Issues (4967)

Security Analysis: not enabled

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is, for example, used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/wp-admin/menu.php (1 issue)


Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

<?php
/**
 * Build Administration Menu.
 *
 * @package WordPress
 * @subpackage Administration
 */

/**
 * Constructs the admin menu.
 *
 * The elements in the array are :
 *     0: Menu item name
 *     1: Minimum level or capability required.
 *     2: The URL of the item's file
 *     3: Class
 *     4: ID
 *     5: Icon for top level menu
 *
 * @global array $menu
 */

$menu[2] = array( __('Dashboard'), 'read', 'index.php', '', 'menu-top menu-top-first menu-icon-dashboard', 'menu-dashboard', 'dashicons-dashboard' );

$submenu[ 'index.php' ][0] = array( __('Home'), 'read', 'index.php' );

if ( is_multisite() ) {
	$submenu[ 'index.php' ][5] = array( __('My Sites'), 'read', 'my-sites.php' );
}

if ( ! is_multisite() || current_user_can( 'update_core' ) ) {
	$update_data = wp_get_update_data();
}

if ( ! is_multisite() ) {
	if ( current_user_can( 'update_core' ) )
		$cap = 'update_core';
	elseif ( current_user_can( 'update_plugins' ) )
		$cap = 'update_plugins';
	else
		$cap = 'update_themes';
	$submenu[ 'index.php' ][10] = array( sprintf( __('Updates %s'), "<span class='update-plugins count-{$update_data['counts']['total']}'><span class='update-count'>" . number_format_i18n($update_data['counts']['total']) . "</span></span>" ), $cap, 'update-core.php');
	unset( $cap );
}

$menu[4] = array( '', 'read', 'separator1', '', 'wp-menu-separator' );

// $menu[5] = Posts

$menu[10] = array( __('Media'), 'upload_files', 'upload.php', '', 'menu-top menu-icon-media', 'menu-media', 'dashicons-admin-media' );
	$submenu['upload.php'][5] = array( __('Library'), 'upload_files', 'upload.php');
	/* translators: add new file */
	$submenu['upload.php'][10] = array( _x('Add New', 'file'), 'upload_files', 'media-new.php');
	$i = 15;
	foreach ( get_taxonomies_for_attachments( 'objects' ) as $tax ) {
		if ( ! $tax->show_ui || ! $tax->show_in_menu )
			continue;

		$submenu['upload.php'][$i++] = array( esc_attr( $tax->labels->menu_name ), $tax->cap->manage_terms, 'edit-tags.php?taxonomy=' . $tax->name . '&amp;post_type=attachment' );
	}
	unset( $tax, $i );

$menu[15] = array( __('Links'), 'manage_links', 'link-manager.php', '', 'menu-top menu-icon-links', 'menu-links', 'dashicons-admin-links' );
	$submenu['link-manager.php'][5] = array( _x('All Links', 'admin menu'), 'manage_links', 'link-manager.php' );
	/* translators: add new links */
	$submenu['link-manager.php'][10] = array( _x('Add New', 'link'), 'manage_links', 'link-add.php' );
	$submenu['link-manager.php'][15] = array( __('Link Categories'), 'manage_categories', 'edit-tags.php?taxonomy=link_category' );

// $menu[20] = Pages

// Avoid the comment count query for users who cannot edit_posts.
if ( current_user_can( 'edit_posts' ) ) {
	$awaiting_mod = wp_count_comments();
	$awaiting_mod = $awaiting_mod->moderated;
	$menu[25] = array(
		sprintf( __( 'Comments %s' ), '<span class="awaiting-mod count-' . absint( $awaiting_mod ) . '"><span class="pending-count">' . number_format_i18n( $awaiting_mod ) . '</span></span>' ),
		'edit_posts',
		'edit-comments.php',
		'',
		'menu-top menu-icon-comments',
		'menu-comments',
		'dashicons-admin-comments',
	);
	unset( $awaiting_mod );
}

$submenu[ 'edit-comments.php' ][0] = array( __('All Comments'), 'edit_posts', 'edit-comments.php' );

