Issues (2010)

Security Analysis: not enabled

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web-server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify the parts of an XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

wp-admin/theme-install.php (2 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

<?php
/**
 * Install theme administration panel.
 *
 * @package WordPress
 * @subpackage Administration
 */

/** WordPress Administration Bootstrap */
require_once( dirname( __FILE__ ) . '/admin.php' );
require( ABSPATH . 'wp-admin/includes/theme-install.php' );

wp_reset_vars( array( 'tab' ) );

if ( ! current_user_can('install_themes') )
	wp_die( __( 'Sorry, you are not allowed to install themes on this site.' ) );

if ( is_multisite() && ! is_network_admin() ) {
	wp_redirect( network_admin_url( 'theme-install.php' ) );
	exit();
}

$title = __( 'Add Themes' );
$parent_file = 'themes.php';

if ( ! is_network_admin() ) {
	$submenu_file = 'themes.php';
}

$installed_themes = search_theme_directories();
foreach ( $installed_themes as $k => $v ) {

Issue: The expression $installed_themes of type false|array is not guaranteed to be traversable. How about adding an additional type check?

There are different options of fixing this problem.

  1. If you want to be on the safe side, you can add an additional type-check:

    $collection = json_decode($data, true);
    if ( ! is_array($collection)) {
        throw new \RuntimeException('$collection must be an array.');
    }
    
    foreach ($collection as $item) { /** ... */ }
    
  2. If you are sure that the expression is traversable, you might want to add a doc comment cast to improve IDE auto-completion and static analysis:

    /** @var array $collection */
    $collection = json_decode($data, true);
    
    foreach ($collection as $item) { /** .. */ }
    

	if ( false !== strpos( $k, '/' ) ) {
		unset( $installed_themes[ $k ] );
	}
}

wp_localize_script( 'theme', '_wpThemeSettings', array(
	'themes'   => false,
	'settings' => array(
		'isInstall'     => true,
		'canInstall'    => current_user_can( 'install_themes' ),
		'installURI'    => current_user_can( 'install_themes' ) ? self_admin_url( 'theme-install.php' ) : null,
		'adminUrl'      => parse_url( self_admin_url(), PHP_URL_PATH )
	),
	'l10n' => array(
		'addNew' => __( 'Add New Theme' ),
		'search' => __( 'Search Themes' ),
		'searchPlaceholder' => __( 'Search themes...' ), // placeholder (no ellipsis)
		'upload' => __( 'Upload Theme' ),
		'back'   => __( 'Back' ),
		'error'  => __( 'An unexpected error occurred. Something may be wrong with WordPress.org or this server&#8217;s configuration. If you continue to have problems, please try the <a href="https://wordpress.org/support/">support forums</a>.' ),
		'themesFound'   => __( 'Number of Themes found: %d' ),
		'noThemesFound' => __( 'No themes found. Try a different search.' ),
		'collapseSidebar'    => __( 'Collapse Sidebar' ),
		'expandSidebar'      => __( 'Expand Sidebar' ),
	),
	'installedThemes' => array_keys( $installed_themes ),
) );

wp_enqueue_script( 'theme' );
wp_enqueue_script( 'updates' );

if ( $tab ) {
	/**
	 * Fires before each of the tabs are rendered on the Install Themes page.
	 *
	 * The dynamic portion of the hook name, `$tab`, refers to the current
	 * theme install tab. Possible values are 'dashboard', 'search', 'upload',
	 * 'featured', 'new', or 'updated'.
	 *
	 * @since 2.8.0
	 */
	do_action( "install_themes_pre_{$tab}" );
}

