Customize: Sanitize autofocus URL parameter as an array.

[58069] introduced calling `sanitize_text_field()` with `$_REQUEST['autofocus']` (which is an array) and setting its default to a `string`. This fix restores the `array` data type for `autofocus`. The fix also relocates the unsplash for `url`, `return`, and `autofocus` before sanitizing. Follow-up to [58069], [34269], [29026], [21028]. Props jamesros161, swissspidy, dlh, audrasjb, hellofromTonya, ironprogrammer. Fixes #61561. git-svn-id: https://develop.svn.wordpress.org/trunk@58804 602fd350-edb4-49c9-b593-d223f7449a82
dmsnell · Jul 24, 2024 · 881ac87 · 881ac87
1 parent edcd7d2
commit 881ac87
Showing 1 changed file with 9 additions and 7 deletions.
diff --git a/src/wp-admin/customize.php b/src/wp-admin/customize.php
@@ -84,18 +84,20 @@
 	}
 }
 
-$url       = ! empty( $_REQUEST['url'] ) ? sanitize_text_field( $_REQUEST['url'] ) : '';
-$return    = ! empty( $_REQUEST['return'] ) ? sanitize_text_field( $_REQUEST['return'] ) : '';
-$autofocus = ! empty( $_REQUEST['autofocus'] ) ? sanitize_text_field( $_REQUEST['autofocus'] ) : '';
+$url       = ! empty( $_REQUEST['url'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['url'] ) ) : '';
+$return    = ! empty( $_REQUEST['return'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['return'] ) ) : '';
+$autofocus = ! empty( $_REQUEST['autofocus'] ) && is_array( $_REQUEST['autofocus'] )
+	? array_map( 'sanitize_text_field', wp_unslash( $_REQUEST['autofocus'] ) )
+	: array();
 
 if ( ! empty( $url ) ) {
-	$wp_customize->set_preview_url( wp_unslash( $url ) );
+	$wp_customize->set_preview_url( $url );
 }
 if ( ! empty( $return ) ) {
-	$wp_customize->set_return_url( wp_unslash( $return ) );
+	$wp_customize->set_return_url( $return );
 }
-if ( ! empty( $autofocus ) && is_array( $autofocus ) ) {
-	$wp_customize->set_autofocus( wp_unslash( $autofocus ) );
+if ( ! empty( $autofocus ) ) {
+	$wp_customize->set_autofocus( $autofocus );
 }
 
 $registered             = $wp_scripts->registered;