$_wp_last_object_menu = 25; // The index of the last top-level menu in the object menu group

$types = (array) get_post_types( array('show_ui' => true, '_builtin' => false, 'show_in_menu' => true ) );
$builtin = array( 'post', 'page' );
foreach ( array_merge( $builtin, $types ) as $ptype ) {
	$ptype_obj = get_post_type_object( $ptype );
	// Check if it should be a submenu.
	if ( $ptype_obj->show_in_menu !== true )
		continue;
	$ptype_menu_position = is_int( $ptype_obj->menu_position ) ? $ptype_obj->menu_position : ++$_wp_last_object_menu; // If we're to use $_wp_last_object_menu, increment it first.
	$ptype_for_id = sanitize_html_class( $ptype );

	$menu_icon = 'dashicons-admin-post';
	if ( is_string( $ptype_obj->menu_icon ) ) {
		// Special handling for data:image/svg+xml and Dashicons.
		if ( 0 === strpos( $ptype_obj->menu_icon, 'data:image/svg+xml;base64,' ) || 0 === strpos( $ptype_obj->menu_icon, 'dashicons-' ) ) {
			$menu_icon = $ptype_obj->menu_icon;
		} else {
			$menu_icon = esc_url( $ptype_obj->menu_icon );
		}
	} elseif ( in_array( $ptype, $builtin ) ) {
		$menu_icon = 'dashicons-admin-' . $ptype;
	}

	$menu_class = 'menu-top menu-icon-' . $ptype_for_id;
	// 'post' special case
	if ( 'post' === $ptype ) {
		$menu_class .= ' open-if-no-js';
		$ptype_file = "edit.php";
		$post_new_file = "post-new.php";
		$edit_tags_file = "edit-tags.php?taxonomy=%s";
	} else {
		$ptype_file = "edit.php?post_type=$ptype";
		$post_new_file = "post-new.php?post_type=$ptype";
		$edit_tags_file = "edit-tags.php?taxonomy=%s&amp;post_type=$ptype";
	}

	if ( in_array( $ptype, $builtin ) ) {
		$ptype_menu_id = 'menu-' . $ptype_for_id . 's';
	} else {
		$ptype_menu_id = 'menu-posts-' . $ptype_for_id;
	}
	/*
	 * If $ptype_menu_position is already populated or will be populated
	 * by a hard-coded value below, increment the position.
	 */
	$core_menu_positions = array(59, 60, 65, 70, 75, 80, 85, 99);
	while ( isset($menu[$ptype_menu_position]) || in_array($ptype_menu_position, $core_menu_positions) )
		$ptype_menu_position++;

	$menu[$ptype_menu_position] = array( esc_attr( $ptype_obj->labels->menu_name ), $ptype_obj->cap->edit_posts, $ptype_file, '', $menu_class, $ptype_menu_id, $menu_icon );
	$submenu[ $ptype_file ][5]  = array( $ptype_obj->labels->all_items, $ptype_obj->cap->edit_posts,  $ptype_file );
	$submenu[ $ptype_file ][10]  = array( $ptype_obj->labels->add_new, $ptype_obj->cap->create_posts, $post_new_file );

	$i = 15;
	foreach ( get_taxonomies( array(), 'objects' ) as $tax ) {
		if ( ! $tax->show_ui || ! $tax->show_in_menu || ! in_array($ptype, (array) $tax->object_type, true) )
			continue;

		$submenu[ $ptype_file ][$i++] = array( esc_attr( $tax->labels->menu_name ), $tax->cap->manage_terms, sprintf( $edit_tags_file, $tax->name ) );
	}
}
unset( $ptype, $ptype_obj, $ptype_for_id, $ptype_menu_position, $menu_icon, $i, $tax, $post_new_file );

$menu[59] = array( '', 'read', 'separator2', '', 'wp-menu-separator' );

$appearance_cap = current_user_can( 'switch_themes') ? 'switch_themes' : 'edit_theme_options';

