Security Analysis (not enabled)

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that they should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements, potentially granting permission to run unauthorized queries, or to modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

src/wp-admin/theme-install.php (1 issue)


<?php
/**
 * Install theme administration panel.
 *
 * @package WordPress
 * @subpackage Administration
 */

/** WordPress Administration Bootstrap */
require_once( dirname( __FILE__ ) . '/admin.php' );
require( ABSPATH . 'wp-admin/includes/theme-install.php' );

wp_reset_vars( array( 'tab' ) );

if ( ! current_user_can('install_themes') )
	wp_die( __( 'Sorry, you are not allowed to install themes on this site.' ) );

if ( is_multisite() && ! is_network_admin() ) {
	wp_redirect( network_admin_url( 'theme-install.php' ) );
	exit();
}

$title = __( 'Add Themes' );
$parent_file = 'themes.php';

if ( ! is_network_admin() ) {
	$submenu_file = 'themes.php';
}

$installed_themes = search_theme_directories();

if ( false === $installed_themes ) {
	$installed_themes = array();
}

foreach ( $installed_themes as $k => $v ) {
	if ( false !== strpos( $k, '/' ) ) {
		unset( $installed_themes[ $k ] );
	}
}

wp_localize_script( 'theme', '_wpThemeSettings', array(
	'themes'   => false,
	'settings' => array(
		'isInstall'  => true,
		'canInstall' => current_user_can( 'install_themes' ),
		'installURI' => current_user_can( 'install_themes' ) ? self_admin_url( 'theme-install.php' ) : null,
		'adminUrl'   => parse_url( self_admin_url(), PHP_URL_PATH )
	),
	'l10n' => array(
		'addNew'              => __( 'Add New Theme' ),
		'search'              => __( 'Search Themes' ),
		'searchPlaceholder'   => __( 'Search themes...' ), // placeholder (no ellipsis)
		'upload'              => __( 'Upload Theme' ),
		'back'                => __( 'Back' ),
		'error'               => sprintf(
			/* translators: %s: support forums URL */
			__( 'An unexpected error occurred. Something may be wrong with WordPress.org or this server&#8217;s configuration. If you continue to have problems, please try the <a href="%s">support forums</a>.' ),
			__( 'https://wordpress.org/support/' )
		),
		'themesFound'         => __( 'Number of Themes found: %d' ),
		'noThemesFound'       => __( 'No themes found. Try a different search.' ),
		'collapseSidebar'     => __( 'Collapse Sidebar' ),
		'expandSidebar'       => __( 'Expand Sidebar' ),
		/* translators: accessibility text */
		'selectFeatureFilter' => __( 'Select one or more Theme features to filter by' ),
	),
	'installedThemes' => array_keys( $installed_themes ),
) );

wp_enqueue_script( 'theme' );
wp_enqueue_script( 'updates' );

if ( $tab ) {
	/**
	 * Fires before each of the tabs are rendered on the Install Themes page.
	 *
	 * The dynamic portion of the hook name, `$tab`, refers to the current
	 * theme install tab. Possible values are 'dashboard', 'search', 'upload',
	 * 'featured', 'new', or 'updated'.
	 *
	 * @since 2.8.0
	 */
	do_action( "install_themes_pre_{$tab}" );
}

$help_overview =
	'<p>' . sprintf(
			/* translators: %s: Theme Directory URL */
			__( 'You can find additional themes for your site by using the Theme Browser/Installer on this screen, which will display themes from the <a href="%s">WordPress Theme Directory</a>. These themes are designed and developed by third parties, are available free of charge, and are compatible with the license WordPress uses.' ),
			__( 'https://wordpress.org/themes/' )
		) . '</p>' .
	'<p>' . __( 'You can Search for themes by keyword, author, or tag, or can get more specific and search by criteria listed in the feature filter.' ) . ' <span id="live-search-desc">' . __( 'The search results will be updated as you type.' ) . '</span></p>' .
	'<p>' . __( 'Alternately, you can browse the themes that are Featured, Popular, or Latest. When you find a theme you like, you can preview it or install it.' ) . '</p>' .
	'<p>' . sprintf(
			/* translators: %s: /wp-content/themes */
			__( 'You can Upload a theme manually if you have already downloaded its ZIP archive onto your computer (make sure it is from a trusted and original source). You can also do it the old-fashioned way and copy a downloaded theme&#8217;s folder via FTP into your %s directory.' ),
			'<code>/wp-content/themes</code>'
		) . '</p>';

get_current_screen()->add_help_tab( array(
	'id'      => 'overview',
	'title'   => __('Overview'),
	'content' => $help_overview
) );

