Grouped backports for the 4.8 branch.

- XML-RPC: Switch to `wp_safe_remote()` when fetching a pingback URL.
- HTML API: Prevent `WP_HTML_Tag_Processor` instances being unserialized and add some extra logic for validating pattern and template file paths.
- KSES: Optimize PCRE pattern detecting numeric character references.
- Customize: Improve escaping approach used for nav menu attributes.
- Media: Ensure the attachment parent is accessible to the user before showing a link to it in the media manager.
- Administration: Ensure client-side templates are only detected when they're correctly associated with a script tag.
- Filesystem API: Don't attempt to extract invalid files from a zip when using the PclZip library.

Merges [61879-61884,61886-61887,61890,61913] to the 4.8 branch.

Props johnbillion, xknown, dmsnell, jorbin, peterwilson, desrosj, westonruter, jonsurrell, aurdasjb.


git-svn-id: https://develop.svn.wordpress.org/branches/4.8@62005 602fd350-edb4-49c9-b593-d223f7449a82

Author: johnbillion

src/wp-admin/includes/class-walker-nav-menu-checklist.php

@@ -103,15 +103,15 @@ public function start_el( &$output, $item, $depth = 0, $args = array(), $id = 0
 
 		// Menu item hidden fields
 		$output .= '<input type="hidden" class="menu-item-db-id" name="menu-item[' . $possible_object_id . '][menu-item-db-id]" value="' . $possible_db_id . '" />';
-		$output .= '<input type="hidden" class="menu-item-object" name="menu-item[' . $possible_object_id . '][menu-item-object]" value="'. esc_attr( $item->object ) .'" />';
-		$output .= '<input type="hidden" class="menu-item-parent-id" name="menu-item[' . $possible_object_id . '][menu-item-parent-id]" value="'. esc_attr( $item->menu_item_parent ) .'" />';
-		$output .= '<input type="hidden" class="menu-item-type" name="menu-item[' . $possible_object_id . '][menu-item-type]" value="'. esc_attr( $item->type ) .'" />';
-		$output .= '<input type="hidden" class="menu-item-title" name="menu-item[' . $possible_object_id . '][menu-item-title]" value="'. esc_attr( $item->title ) .'" />';
-		$output .= '<input type="hidden" class="menu-item-url" name="menu-item[' . $possible_object_id . '][menu-item-url]" value="'. esc_attr( $item->url ) .'" />';
-		$output .= '<input type="hidden" class="menu-item-target" name="menu-item[' . $possible_object_id . '][menu-item-target]" value="'. esc_attr( $item->target ) .'" />';
-		$output .= '<input type="hidden" class="menu-item-attr_title" name="menu-item[' . $possible_object_id . '][menu-item-attr_title]" value="'. esc_attr( $item->attr_title ) .'" />';
-		$output .= '<input type="hidden" class="menu-item-classes" name="menu-item[' . $possible_object_id . '][menu-item-classes]" value="'. esc_attr( implode( ' ', $item->classes ) ) .'" />';
-		$output .= '<input type="hidden" class="menu-item-xfn" name="menu-item[' . $possible_object_id . '][menu-item-xfn]" value="'. esc_attr( $item->xfn ) .'" />';
+		$output .= '<input type="hidden" class="menu-item-object" name="menu-item[' . $possible_object_id . '][menu-item-object]" value="' . esc_attr( $item->object ) . '" />';
+		$output .= '<input type="hidden" class="menu-item-parent-id" name="menu-item[' . $possible_object_id . '][menu-item-parent-id]" value="' . esc_attr( $item->menu_item_parent ) . '" />';
+		$output .= '<input type="hidden" class="menu-item-type" name="menu-item[' . $possible_object_id . '][menu-item-type]" value="' . esc_attr( $item->type ) . '" />';
+		$output .= '<input type="hidden" class="menu-item-title" name="menu-item[' . $possible_object_id . '][menu-item-title]" value="' . htmlspecialchars( $item->title, ENT_QUOTES ) . '" />';
+		$output .= '<input type="hidden" class="menu-item-url" name="menu-item[' . $possible_object_id . '][menu-item-url]" value="' . esc_attr( $item->url ) . '" />';
+		$output .= '<input type="hidden" class="menu-item-target" name="menu-item[' . $possible_object_id . '][menu-item-target]" value="' . esc_attr( $item->target ) . '" />';
+		$output .= '<input type="hidden" class="menu-item-attr_title" name="menu-item[' . $possible_object_id . '][menu-item-attr-title]" value="' . htmlspecialchars( $item->attr_title, ENT_QUOTES ) . '" />';
+		$output .= '<input type="hidden" class="menu-item-classes" name="menu-item[' . $possible_object_id . '][menu-item-classes]" value="' . htmlspecialchars( implode( ' ', $item->classes ), ENT_QUOTES ) . '" />';
+		$output .= '<input type="hidden" class="menu-item-xfn" name="menu-item[' . $possible_object_id . '][menu-item-xfn]" value="' . htmlspecialchars( $item->xfn, ENT_QUOTES ) . '" />';
 	}
 