$menu[60] = array( __( 'Appearance' ), $appearance_cap, 'themes.php', '', 'menu-top menu-icon-appearance', 'menu-appearance', 'dashicons-admin-appearance' );
	$submenu['themes.php'][5] = array( __( 'Themes' ), $appearance_cap, 'themes.php' );

	$customize_url = add_query_arg( 'return', urlencode( remove_query_arg( wp_removable_query_args(), wp_unslash( $_SERVER['REQUEST_URI'] ) ) ), 'customize.php' );
Scrutinizer issue raised on the line above (the one remaining issue in this file):

It seems like wp_unslash($_SERVER['REQUEST_URI']) targeting wp_unslash() can also be of type array; however, remove_query_arg() only seems to accept boolean|string, maybe add an additional type check?

This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble.
	$submenu['themes.php'][6] = array( __( 'Customize' ), 'customize', esc_url( $customize_url ), '', 'hide-if-no-customize' );

	if ( current_theme_supports( 'menus' ) || current_theme_supports( 'widgets' ) ) {
		$submenu['themes.php'][10] = array( __( 'Menus' ), 'edit_theme_options', 'nav-menus.php' );
	}

	if ( current_theme_supports( 'custom-header' ) && current_user_can( 'customize') ) {
		$customize_header_url = add_query_arg( array( 'autofocus' => array( 'control' => 'header_image' ) ), $customize_url );
		$submenu['themes.php'][15] = array( __( 'Header' ), $appearance_cap, esc_url( $customize_header_url ), '', 'hide-if-no-customize' );
	}

	if ( current_theme_supports( 'custom-background' ) && current_user_can( 'customize') ) {
		$customize_background_url = add_query_arg( array( 'autofocus' => array( 'control' => 'background_image' ) ), $customize_url );
		$submenu['themes.php'][20] = array( __( 'Background' ), $appearance_cap, esc_url( $customize_background_url ), '', 'hide-if-no-customize' );
	}

	unset( $customize_url );

unset( $appearance_cap );

// Add 'Editor' to the bottom of the Appearance menu.
if ( ! is_multisite() ) {
	add_action('admin_menu', '_add_themes_utility_last', 101);
}
/**
 * Adds the (theme) 'Editor' link to the bottom of the Appearance menu.
 *
 * @access private
 * @since 3.0.0
 */
function _add_themes_utility_last() {
	// Must use API on the admin_menu hook, direct modification is only possible on/before the _admin_menu hook
	add_submenu_page('themes.php', _x('Editor', 'theme editor'), _x('Editor', 'theme editor'), 'edit_themes', 'theme-editor.php');
}

$count = '';
if ( ! is_multisite() && current_user_can( 'update_plugins' ) ) {
	if ( ! isset( $update_data ) )
		$update_data = wp_get_update_data();
	$count = "<span class='update-plugins count-{$update_data['counts']['plugins']}'><span class='plugin-count'>" . number_format_i18n($update_data['counts']['plugins']) . "</span></span>";
}

$menu[65] = array( sprintf( __('Plugins %s'), $count ), 'activate_plugins', 'plugins.php', '', 'menu-top menu-icon-plugins', 'menu-plugins', 'dashicons-admin-plugins' );

$submenu['plugins.php'][5]  = array( __('Installed Plugins'), 'activate_plugins', 'plugins.php' );

	if ( ! is_multisite() ) {
		/* translators: add new plugin */
		$submenu['plugins.php'][10] = array( _x('Add New', 'plugin'), 'install_plugins', 'plugin-install.php' );
		$submenu['plugins.php'][15] = array( _x('Editor', 'plugin editor'), 'edit_plugins', 'plugin-editor.php' );
	}

unset( $update_data );

if ( current_user_can('list_users') )
	$menu[70] = array( __('Users'), 'list_users', 'users.php', '', 'menu-top menu-icon-users', 'menu-users', 'dashicons-admin-users' );
else
	$menu[70] = array( __('Profile'), 'read', 'profile.php', '', 'menu-top menu-icon-users', 'menu-users', 'dashicons-admin-users' );

