Grouped backports for the 6.7 branch.

desrosj · desrosj · commit 62b9af9f4085 · 2026-03-10T16:38:17.000Z
- XML-RPC: Switch to `wp_safe_remote()` when fetching a pingback URL. - HTML API: Prevent `WP_HTML_Tag_Processor` instances being unserialized and add some extra logic for validating pattern and template file paths. - KSES: Optimize PCRE pattern detecting numeric character references. - Customize: Improve escaping approach used for nav menu attributes. - Media: Ensure the attachment parent is accessible to the user before showing a link to it in the media manager. - Interactivity API: Skip binding event handler attributes. The corresponding `data-wp-on--` attribute should be used instead. - Administration: Ensure client-side templates are only detected when they're correctly associated with a script tag. - Filesystem API: Don't attempt to extract invalid files from a zip when using the PclZip library. - Comments: Don't attempt to create a note if the user cannot edit the target post. - Media: Disable XML entity substitution in getID3. Merges [61879-61890] to the 6.7 branch. Props johnbillion, xknown, dmsnell, jorbin, peterwilson, adamsilverstein, desrosj, luisherranz, ocean90, westonruter, jonsurrell, aurdasjb. git-svn-id: https://develop.svn.wordpress.org/branches/6.7@61902 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/js/_enqueues/wp/util.js b/src/js/_enqueues/wp/util.js
@@ -36,10 +36,11 @@ window.wp = window.wp || {};
 			};
 