 } // Walker_Nav_Menu_Checklist

src/wp-admin/includes/class-walker-nav-menu-edit.php

@@ -162,13 +162,13 @@ public function start_el( &$output, $item, $depth = 0, $args = array(), $id = 0
 				<p class="description description-wide">
 					<label for="edit-menu-item-title-<?php echo $item_id; ?>">
 						<?php _e( 'Navigation Label' ); ?><br />
-						<input type="text" id="edit-menu-item-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-title" name="menu-item-title[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $item->title ); ?>" />
+						<input type="text" id="edit-menu-item-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-title" name="menu-item-title[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $item->title, ENT_QUOTES ); ?>" />
 					</label>
 				</p>
 				<p class="field-title-attribute field-attr-title description description-wide">
 					<label for="edit-menu-item-attr-title-<?php echo $item_id; ?>">
 						<?php _e( 'Title Attribute' ); ?><br />
-						<input type="text" id="edit-menu-item-attr-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-attr-title" name="menu-item-attr-title[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $item->post_excerpt ); ?>" />
+						<input type="text" id="edit-menu-item-attr-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-attr-title" name="menu-item-attr-title[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $item->post_excerpt, ENT_QUOTES ); ?>" />
 					</label>
 				</p>
 				<p class="field-link-target description">
@@ -180,13 +180,13 @@ public function start_el( &$output, $item, $depth = 0, $args = array(), $id = 0
 				<p class="field-css-classes description description-thin">
 					<label for="edit-menu-item-classes-<?php echo $item_id; ?>">
 						<?php _e( 'CSS Classes (optional)' ); ?><br />
-						<input type="text" id="edit-menu-item-classes-<?php echo $item_id; ?>" class="widefat code edit-menu-item-classes" name="menu-item-classes[<?php echo $item_id; ?>]" value="<?php echo esc_attr( implode(' ', $item->classes ) ); ?>" />
+						<input type="text" id="edit-menu-item-classes-<?php echo $item_id; ?>" class="widefat code edit-menu-item-classes" name="menu-item-classes[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( implode( ' ', $item->classes ), ENT_QUOTES ); ?>" />
 					</label>
 				</p>
 				<p class="field-xfn description description-thin">
 					<label for="edit-menu-item-xfn-<?php echo $item_id; ?>">
 						<?php _e( 'Link Relationship (XFN)' ); ?><br />
-						<input type="text" id="edit-menu-item-xfn-<?php echo $item_id; ?>" class="widefat code edit-menu-item-xfn" name="menu-item-xfn[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $item->xfn ); ?>" />
+						<input type="text" id="edit-menu-item-xfn-<?php echo $item_id; ?>" class="widefat code edit-menu-item-xfn" name="menu-item-xfn[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $item->xfn, ENT_QUOTES ); ?>" />
 					</label>
 				</p>
 				<p class="field-description description description-wide">

src/wp-admin/includes/file.php

@@ -763,6 +763,11 @@ function _unzip_file_pclzip($file, $to, $needed_dirs = array()) {
 		if ( '__MACOSX/' === substr($file['filename'], 0, 9) ) // Skip the OS X-created __MACOSX directory
 			continue;
 
+		// Don't extract invalid files:
+		if ( 0 !== validate_file( $file['filename'] ) ) {
+			continue;
+		}
+
 		$uncompressed_size += $file['size'];
 
 		$needed_dirs[] = $to . untrailingslashit( $file['folder'] ? $file['filename'] : dirname($file['filename']) );

src/wp-includes/ID3/getid3.lib.php

@@ -523,7 +523,7 @@ public static function XML2array($XMLstring) {
 			// http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
 			// https://core.trac.wordpress.org/changeset/29378
 			$loader = libxml_disable_entity_loader(true);
-			$XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT);
+			$XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', 0);
 			$return = self::SimpleXMLelement2array($XMLobject);
 			libxml_disable_entity_loader($loader);
 			return $return;

src/wp-includes/class-wp-http-ixr-client.php

@@ -86,7 +86,7 @@ public function query() {
 			echo '<pre class="ixr_request">' . htmlspecialchars($xml) . "\n</pre>\n\n";
 		}
 