$help_installing =
	'<p>' . __('Once you have generated a list of themes, you can preview and install any of them. Click on the thumbnail of the theme you&#8217;re interested in previewing. It will open up in a full-screen Preview page to give you a better idea of how that theme will look.') . '</p>' .
	'<p>' . __('To install the theme so you can preview it with your site&#8217;s content and customize its theme options, click the "Install" button at the top of the left-hand pane. The theme files will be downloaded to your website automatically. When this is complete, the theme is now available for activation, which you can do by clicking the "Activate" link, or by navigating to your Manage Themes screen and clicking the "Live Preview" link under any installed theme&#8217;s thumbnail image.') . '</p>';

get_current_screen()->add_help_tab( array(
	'id'      => 'installing',
	'title'   => __('Previewing and Installing'),
	'content' => $help_installing
) );

get_current_screen()->set_help_sidebar(
	'<p><strong>' . __('For more information:') . '</strong></p>' .
	'<p>' . __('<a href="https://codex.wordpress.org/Using_Themes#Adding_New_Themes">Documentation on Adding New Themes</a>') . '</p>' .
	'<p>' . __('<a href="https://wordpress.org/support/">Support Forums</a>') . '</p>'
);

include(ABSPATH . 'wp-admin/admin-header.php');

?>
<div class="wrap">
	<h1 class="wp-heading-inline"><?php echo esc_html( $title ); ?></h1>

	<?php

	/**
	 * Filters the tabs shown on the Add Themes screen.
	 *
	 * This filter is for backward compatibility only, for the suppression of the upload tab.
	 *
	 * @since 2.8.0
	 *
	 * @param array $tabs The tabs shown on the Add Themes screen. Default is 'upload'.
	 */
	$tabs = apply_filters( 'install_themes_tabs', array( 'upload' => __( 'Upload Theme' ) ) );
	if ( ! empty( $tabs['upload'] ) && current_user_can( 'upload_themes' ) ) {
		echo ' <button type="button" class="upload-view-toggle page-title-action hide-if-no-js" aria-expanded="false">' . __( 'Upload Theme' ) . '</button>';
	}
	?>

	<hr class="wp-header-end">

	<div class="error hide-if-js">
		<p><?php _e( 'The Theme Installer screen requires JavaScript.' ); ?></p>
	</div>

	<div class="upload-theme">
	<?php install_themes_upload(); ?>
	</div>

	<h2 class="screen-reader-text hide-if-no-js"><?php _e( 'Filter themes list' ); ?></h2>

	<div class="wp-filter hide-if-no-js">
		<div class="filter-count">
			<span class="count theme-count"></span>
		</div>

		<ul class="filter-links">
			<li><a href="#" data-sort="featured"><?php _ex( 'Featured', 'themes' ); ?></a></li>
			<li><a href="#" data-sort="popular"><?php _ex( 'Popular', 'themes' ); ?></a></li>
			<li><a href="#" data-sort="new"><?php _ex( 'Latest', 'themes' ); ?></a></li>
			<li><a href="#" data-sort="favorites"><?php _ex( 'Favorites', 'themes' ); ?></a></li>
		</ul>

		<button type="button" class="button drawer-toggle" aria-expanded="false"><?php _e( 'Feature Filter' ); ?></button>