$help_overview =
	'<p>' . sprintf(
			/* translators: %s: Theme Directory URL */
			__( 'You can find additional themes for your site by using the Theme Browser/Installer on this screen, which will display themes from the <a href="%s" target="_blank">WordPress Theme Directory</a>. These themes are designed and developed by third parties, are available free of charge, and are compatible with the license WordPress uses.' ),
			__( 'https://wordpress.org/themes/' )
		) . '</p>' .
	'<p>' . __( 'You can Search for themes by keyword, author, or tag, or can get more specific and search by criteria listed in the feature filter.' ) . ' <span id="live-search-desc">' . __( 'The search results will be updated as you type.' ) . '</span></p>' .
	'<p>' . __( 'Alternately, you can browse the themes that are Featured, Popular, or Latest. When you find a theme you like, you can preview it or install it.' ) . '</p>' .
	'<p>' . sprintf(
			/* translators: %s: /wp-content/themes */
			__( 'You can Upload a theme manually if you have already downloaded its ZIP archive onto your computer (make sure it is from a trusted and original source). You can also do it the old-fashioned way and copy a downloaded theme&#8217;s folder via FTP into your %s directory.' ),
			'<code>/wp-content/themes</code>'
		) . '</p>';

get_current_screen()->add_help_tab( array(
	'id'      => 'overview',
	'title'   => __('Overview'),
	'content' => $help_overview
) );

$help_installing =
	'<p>' . __('Once you have generated a list of themes, you can preview and install any of them. Click on the thumbnail of the theme you&#8217;re interested in previewing. It will open up in a full-screen Preview page to give you a better idea of how that theme will look.') . '</p>' .
	'<p>' . __('To install the theme so you can preview it with your site&#8217;s content and customize its theme options, click the "Install" button at the top of the left-hand pane. The theme files will be downloaded to your website automatically. When this is complete, the theme is now available for activation, which you can do by clicking the "Activate" link, or by navigating to your Manage Themes screen and clicking the "Live Preview" link under any installed theme&#8217;s thumbnail image.') . '</p>';

get_current_screen()->add_help_tab( array(
	'id'      => 'installing',
	'title'   => __('Previewing and Installing'),
	'content' => $help_installing
) );

get_current_screen()->set_help_sidebar(
	'<p><strong>' . __('For more information:') . '</strong></p>' .
	'<p>' . __('<a href="https://codex.wordpress.org/Using_Themes#Adding_New_Themes" target="_blank">Documentation on Adding New Themes</a>') . '</p>' .
	'<p>' . __('<a href="https://wordpress.org/support/" target="_blank">Support Forums</a>') . '</p>'
);

include(ABSPATH . 'wp-admin/admin-header.php');

?>
<div class="wrap">
	<h1><?php
	echo esc_html( $title );

	/**
	 * Filters the tabs shown on the Add Themes screen.
	 *
	 * This filter is for backward compatibility only, for the suppression of the upload tab.
	 *
	 * @since 2.8.0
	 *
	 * @param array $tabs The tabs shown on the Add Themes screen. Default is 'upload'.
	 */
	$tabs = apply_filters( 'install_themes_tabs', array( 'upload' => __( 'Upload Theme' ) ) );
	if ( ! empty( $tabs['upload'] ) && current_user_can( 'upload_themes' ) ) {
		echo ' <button type="button" class="upload-view-toggle page-title-action hide-if-no-js" aria-expanded="false">' . __( 'Upload Theme' ) . '</button>';
	}
	?></h1>
	<div class="error hide-if-js">
		<p><?php _e( 'The Theme Installer screen requires JavaScript.' ); ?></p>
	</div>

	<div class="upload-theme">
	<?php install_themes_upload(); ?>
	</div>

	<h2 class="screen-reader-text hide-if-no-js"><?php _e( 'Filter themes list' ); ?></h2>

	<div class="wp-filter hide-if-no-js">
		<div class="filter-count">
			<span class="count theme-count"></span>
		</div>

		<ul class="filter-links">
			<li><a href="#" data-sort="featured"><?php _ex( 'Featured', 'themes' ); ?></a></li>
			<li><a href="#" data-sort="popular"><?php _ex( 'Popular', 'themes' ); ?></a></li>
			<li><a href="#" data-sort="new"><?php _ex( 'Latest', 'themes' ); ?></a></li>
			<li><a href="#" data-sort="favorites"><?php _ex( 'Favorites', 'themes' ); ?></a></li>
		</ul>

		<a class="drawer-toggle" href="#"><?php _e( 'Feature Filter' ); ?></a>

		<div class="search-form"></div>

		<div class="favorites-form">
			<?php
			$action = 'save_wporg_username_' . get_current_user_id();
			if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), $action ) ) {

Issue: It seems like wp_unslash($_GET['_wpnonce']) targeting wp_unslash() can also be of type array; however, wp_verify_nonce() only seems to accept a string. Maybe add an additional type check?