-		$response = wp_remote_post($url, $args);
+		$response = wp_safe_remote_post( $url, $args );
 
 		if ( is_wp_error($response) ) {
 			$errno    = $response->get_error_code();

src/wp-includes/js/wp-util.js

@@ -30,7 +30,11 @@ window.wp = window.wp || {};
 			};
 
 		return function ( data ) {
-			compiled = compiled || _.template( $( '#tmpl-' + id ).html(),  options );
+			var el = document.querySelector( 'script#tmpl-' + id );
+			if ( ! el ) {
+				throw new Error( 'Template not found: ' + '#tmpl-' + id );
+			}
+			compiled = compiled || _.template( $( el ).html(), options );
 			return compiled( data );
 		};
 	});

src/wp-includes/kses.php

@@ -540,7 +540,7 @@ function wp_kses_one_attr( $string, $element ) {
 	$allowed_html = wp_kses_allowed_html( 'post' );
 	$allowed_protocols = wp_allowed_protocols();
 	$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-	
+
 	// Preserve leading and trailing whitespace.
 	$matches = array();
 	preg_match('/^\s*/', $string, $matches);
@@ -552,7 +552,7 @@ function wp_kses_one_attr( $string, $element ) {
 	} else {
 		$string = substr( $string, strlen( $lead ), -strlen( $trail ) );
 	}
-	
+
 	// Parse attribute name and value from input.
 	$split = preg_split( '/\s*=\s*/', $string, 2 );
 	$name = $split[0];
@@ -589,7 +589,7 @@ function wp_kses_one_attr( $string, $element ) {
 		$value = '';
 		$vless = 'y';
 	}
-	
+
 	// Sanitize attribute by name.
 	wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html );
 
@@ -1124,7 +1124,7 @@ function wp_kses_attr_parse( $element ) {
 	} else {
 		$xhtml_slash = '';
 	}
-	
+
 	// Split it
 	$attrarr = wp_kses_hair_parse( $attr );
 	if ( false === $attrarr ) {
@@ -1134,7 +1134,7 @@ function wp_kses_attr_parse( $element ) {
 	// Make sure all input is returned by adding front and back matter.
 	array_unshift( $attrarr, $begin . $slash . $elname );
 	array_push( $attrarr, $xhtml_slash . $end );
-	
+
 	return $attrarr;
 }
 
@@ -1449,10 +1449,9 @@ function wp_kses_normalize_entities($string) {
 	// Disarm all entities by converting & to &
 	$string = str_replace('&', '&', $string);
 
-	// Change back the allowed entities in our entity whitelist
-	$string = preg_replace_callback('/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string);
-	$string = preg_replace_callback('/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string);
-	$string = preg_replace_callback('/&#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string);
+	$string = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string );
+	$string = preg_replace_callback( '/&#(0*+[1-9][0-9]{0,6});/', 'wp_kses_normalize_entities2', $string );
+	$string = preg_replace_callback( '/&#[Xx](0*+[1-9A-Fa-f][0-9A-Fa-f]{0,5});/', 'wp_kses_normalize_entities3', $string );
 
 	return $string;
 }

src/wp-includes/media.php

@@ -3150,14 +3150,14 @@ function wp_prepare_attachment_for_js( $attachment ) {
 		$post_parent = false;
 	}
 
-	if ( $post_parent ) {
+	if ( $post_parent && current_user_can( 'read_post', $attachment->post_parent ) ) {
 		$parent_type = get_post_type_object( $post_parent->post_type );
 
 		if ( $parent_type && $parent_type->show_ui && current_user_can( 'edit_post', $attachment->post_parent ) ) {
 			$response['uploadedToLink'] = get_edit_post_link( $attachment->post_parent, 'raw' );
 		}
 
-		if ( $parent_type && current_user_can( 'read_post', $attachment->post_parent ) ) {
+		if ( $parent_type ) {
 			$response['uploadedToTitle'] = $post_parent->post_title ? $post_parent->post_title : __( '(no title)' );
 		}
 	}

src/wp-includes/nav-menu.php

@@ -434,8 +434,9 @@ function wp_update_nav_menu_item( $menu_id = 0, $menu_item_db_id = 0, $menu_item
 			}
 		}
 
-		if ( $args['menu-item-title'] == $original_title )
+		if ( wp_unslash( $args['menu-item-title'] ) === $original_title ) {
 			$args['menu-item-title'] = '';
+		}
 
 		// hack to get wp to create a post object when too many properties are empty
 		if ( '' ==  $args['menu-item-title'] && '' == $args['menu-item-description'] )

src/wp-includes/template-loader.php

@@ -70,8 +70,16 @@
 	 *
 	 * @param string $template The path of the template to include.
 	 */
-	if ( $template = apply_filters( 'template_include', $template ) ) {
-		include( $template );
+	$template   = apply_filters( 'template_include', $template );
+	$is_stringy = is_string( $template ) || ( is_object( $template ) && method_exists( $template, '__toString' ) );
+	$template   = $is_stringy ? realpath( (string) $template ) : null;
+	if (
+		is_string( $template ) &&
+		( str_ends_with( $template, '.php' ) || str_ends_with( $template, '.html' ) ) &&
+		is_file( $template ) &&
+		is_readable( $template )
+	) {
+		include $template;
 	} elseif ( current_user_can( 'switch_themes' ) ) {
 		$theme = wp_get_theme();
 		if ( $theme->errors() ) {