		<form class="search-form"></form>

		<div class="favorites-form">
			<?php
			$action = 'save_wporg_username_' . get_current_user_id();
			if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), $action ) ) {
Issue flagged by the analysis on the wp_verify_nonce() call directly above: the value wp_unslash( $_GET['_wpnonce'] ) can also be of type array (wp_unslash() passes arrays through), whereas wp_verify_nonce() only seems to accept a string, so consider adding an additional type check. This check looks at variables that are passed on to other methods: if the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble.
				$user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
				update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
			} else {
				$user = get_user_option( 'wporg_favorites' );
			}
			?>
			<p class="install-help"><?php _e( 'If you have marked themes as favorites on WordPress.org, you can browse them here.' ); ?></p>

			<p>
				<label for="wporg-username-input"><?php _e( 'Your WordPress.org username:' ); ?></label>
				<input type="hidden" id="wporg-username-nonce" name="_wpnonce" value="<?php echo esc_attr( wp_create_nonce( $action ) ); ?>" />
				<input type="search" id="wporg-username-input" value="<?php echo esc_attr( $user ); ?>" />
				<input type="button" class="button favorites-form-submit" value="<?php esc_attr_e( 'Get Favorites' ); ?>" />
			</p>
		</div>

		<div class="filter-drawer">
			<div class="buttons">
				<button type="button" class="apply-filters button"><?php _e( 'Apply Filters' ); ?><span></span></button>
				<button type="button" class="clear-filters button" aria-label="<?php esc_attr_e( 'Clear current filters' ); ?>"><?php _e( 'Clear' ); ?></button>
			</div>
		<?php
		$feature_list = get_theme_feature_list();
		foreach ( $feature_list as $feature_name => $features ) {
			echo '<fieldset class="filter-group">';
			$feature_name = esc_html( $feature_name );
			echo '<legend>' . $feature_name . '</legend>';
			echo '<div class="filter-group-feature">';
			foreach ( $features as $feature => $feature_name ) {
				$feature = esc_attr( $feature );
				echo '<input type="checkbox" id="filter-id-' . $feature . '" value="' . $feature . '" /> ';
				echo '<label for="filter-id-' . $feature . '">' . $feature_name . '</label><br>';
			}
			echo '</div>';
			echo '</fieldset>';
		}
		?>
			<div class="buttons">
				<button type="button" class="apply-filters button"><?php _e( 'Apply Filters' ); ?><span></span></button>
				<button type="button" class="clear-filters button" aria-label="<?php esc_attr_e( 'Clear current filters' ); ?>"><?php _e( 'Clear' ); ?></button>
			</div>
			<div class="filtered-by">
				<span><?php _e( 'Filtering by:' ); ?></span>
				<div class="tags"></div>
				<button type="button" class="button-link edit-filters"><?php _e( 'Edit Filters' ); ?></button>
			</div>
		</div>
	</div>
	<h2 class="screen-reader-text hide-if-no-js"><?php _e( 'Themes list' ); ?></h2>
	<div class="theme-browser content-filterable"></div>
	<div class="theme-install-overlay wp-full-overlay expanded"></div>

	<p class="no-themes"><?php _e( 'No themes found. Try a different search.' ); ?></p>
	<span class="spinner"></span>

<?php
if ( $tab ) {
	/**
	 * Fires at the top of each of the tabs on the Install Themes page.
	 *
	 * The dynamic portion of the hook name, `$tab`, refers to the current
	 * theme install tab. Possible values are 'dashboard', 'search', 'upload',
	 * 'featured', 'new', or 'updated'.
	 *
	 * @since 2.8.0
	 *
	 * @param int $paged Number of the current page of results being viewed.
	 */
	do_action( "install_themes_{$tab}", $paged );
}
?>
</div>

<script id="tmpl-theme" type="text/template">
	<# if ( data.screenshot_url ) { #>
		<div class="theme-screenshot">
			<img src="{{ data.screenshot_url }}" alt="" />
		</div>
	<# } else { #>
		<div class="theme-screenshot blank"></div>
	<# } #>
	<span class="more-details"><?php _ex( 'Details &amp; Preview', 'theme' ); ?></span>
	<div class="theme-author">
		<?php
		/* translators: %s: Theme author name */
		printf( __( 'By %s' ), '{{ data.author }}' );
		?>
	</div>
	<h3 class="theme-name">{{ data.name }}</h3>