 		return function ( data ) {
-			if ( ! document.getElementById( 'tmpl-' + id ) ) {
+			var el = document.querySelector( 'script#tmpl-' + id );
+			if ( ! el ) {
 				throw new Error( 'Template not found: ' + '#tmpl-' + id );
 			}
-			compiled = compiled || _.template( $( '#tmpl-' + id ).html(),  options );
+			compiled = compiled || _.template( $( el ).html(), options );
 			return compiled( data );
 		};
 	});
diff --git a/src/wp-admin/includes/class-walker-nav-menu-checklist.php b/src/wp-admin/includes/class-walker-nav-menu-checklist.php
@@ -116,11 +116,11 @@ public function start_el( &$output, $data_object, $depth = 0, $args = null, $cur
 		$output .= '<input type="hidden" class="menu-item-object" name="menu-item[' . $possible_object_id . '][menu-item-object]" value="' . esc_attr( $menu_item->object ) . '" />';
 		$output .= '<input type="hidden" class="menu-item-parent-id" name="menu-item[' . $possible_object_id . '][menu-item-parent-id]" value="' . esc_attr( $menu_item->menu_item_parent ) . '" />';
 		$output .= '<input type="hidden" class="menu-item-type" name="menu-item[' . $possible_object_id . '][menu-item-type]" value="' . esc_attr( $menu_item->type ) . '" />';
-		$output .= '<input type="hidden" class="menu-item-title" name="menu-item[' . $possible_object_id . '][menu-item-title]" value="' . esc_attr( $menu_item->title ) . '" />';
+		$output .= '<input type="hidden" class="menu-item-title" name="menu-item[' . $possible_object_id . '][menu-item-title]" value="' . htmlspecialchars( $menu_item->title, ENT_QUOTES ) . '" />';
 		$output .= '<input type="hidden" class="menu-item-url" name="menu-item[' . $possible_object_id . '][menu-item-url]" value="' . esc_attr( $menu_item->url ) . '" />';
 		$output .= '<input type="hidden" class="menu-item-target" name="menu-item[' . $possible_object_id . '][menu-item-target]" value="' . esc_attr( $menu_item->target ) . '" />';
-		$output .= '<input type="hidden" class="menu-item-attr-title" name="menu-item[' . $possible_object_id . '][menu-item-attr-title]" value="' . esc_attr( $menu_item->attr_title ) . '" />';
-		$output .= '<input type="hidden" class="menu-item-classes" name="menu-item[' . $possible_object_id . '][menu-item-classes]" value="' . esc_attr( implode( ' ', $menu_item->classes ) ) . '" />';
-		$output .= '<input type="hidden" class="menu-item-xfn" name="menu-item[' . $possible_object_id . '][menu-item-xfn]" value="' . esc_attr( $menu_item->xfn ) . '" />';
+		$output .= '<input type="hidden" class="menu-item-attr-title" name="menu-item[' . $possible_object_id . '][menu-item-attr-title]" value="' . htmlspecialchars( $menu_item->attr_title, ENT_QUOTES ) . '" />';
+		$output .= '<input type="hidden" class="menu-item-classes" name="menu-item[' . $possible_object_id . '][menu-item-classes]" value="' . htmlspecialchars( implode( ' ', $menu_item->classes ), ENT_QUOTES ) . '" />';
+		$output .= '<input type="hidden" class="menu-item-xfn" name="menu-item[' . $possible_object_id . '][menu-item-xfn]" value="' . htmlspecialchars( $menu_item->xfn, ENT_QUOTES ) . '" />';
 	}
 }
diff --git a/src/wp-admin/includes/class-walker-nav-menu-edit.php b/src/wp-admin/includes/class-walker-nav-menu-edit.php
@@ -203,13 +203,13 @@ public function start_el( &$output, $data_object, $depth = 0, $args = null, $cur
 				<p class="description description-wide">
 					<label for="edit-menu-item-title-<?php echo $item_id; ?>">
 						<?php _e( 'Navigation Label' ); ?><br />
-						<input type="text" id="edit-menu-item-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-title" name="menu-item-title[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $menu_item->title ); ?>" />
+						<input type="text" id="edit-menu-item-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-title" name="menu-item-title[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $menu_item->title, ENT_QUOTES ); ?>" />
 					</label>
 				</p>
 				<p class="field-title-attribute field-attr-title description description-wide">
 					<label for="edit-menu-item-attr-title-<?php echo $item_id; ?>">
 						<?php _e( 'Title Attribute' ); ?><br />
-						<input type="text" id="edit-menu-item-attr-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-attr-title" name="menu-item-attr-title[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $menu_item->post_excerpt ); ?>" />
+						<input type="text" id="edit-menu-item-attr-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-attr-title" name="menu-item-attr-title[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $menu_item->post_excerpt, ENT_QUOTES ); ?>" />
 					</label>
 				</p>
 				<p class="field-link-target description">
@@ -222,20 +222,20 @@ public function start_el( &$output, $data_object, $depth = 0, $args = null, $cur
 					<p class="field-css-classes description description-thin">
 						<label for="edit-menu-item-classes-<?php echo $item_id; ?>">
 							<?php _e( 'CSS Classes (optional)' ); ?><br />
-							<input type="text" id="edit-menu-item-classes-<?php echo $item_id; ?>" class="widefat code edit-menu-item-classes" name="menu-item-classes[<?php echo $item_id; ?>]" value="<?php echo esc_attr( implode( ' ', $menu_item->classes ) ); ?>" />
+							<input type="text" id="edit-menu-item-classes-<?php echo $item_id; ?>" class="widefat code edit-menu-item-classes" name="menu-item-classes[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( implode( ' ', $menu_item->classes ), ENT_QUOTES ); ?>" />
 						</label>
 					</p>
 					<p class="field-xfn description description-thin">
 						<label for="edit-menu-item-xfn-<?php echo $item_id; ?>">
 							<?php _e( 'Link Relationship (XFN)' ); ?><br />
-							<input type="text" id="edit-menu-item-xfn-<?php echo $item_id; ?>" class="widefat code edit-menu-item-xfn" name="menu-item-xfn[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $menu_item->xfn ); ?>" />
+							<input type="text" id="edit-menu-item-xfn-<?php echo $item_id; ?>" class="widefat code edit-menu-item-xfn" name="menu-item-xfn[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $menu_item->xfn, ENT_QUOTES ); ?>" />
 						</label>
 					</p>
 				</div>
 				<p class="field-description description description-wide">
 					<label for="edit-menu-item-description-<?php echo $item_id; ?>">
 						<?php _e( 'Description' ); ?><br />
-						<textarea id="edit-menu-item-description-<?php echo $item_id; ?>" class="widefat edit-menu-item-description" rows="3" cols="20" name="menu-item-description[<?php echo $item_id; ?>]"><?php echo esc_html( $menu_item->description ); // textarea_escaped ?></textarea>
+						<textarea id="edit-menu-item-description-<?php echo $item_id; ?>" class="widefat edit-menu-item-description" rows="3" cols="20" name="menu-item-description[<?php echo $item_id; ?>]"><?php echo esc_textarea( $menu_item->description ); // textarea_escaped ?></textarea>
 						<span class="description"><?php _e( 'The description will be displayed in the menu if the active theme supports it.' ); ?></span>
 					</label>
 				</p>
@@ -347,4 +347,4 @@ public function start_el( &$output, $data_object, $depth = 0, $args = null, $cur
 		<?php
 		$output .= ob_get_clean();
 	}
-}
+}
diff --git a/src/wp-admin/includes/file.php b/src/wp-admin/includes/file.php
@@ -1883,6 +1883,11 @@ function _unzip_file_pclzip( $file, $to, $needed_dirs = array() ) {
 			continue;
 		}
 
