearance', 'dashicons-admin-appearance' );
 $submenu['themes.php'][5] = array( __( 'Themes' ), $appearance_cap, 'themes.php' );
- $submenu['themes.php'][6] = array( __( 'Customize' ), 'edit_theme_options', 'customize.php', 'hide-if-no-customize' );
- if ( current_theme_supports( 'menus' ) || current_theme_supports( 'widgets' ) )
+
+ $customize_url = add_query_arg( 'return', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), 'customize.php' );
+ $submenu['themes.php'][6] = array( __( 'Customize' ), 'edit_theme_options', $customize_url, 'hide-if-no-customize' );
+ unset( $customize_url );
+ if ( current_theme_supports( 'menus' ) || current_theme_supports( 'widgets' ) ) {
 $submenu['themes.php'][10] = array(__( 'Menus' ), 'edit_theme_options', 'nav-menus.php');
+ }
 unset( $appearance_cap );
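Review bot: The `urlencode()` wrapped around `wp_unslash( $_SERVER['REQUEST_URI'] )` on the `$customize_url` line is load-bearing and should say so, because `add_query_arg()` does not encode the values it is handed and REQUEST_URI is controlled by the requester; dropping it would let a crafted request path add parameters to the customize.php link or break out of the rendered `href`. Suggest `// urlencode() is required: add_query_arg() does not encode added values and REQUEST_URI is request-controlled.` above that line. The receiving side (`wp_validate_redirect()` in customize.php, first hunk) is what limits where `return` may point; the encoding here protects only the menu markup. `$_SERVER['REQUEST_URI']` is not guaranteed to be populated under every SAPI, so `isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : ''` would avoid a notice — minor.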