case 'update':
+ check_admin_referer('edit-file_' . $file);
+
if ( ! current_user_can('edit_files') )
die('<p>'.__('You have do not have sufficient permissions to edit templates for this blog.').'</p>');
if ( $f ) {
fwrite($f, $newcontent);
fclose($f);
- header("Location: templates.php?file=$file&a=te");
+ wp_redirect("templates.php?file=$file&a=te");
} else {
- header("Location: templates.php?file=$file&a=err");
+ wp_redirect("templates.php?file=$file&a=err");
}
} else {
- header("Location: templates.php?file=$file&a=err");
+ wp_redirect("templates.php?file=$file&a=err");
}
exit();
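Review bot: The new wp_redirect() calls on lines 10, 13 and 17 still interpolate `$file` raw into the query string, so a file name containing `&`, `#` or `%` produces a malformed `templates.php?file=...` URL even though the same value is escaped when it is rendered as a link in the recents list. Using `wp_redirect("templates.php?file=" . urlencode($file) . "&a=te")` (and likewise for the `a=err` branches) keeps the round-trip lossless; whether wp_redirect() itself strips CR/LF from the location cannot be confirmed from this hunk. The surrounding `switch` and the `if`/`else` that opens before line 6 start outside the hunk.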
update_recently_edited($file);
- if (!is_file($real_file))
+ if ( !is_file($real_file) ) {
$error = true;
-
- if (!$error) {
+ } else {
$f = @ fopen($real_file, 'r');
if ( $f ) {
- $content = fread($f, filesize($real_file));
- $content = htmlspecialchars($content);
+ if ( filesize($real_file ) > 0 ) {
+ $content = fread($f, filesize($real_file));
+ $content = htmlspecialchars($content);
+ } else {
+ $content = '';
+ }
} else {
$error = true;
}
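Review bot: The zero-length guard added on lines 31-36 still leaves the result of `fread()` unchecked on line 32 — a short or failed read (it can return `false`) is passed straight to htmlspecialchars() and shown as the file's content rather than setting `$error`. The `@` on `fopen()` at line 27 also hides the reason the handle could not be opened, and no `fclose($f)` appears in the hunk for the read handle. I would write `$content = fread($f, filesize($real_file)); if ($content === false) { $error = true; } else { $content = htmlspecialchars($content); }` and close the handle after the branch, if it is not closed further down. The `else` branch opened on line 26 closes outside the hunk.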
<?php
echo '<ol>';
foreach ($recents as $recent) :
- echo "<li><a href='templates.php?file=$recent'>" . get_file_description(basename($recent)) . "</a></li>";
+ echo "<li><a href='templates.php?file=" . attribute_escape($recent) . "'>" . wp_specialchars(get_file_description(basename($recent))) . "</a></li>";
endforeach;
echo '</ol>';
endif;
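Review bot: attribute_escape() on line 44 only makes `$recent` safe for the HTML attribute context; it does not URL-encode, so a recent file name containing `&`, `#` or `?` still splits the `file=` query parameter when the link is followed. Escaping for both contexts would be `"templates.php?file=" . attribute_escape(urlencode($recent))`. The wp_specialchars() wrapper on the description text is the right call for the element-content position. The `if` that this `endif;` closes starts outside the hunk.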
</div>
<?php if (!$error) { ?>
<form name="template" id="template" action="templates.php" method="post">
+ <?php wp_nonce_field('edit-file_' . $file) ?>
<div><textarea cols="70" rows="25" name="newcontent" id='newcontent' tabindex="1"><?php echo $content ?></textarea>
<input type="hidden" name="action" value="update" />
<input type="hidden" name="file" value="<?php echo $file ?>" />
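Review bot: Line 54, a context line next to the new nonce field, still echoes `$file` unescaped into the hidden input's `value` attribute, while the same value is passed through attribute_escape() when it is rendered as a link in the recents list — if `$file` originates from the request (not visible here), a `"` in it breaks out of the attribute. The fix is one line: `<input type="hidden" name="file" value="<?php echo attribute_escape($file) ?>" />`. The nonce action on line 51 matches the `check_admin_referer('edit-file_' . $file)` check in the update branch, so the nonce is correctly bound to the file being edited. The form element continues past the end of the hunk.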