This check looks at variables that are passed out again to other methods.

If the outgoing method call has stricter type requirements than the method itself, an issue is raised.

An additional type check may prevent trouble.

				$user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
				update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
			} else {
				$user = get_user_option( 'wporg_favorites' );
			}
			?>
			<p class="install-help"><?php _e( 'If you have marked themes as favorites on WordPress.org, you can browse them here.' ); ?></p>

			<p>
				<label for="wporg-username-input"><?php _e( 'Your WordPress.org username:' ); ?></label>
				<input type="hidden" id="wporg-username-nonce" name="_wpnonce" value="<?php echo esc_attr( wp_create_nonce( $action ) ); ?>" />
				<input type="search" id="wporg-username-input" value="<?php echo esc_attr( $user ); ?>" />
				<input type="button" class="button button-secondary favorites-form-submit" value="<?php esc_attr_e( 'Get Favorites' ); ?>" />
			</p>
		</div>

		<div class="filter-drawer">
			<div class="buttons">
				<a class="apply-filters button button-secondary" href="#"><?php _e( 'Apply Filters' ); ?><span></span></a>
				<a class="clear-filters button button-secondary" href="#"><?php _e( 'Clear' ); ?></a>
			</div>
		<?php
		$feature_list = get_theme_feature_list();
		foreach ( $feature_list as $feature_name => $features ) {
			echo '<fieldset class="filter-group">';
			$feature_name = esc_html( $feature_name );
			echo '<legend>' . $feature_name . '</legend>';
			echo '<div class="filter-group-feature">';
			foreach ( $features as $feature => $feature_name ) {
				$feature = esc_attr( $feature );
				echo '<input type="checkbox" id="filter-id-' . $feature . '" value="' . $feature . '" /> ';
				echo '<label for="filter-id-' . $feature . '">' . $feature_name . '</label><br>';
			}
			echo '</div>';
			echo '</fieldset>';
		}
		?>
			<div class="filtered-by">
				<span><?php _e( 'Filtering by:' ); ?></span>
				<div class="tags"></div>
				<a href="#"><?php _e( 'Edit' ); ?></a>
			</div>
		</div>
	</div>
	<h2 class="screen-reader-text hide-if-no-js"><?php _e( 'Themes list' ); ?></h2>
	<div class="theme-browser content-filterable"></div>
	<div class="theme-install-overlay wp-full-overlay expanded"></div>

	<p class="no-themes"><?php _e( 'No themes found. Try a different search.' ); ?></p>
	<span class="spinner"></span>

<?php
if ( $tab ) {
	/**
	 * Fires at the top of each of the tabs on the Install Themes page.
	 *
	 * The dynamic portion of the hook name, `$tab`, refers to the current
	 * theme install tab. Possible values are 'dashboard', 'search', 'upload',
	 * 'featured', 'new', or 'updated'.
	 *
	 * @since 2.8.0
	 *
	 * @param int $paged Number of the current page of results being viewed.
	 */
	do_action( "install_themes_{$tab}", $paged );
}
?>
</div>

<script id="tmpl-theme" type="text/template">
	<# if ( data.screenshot_url ) { #>
		<div class="theme-screenshot">
			<img src="{{ data.screenshot_url }}" alt="" />
		</div>
	<# } else { #>
		<div class="theme-screenshot blank"></div>
	<# } #>
	<span class="more-details"><?php _ex( 'Details &amp; Preview', 'theme' ); ?></span>
	<div class="theme-author">
		<?php
		/* translators: %s: Theme author name */
		printf( __( 'By %s' ), '{{ data.author }}' );
		?>
	</div>
	<h3 class="theme-name">{{ data.name }}</h3>