+		// Don't extract invalid files:
+		if ( 0 !== validate_file( $file['filename'] ) ) {
+			continue;
+		}
+
 		$uncompressed_size += $file['size'];
 
 		$needed_dirs[] = $to . untrailingslashit( $file['folder'] ? $file['filename'] : dirname( $file['filename'] ) );
diff --git a/src/wp-includes/ID3/getid3.lib.php b/src/wp-includes/ID3/getid3.lib.php
@@ -13,9 +13,9 @@
 
 if(!defined('GETID3_LIBXML_OPTIONS') && defined('LIBXML_VERSION')) {
 	if(LIBXML_VERSION >= 20621) {
-		define('GETID3_LIBXML_OPTIONS', LIBXML_NOENT | LIBXML_NONET | LIBXML_NOWARNING | LIBXML_COMPACT);
+		define('GETID3_LIBXML_OPTIONS', LIBXML_NONET | LIBXML_NOWARNING | LIBXML_COMPACT);
 	} else {
-		define('GETID3_LIBXML_OPTIONS', LIBXML_NOENT | LIBXML_NONET | LIBXML_NOWARNING);
+		define('GETID3_LIBXML_OPTIONS', LIBXML_NONET | LIBXML_NOWARNING);
 	}
 }
 
diff --git a/src/wp-includes/class-wp-block-patterns-registry.php b/src/wp-includes/class-wp-block-patterns-registry.php
@@ -173,12 +173,21 @@ private function get_content( $pattern_name, $outside_init_only = false ) {
 		} else {
 			$patterns = &$this->registered_patterns;
 		}
-		if ( ! isset( $patterns[ $pattern_name ]['content'] ) && isset( $patterns[ $pattern_name ]['filePath'] ) ) {
+
+		$pattern_path = realpath( $patterns[ $pattern_name ]['filePath'] ?? '' );
+		if (
+			! isset( $patterns[ $pattern_name ]['content'] ) &&
+			is_string( $pattern_path ) &&
+			( str_ends_with( $pattern_path, '.php' ) || str_ends_with( $pattern_path, '.html' ) ) &&
+			is_file( $pattern_path ) &&
+			is_readable( $pattern_path )
+		) {
 			ob_start();
 			include $patterns[ $pattern_name ]['filePath'];
 			$patterns[ $pattern_name ]['content'] = ob_get_clean();
 			unset( $patterns[ $pattern_name ]['filePath'] );
 		}
+
 		return $patterns[ $pattern_name ]['content'];
 	}
 
diff --git a/src/wp-includes/class-wp-http-ixr-client.php b/src/wp-includes/class-wp-http-ixr-client.php
@@ -89,7 +89,7 @@ public function query( ...$args ) {
 			echo '<pre class="ixr_request">' . htmlspecialchars( $xml ) . "\n</pre>\n\n";
 		}
 
