Always URL-encode a stylesheet directory value before using it in a URL. These situations are saved by wp_nonce_url(), but we should not depend on that. see #21749, for trunk only.

git-svn-id: https://develop.svn.wordpress.org/trunk@21755 602fd350-edb4-49c9-b593-d223f7449a82
Andrew Nacin
2012-09-04 22:35:12 +00:00
parent a064f74572
commit 2951df0632
5 changed files with 21 additions and 20 deletions


@@ -46,7 +46,7 @@ get_current_screen()->set_help_sidebar(
wp_reset_vars( array( 'action', 'error', 'file', 'theme' ) );
if ( $theme )
$stylesheet = urldecode( $theme );
$stylesheet = $theme;
else
$stylesheet = get_stylesheet();
@@ -68,7 +68,7 @@ if ( empty( $file ) ) {
$relative_file = 'style.css';
$file = $allowed_files['style.css'];
} else {
$relative_file = urldecode( stripslashes( $file ) );
$relative_file = stripslashes( $file );
$file = $theme->get_stylesheet_directory() . '/' . $relative_file;
}
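Review bot: In the else branch of the second hunk, `$relative_file` is taken from the `file` variable that `wp_reset_vars()` resets in the first hunk (presumably request-supplied) and is appended to the stylesheet directory, with no containment check visible in these lines. Dropping the extra `urldecode()` means the value is no longer decoded a second time, but the path still depends entirely on a later check against `$allowed_files`, and that check lies outside the hunk. I would record that dependency where the path is built, for example `// $relative_file is request-supplied: $file must be validated against $allowed_files before any read or write.` The same applies to `$stylesheet = $theme;` in the first hunk, where the value should be resolved to an installed theme before it is used in a path. The surrounding script continues before and after both hunks, so this should be confirmed against the full file.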