case 'update':
+ check_admin_referer('edit-theme_' . $file . $theme);
+
if ( !current_user_can('edit_themes') )
die('<p>'.__('You have do not have sufficient permissions to edit templates for this blog.').'</p>');
$f = fopen($real_file, 'w+');
fwrite($f, $newcontent);
fclose($f);
- header("Location: theme-editor.php?file=$file&theme=$theme&a=te");
+ $location = "theme-editor.php?file=$file&theme=$theme&a=te";
} else {
- header("Location: theme-editor.php?file=$file&theme=$theme");
+ $location = "theme-editor.php?file=$file&theme=$theme";
}
+ $location = wp_kses_no_null($location);
+ $strip = array('%0d', '%0a');
+ $location = str_replace($strip, '', $location);
+ header("Location: $location");
exit();
break;
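Review bot: The strip list only removes the percent-encoded forms `%0d` and `%0a`, but `$file` and `$theme` are interpolated into the Location URL as already-decoded request values, so literal CR/LF bytes would still terminate the header line; add the raw characters as well, `$strip = array('%0d', '%0a', "\r", "\n");`. Whether `$file` and `$theme` are validated before this `switch` (a path or whitelist check) is not visible here, so this may be defence in depth rather than an open hole, but the filter as written does not match the threat it names. The nonce check correctly runs before any write, and the enclosing `switch` begins above the hunk.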
$theme_name = $a_theme['Name'];
if ($theme_name == $theme) $selected = " selected='selected'";
else $selected = '';
- $theme_name = wp_specialchars($theme_name, true);
+ $theme_name = attribute_escape($theme_name);
echo "\n\t<option value=\"$theme_name\" $selected>$theme_name</option>";
}
?>
if (!$error) {
?>
<form name="template" id="template" action="theme-editor.php" method="post">
+ <?php wp_nonce_field('edit-theme_' . $file . $theme) ?>
<div><textarea cols="70" rows="25" name="newcontent" id="newcontent" tabindex="1"><?php echo $content ?></textarea>
<input type="hidden" name="action" value="update" />
<input type="hidden" name="file" value="<?php echo $file ?>" />
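Review bot: `$file` is still echoed raw into the hidden input on the last line of the hunk, while this same commit moved the theme name to `attribute_escape()`; since the value round-trips through the request and back into the redirect, use `value="<?php echo attribute_escape($file) ?>"`. The textarea on the line above echoes `$content` directly and I cannot see how it was prepared, so confirm it passed through `htmlspecialchars()` — a `</textarea>` inside a theme file would otherwise break out of the element. The nonce action concatenates `$file` and `$theme` with no separator, so distinct (file, theme) pairs can produce the same action string; `wp_nonce_field('edit-theme_' . $file . '|' . $theme)` with the matching change in `check_admin_referer()` would make the binding unambiguous. The form element continues past the hunk.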