-		$response = wp_remote_post( $url, $args );
+		$response = wp_safe_remote_post( $url, $args );
 
 		if ( is_wp_error( $response ) ) {
 			$errno       = $response->get_error_code();
diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -4555,4 +4555,13 @@ public function get_doctype_info(): ?WP_HTML_Doctype_Info {
 	 * @since 6.7.0
 	 */
 	const TEXT_IS_WHITESPACE = 'TEXT_IS_WHITESPACE';
+
+	/**
+	 * Wakeup magic method.
+	 *
+	 * @since 6.9.2
+	 */
+	public function __wakeup() {
+		throw new \LogicException( __CLASS__ . ' should never be unserialized' );
+	}
 }
diff --git a/src/wp-includes/interactivity-api/class-wp-interactivity-api.php b/src/wp-includes/interactivity-api/class-wp-interactivity-api.php
@@ -818,6 +818,20 @@ private function data_wp_bind_processor( WP_Interactivity_API_Directives_Process
 					return;
 				}
 
+				// Skip if the bound attribute is an event handler.
+				if ( str_starts_with( $bound_attribute, 'on' ) ) {
+					_doing_it_wrong(
+						__METHOD__,
+						sprintf(
+							/* translators: %s: The directive, e.g. data-wp-on--click. */
+							__( 'Binding event handler attributes is not supported. Please use "%s" instead.' ),
+							esc_attr( 'data-wp-on--' . substr( $bound_attribute, 2 ) )
+						),
+						'x.y.z'
+					);
+					continue;
+				}
+
 				$attribute_value = $p->get_attribute( $attribute_name );
 				$result          = $this->evaluate( $attribute_value );
 
diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
@@ -1962,8 +1962,8 @@ function wp_kses_normalize_entities( $content, $context = 'html' ) {
 	} else {
 		$content = preg_replace_callback( '/&amp;([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $content );
 	}
-	$content = preg_replace_callback( '/&amp;#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $content );
-	$content = preg_replace_callback( '/&amp;#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $content );
+	$content = preg_replace_callback( '/&amp;#(0*[1-9][0-9]{0,6});/', 'wp_kses_normalize_entities2', $content );
+	$content = preg_replace_callback( '/&amp;#[Xx](0*[1-9A-Fa-f][0-9A-Fa-f]{0,5});/', 'wp_kses_normalize_entities3', $content );
 
 	return $content;
 }
diff --git a/src/wp-includes/media.php b/src/wp-includes/media.php
@@ -4520,7 +4520,7 @@ function wp_prepare_attachment_for_js( $attachment ) {
 
 	if ( $attachment->post_parent ) {
 		$post_parent = get_post( $attachment->post_parent );
-		if ( $post_parent ) {
+		if ( $post_parent && current_user_can( 'read_post', $attachment->post_parent ) ) {
 			$response['uploadedToTitle'] = $post_parent->post_title ? $post_parent->post_title : __( '(no title)' );
 			$response['uploadedToLink']  = get_edit_post_link( $attachment->post_parent, 'raw' );
 		}
diff --git a/src/wp-includes/nav-menu.php b/src/wp-includes/nav-menu.php
@@ -514,7 +514,7 @@ function wp_update_nav_menu_item( $menu_id = 0, $menu_item_db_id = 0, $menu_item
 			}
 		}
 