	<div class="theme-actions">
		<# if ( data.installed ) { #>
			<?php
			/* translators: %s: Theme name */
			$aria_label = sprintf( _x( 'Activate %s', 'theme' ), '{{ data.name }}' );
			?>
			<# if ( data.activate_url ) { #>
				<a class="button button-primary activate" href="{{ data.activate_url }}" aria-label="<?php echo esc_attr( $aria_label ); ?>"><?php _e( 'Activate' ); ?></a>
			<# } #>
			<# if ( data.customize_url ) { #>
				<a class="button button-secondary load-customize" href="{{ data.customize_url }}"><?php _e( 'Live Preview' ); ?></a>
			<# } else { #>
				<button class="button-secondary preview install-theme-preview"><?php _e( 'Preview' ); ?></button>
			<# } #>
		<# } else { #>
			<?php
			/* translators: %s: Theme name */
			$aria_label = sprintf( __( 'Install %s' ), '{{ data.name }}' );
			?>
			<a class="button button-primary theme-install" data-name="{{ data.name }}" data-slug="{{ data.id }}" href="{{ data.install_url }}" aria-label="<?php echo esc_attr( $aria_label ); ?>"><?php _e( 'Install' ); ?></a>
			<button class="button-secondary preview install-theme-preview"><?php _e( 'Preview' ); ?></button>
		<# } #>
	</div>

	<# if ( data.installed ) { #>
		<div class="notice notice-success notice-alt"><p><?php _ex( 'Installed', 'theme' ); ?></p></div>
	<# } #>
</script>

<script id="tmpl-theme-preview" type="text/template">
	<div class="wp-full-overlay-sidebar">
		<div class="wp-full-overlay-header">
			<button class="close-full-overlay"><span class="screen-reader-text"><?php _e( 'Close' ); ?></span></button>
			<button class="previous-theme"><span class="screen-reader-text"><?php _ex( 'Previous', 'Button label for a theme' ); ?></span></button>
			<button class="next-theme"><span class="screen-reader-text"><?php _ex( 'Next', 'Button label for a theme' ); ?></span></button>
			<# if ( data.installed ) { #>
				<a class="button button-primary activate" href="{{ data.activate_url }}"><?php _e( 'Activate' ); ?></a>
			<# } else { #>
				<a href="{{ data.install_url }}" class="button button-primary theme-install" data-name="{{ data.name }}" data-slug="{{ data.id }}"><?php _e( 'Install' ); ?></a>
			<# } #>
		</div>
		<div class="wp-full-overlay-sidebar-content">
			<div class="install-theme-info">
				<h3 class="theme-name">{{ data.name }}</h3>
					<span class="theme-by">
						<?php
						/* translators: %s: Theme author name */
						printf( __( 'By %s' ), '{{ data.author }}' );
						?>
					</span>

					<img class="theme-screenshot" src="{{ data.screenshot_url }}" alt="" />

					<div class="theme-details">
						<# if ( data.rating ) { #>
							<div class="theme-rating">
								{{{ data.stars }}}
								<span class="num-ratings">({{ data.num_ratings }})</span>
							</div>
						<# } else { #>
							<span class="no-rating"><?php _e( 'This theme has not been rated yet.' ); ?></span>
						<# } #>
						<div class="theme-version">
							<?php
							/* translators: %s: Theme version */
							printf( __( 'Version: %s' ), '{{ data.version }}' );
							?>
						</div>
						<div class="theme-description">{{{ data.description }}}</div>
					</div>
				</div>
			</div>
			<div class="wp-full-overlay-footer">
				<button type="button" class="collapse-sidebar button-secondary" aria-expanded="true" aria-label="<?php esc_attr_e( 'Collapse Sidebar' ); ?>">
					<span class="collapse-sidebar-arrow"></span>
					<span class="collapse-sidebar-label"><?php _e( 'Collapse' ); ?></span>
				</button>
			</div>
		</div>
		<div class="wp-full-overlay-main">
		<iframe src="{{ data.preview_url }}" title="<?php esc_attr_e( 'Preview' ); ?>"></iframe>
	</div>
</script>

<?php
wp_print_request_filesystem_credentials_modal();
wp_print_admin_notice_templates();

include(ABSPATH . 'wp-admin/admin-footer.php');