	<div class="theme-actions">
		<# if ( data.installed ) { #>
			<?php
			/* translators: %s: Theme name */
			$aria_label = sprintf( _x( 'Activate %s', 'theme' ), '{{ data.name }}' );
			?>
			<# if ( data.activate_url ) { #>
				<a class="button button-primary activate" href="{{ data.activate_url }}" aria-label="<?php echo esc_attr( $aria_label ); ?>"><?php _e( 'Activate' ); ?></a>
			<# } #>
			<# if ( data.customize_url ) { #>
				<a class="button load-customize" href="{{ data.customize_url }}"><?php _e( 'Live Preview' ); ?></a>
			<# } else { #>
				<button class="button preview install-theme-preview"><?php _e( 'Preview' ); ?></button>
			<# } #>
		<# } else { #>
			<?php
			/* translators: %s: Theme name */
			$aria_label = sprintf( __( 'Install %s' ), '{{ data.name }}' );
			?>
			<a class="button button-primary theme-install" data-name="{{ data.name }}" data-slug="{{ data.id }}" href="{{ data.install_url }}" aria-label="<?php echo esc_attr( $aria_label ); ?>"><?php _e( 'Install' ); ?></a>
			<button class="button preview install-theme-preview"><?php _e( 'Preview' ); ?></button>
		<# } #>
	</div>

	<# if ( data.installed ) { #>
		<div class="notice notice-success notice-alt"><p><?php _ex( 'Installed', 'theme' ); ?></p></div>
	<# } #>
</script>

<script id="tmpl-theme-preview" type="text/template">
	<div class="wp-full-overlay-sidebar">
		<div class="wp-full-overlay-header">
			<button class="close-full-overlay"><span class="screen-reader-text"><?php _e( 'Close' ); ?></span></button>
			<button class="previous-theme"><span class="screen-reader-text"><?php _ex( 'Previous', 'Button label for a theme' ); ?></span></button>
			<button class="next-theme"><span class="screen-reader-text"><?php _ex( 'Next', 'Button label for a theme' ); ?></span></button>
			<# if ( data.installed ) { #>
				<a class="button button-primary activate" href="{{ data.activate_url }}"><?php _e( 'Activate' ); ?></a>
			<# } else { #>
				<a href="{{ data.install_url }}" class="button button-primary theme-install" data-name="{{ data.name }}" data-slug="{{ data.id }}"><?php _e( 'Install' ); ?></a>
			<# } #>
		</div>
		<div class="wp-full-overlay-sidebar-content">
			<div class="install-theme-info">
				<h3 class="theme-name">{{ data.name }}</h3>
					<span class="theme-by">
						<?php
						/* translators: %s: Theme author name */
						printf( __( 'By %s' ), '{{ data.author }}' );
						?>
					</span>

					<img class="theme-screenshot" src="{{ data.screenshot_url }}" alt="" />

					<div class="theme-details">
						<# if ( data.rating ) { #>
							<div class="theme-rating">
								{{{ data.stars }}}
								<span class="num-ratings">({{ data.num_ratings }})</span>
							</div>
						<# } else { #>
							<span class="no-rating"><?php _e( 'This theme has not been rated yet.' ); ?></span>
						<# } #>
						<div class="theme-version">
							<?php
							/* translators: %s: Theme version */
							printf( __( 'Version: %s' ), '{{ data.version }}' );
							?>
						</div>
						<div class="theme-description">{{{ data.description }}}</div>
					</div>
				</div>
			</div>
			<div class="wp-full-overlay-footer">
				<button type="button" class="collapse-sidebar button" aria-expanded="true" aria-label="<?php esc_attr_e( 'Collapse Sidebar' ); ?>">
					<span class="collapse-sidebar-arrow"></span>
					<span class="collapse-sidebar-label"><?php _e( 'Collapse' ); ?></span>
				</button>
			</div>
		</div>
		<div class="wp-full-overlay-main">
		<iframe src="{{ data.preview_url }}" title="<?php esc_attr_e( 'Preview' ); ?>"></iframe>
	</div>
</script>

<?php
wp_print_request_filesystem_credentials_modal();
wp_print_admin_notice_templates();

include(ABSPATH . 'wp-admin/admin-footer.php');