-		if ( wp_unslash( $args['menu-item-title'] ) === wp_specialchars_decode( $original_title ) ) {
+		if ( wp_unslash( $args['menu-item-title'] ) === $original_title ) {
 			$args['menu-item-title'] = '';
 		}
 
diff --git a/src/wp-includes/template-loader.php b/src/wp-includes/template-loader.php
@@ -102,7 +102,13 @@
 	 * @param string $template The path of the template to include.
 	 */
 	$template = apply_filters( 'template_include', $template );
-	if ( $template ) {
+	$template = is_string( $template ) ? realpath( $template ) : null;
+	if (
+		is_string( $template ) &&
+		( str_ends_with( $template, '.php' ) || str_ends_with( $template, '.html' ) ) &&
+		is_file( $template ) &&
+		is_readable( $template )
+	) {
 		include $template;
 	} elseif ( current_user_can( 'switch_themes' ) ) {
 		$theme = wp_get_theme();
diff --git a/tests/phpunit/tests/post/nav-menu.php b/tests/phpunit/tests/post/nav-menu.php
@@ -1188,6 +1188,8 @@ public function test_wp_update_nav_menu_item_with_special_characters_in_category
 			)
 		);
 
+		$this->assertSame( 'Test Cat - "Pre-Slashed" Cat Name &amp; &gt;', $category->name );
+
 		$category_item_id = wp_update_nav_menu_item(
 			$this->menu_id,
 			0,
@@ -1196,11 +1198,7 @@ public function test_wp_update_nav_menu_item_with_special_characters_in_category
 				'menu-item-object'    => 'category',
 				'menu-item-object-id' => $category->term_id,
 				'menu-item-status'    => 'publish',
-				/*
-				 * Interestingly enough, if we use `$cat->name` for the menu item title,
-				 * we won't be able to replicate the bug because it's in htmlentities form.
-				 */
-				'menu-item-title'     => $category_name,
+				'menu-item-title'     => $category->name,
 			)
 		);
 

Original file line number	Diff line number	Diff line change
`@@ -13,9 +13,9 @@`
`13`	`13`
`14`	`14`	`if(!defined('GETID3_LIBXML_OPTIONS') && defined('LIBXML_VERSION')) {`
`15`	`15`	`if(LIBXML_VERSION >= 20621) {`
`16`		`- define('GETID3_LIBXML_OPTIONS', LIBXML_NOENT \| LIBXML_NONET \| LIBXML_NOWARNING \| LIBXML_COMPACT);`
	`16`	`+ define('GETID3_LIBXML_OPTIONS', LIBXML_NONET \| LIBXML_NOWARNING \| LIBXML_COMPACT);`
`17`	`17`	`} else {`
`18`		`- define('GETID3_LIBXML_OPTIONS', LIBXML_NOENT \| LIBXML_NONET \| LIBXML_NOWARNING);`
	`18`	`+ define('GETID3_LIBXML_OPTIONS', LIBXML_NONET \| LIBXML_NOWARNING);`
`19`	`19`	`}`
`20`	`20`	`}`
`21`	`21`
Original file line number	Diff line number	Diff line change
`@@ -89,7 +89,7 @@ public function query( ...$args ) {`
`89`	`89`	`echo '<pre class="ixr_request">' . htmlspecialchars( $xml ) . "\n</pre>\n\n";`
`90`	`90`	`}`
`91`	`91`
`92`		`- $response = wp_remote_post( $url, $args );`
	`92`	`+ $response = wp_safe_remote_post( $url, $args );`
`93`	`93`
`94`	`94`	`if ( is_wp_error( $response ) ) {`
`95`	`95`	`$errno = $response->get_error_code();`
Original file line number	Diff line number	Diff line change
`@@ -1962,8 +1962,8 @@ function wp_kses_normalize_entities( $content, $context = 'html' ) {`
`1962`	`1962`	`} else {`
`1963`	`1963`	`$content = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $content );`
`1964`	`1964`	`}`
`1965`		`- $content = preg_replace_callback( '/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $content );`
`1966`		`- $content = preg_replace_callback( '/&#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $content );`
	`1965`	`+ $content = preg_replace_callback( '/&#(0*[1-9][0-9]{0,6});/', 'wp_kses_normalize_entities2', $content );`
	`1966`	`+ $content = preg_replace_callback( '/&#[Xx](0*[1-9A-Fa-f][0-9A-Fa-f]{0,5});/', 'wp_kses_normalize_entities3', $content );`
`1967`	`1967`
`1968`	`1968`	`return $content;`
`1969`	`1969`	`}`