if ( current_user_can('list_users') ) {
	$_wp_real_parent_file['profile.php'] = 'users.php'; // Back-compat for plugins adding submenus to profile.php.
	$submenu['users.php'][5] = array(__('All Users'), 'list_users', 'users.php');
	if ( current_user_can( 'create_users' ) ) {
		$submenu['users.php'][10] = array(_x('Add New', 'user'), 'create_users', 'user-new.php');
	} elseif ( is_multisite() ) {
		$submenu['users.php'][10] = array(_x('Add New', 'user'), 'promote_users', 'user-new.php');
	}

	$submenu['users.php'][15] = array(__('Your Profile'), 'read', 'profile.php');
} else {
	$_wp_real_parent_file['users.php'] = 'profile.php';
	$submenu['profile.php'][5] = array(__('Your Profile'), 'read', 'profile.php');
	if ( current_user_can( 'create_users' ) ) {
		$submenu['profile.php'][10] = array(__('Add New User'), 'create_users', 'user-new.php');
	} elseif ( is_multisite() ) {
		$submenu['profile.php'][10] = array(__('Add New User'), 'promote_users', 'user-new.php');
	}
}

$menu[75] = array( __('Tools'), 'edit_posts', 'tools.php', '', 'menu-top menu-icon-tools', 'menu-tools', 'dashicons-admin-tools' );
	$submenu['tools.php'][5] = array( __('Available Tools'), 'edit_posts', 'tools.php' );
	$submenu['tools.php'][10] = array( __('Import'), 'import', 'import.php' );
	$submenu['tools.php'][15] = array( __('Export'), 'export', 'export.php' );
	if ( is_multisite() && !is_main_site() )
		$submenu['tools.php'][25] = array( __('Delete Site'), 'delete_site', 'ms-delete-site.php' );
	if ( ! is_multisite() && defined('WP_ALLOW_MULTISITE') && WP_ALLOW_MULTISITE )
		$submenu['tools.php'][50] = array(__('Network Setup'), 'setup_network', 'network.php');

$menu[80] = array( __('Settings'), 'manage_options', 'options-general.php', '', 'menu-top menu-icon-settings', 'menu-settings', 'dashicons-admin-settings' );
	$submenu['options-general.php'][10] = array(_x('General', 'settings screen'), 'manage_options', 'options-general.php');
	$submenu['options-general.php'][15] = array(__('Writing'), 'manage_options', 'options-writing.php');
	$submenu['options-general.php'][20] = array(__('Reading'), 'manage_options', 'options-reading.php');
	$submenu['options-general.php'][25] = array(__('Discussion'), 'manage_options', 'options-discussion.php');
	$submenu['options-general.php'][30] = array(__('Media'), 'manage_options', 'options-media.php');
	$submenu['options-general.php'][40] = array(__('Permalinks'), 'manage_options', 'options-permalink.php');

$_wp_last_utility_menu = 80; // The index of the last top-level menu in the utility menu group

$menu[99] = array( '', 'read', 'separator-last', '', 'wp-menu-separator' );

// Back-compat for old top-levels
$_wp_real_parent_file['post.php'] = 'edit.php';
$_wp_real_parent_file['post-new.php'] = 'edit.php';
$_wp_real_parent_file['edit-pages.php'] = 'edit.php?post_type=page';
$_wp_real_parent_file['page-new.php'] = 'edit.php?post_type=page';
$_wp_real_parent_file['wpmu-admin.php'] = 'tools.php';
$_wp_real_parent_file['ms-admin.php'] = 'tools.php';

// Ensure backward compatibility.
$compat = array(
	'index' => 'dashboard',
	'edit' => 'posts',
	'post' => 'posts',
	'upload' => 'media',
	'link-manager' => 'links',
	'edit-pages' => 'pages',
	'page' => 'pages',
	'edit-comments' => 'comments',
	'options-general' => 'settings',
	'themes' => 'appearance',
	);

require_once(ABSPATH . 'wp-admin/includes/menu.php');