--- a/wp/wp-admin/network/site-users.php Tue Dec 15 15:52:01 2020 +0100
+++ b/wp/wp-admin/network/site-users.php Wed Sep 21 18:19:35 2022 +0200
@@ -35,7 +35,7 @@
$referer = add_query_arg( 'paged', (int) $_REQUEST['paged'], $referer );
}
-$id = isset( $_REQUEST['id'] ) ? intval( $_REQUEST['id'] ) : 0;
+$id = isset( $_REQUEST['id'] ) ? (int) $_REQUEST['id'] : 0;
if ( ! $id ) {
wp_die( __( 'Invalid site ID.' ) );
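Review bot: The `(int)` cast on the new `$id` line still admits negative values, because the following `if ( ! $id )` rejects only zero. Later in this patch the same variable is printed as `absint( $id )` in the inline script (hunk at -220) but as `esc_attr( $id )` in the hidden form field (hunk at -335), so the two outputs would disagree if a negative id ever reached them. Whether it can reach them depends on the site lookup, which is outside these hunks. Normalising once at the source, `$id = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;`, keeps every later use consistent and makes the output-side `absint()` redundant.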
@@ -140,12 +140,7 @@
case 'promote':
check_admin_referer( 'bulk-users' );
$editable_roles = get_editable_roles();
- $role = false;
- if ( ! empty( $_REQUEST['new_role2'] ) ) {
- $role = $_REQUEST['new_role2'];
- } elseif ( ! empty( $_REQUEST['new_role'] ) ) {
- $role = $_REQUEST['new_role'];
- }
+ $role = $_REQUEST['new_role'];
if ( empty( $editable_roles[ $role ] ) ) {
wp_die( __( 'Sorry, you are not allowed to give users that role.' ), 403 );
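Review bot: `$role = $_REQUEST['new_role'];` reads the request key with no presence or type check, where the removed code guarded it with `! empty()`. A missing key now raises an undefined-index notice before the `empty( $editable_roles[ $role ] )` gate denies the request. An array-valued parameter would be used as an array offset, which newer PHP versions may turn into a type error rather than the intended 403. Suggest `$role = ( isset( $_REQUEST['new_role'] ) && is_string( $_REQUEST['new_role'] ) ) ? wp_unslash( $_REQUEST['new_role'] ) : '';` so the allow-list lookup against `get_editable_roles()` always receives a string and fails closed. The `promote` case continues outside the hunk.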
@@ -220,7 +215,7 @@
require_once ABSPATH . 'wp-admin/admin-header.php'; ?>
<script type="text/javascript">
-var current_site_id = <?php echo $id; ?>;
+var current_site_id = <?php echo absint( $id ); ?>;
</script>
@@ -335,7 +330,7 @@
if ( current_user_can( 'create_users' ) && apply_filters( 'show_network_site_users_add_new_form', true ) ) :
?>
<h2 id="add-new-user"><?php _e( 'Add New User' ); ?></h2>
-<form action="<?php echo network_admin_url( 'site-users.php?action=newuser' ); ?>" id="newuser" method="post">
+<form action="<?php echo esc_url( network_admin_url( 'site-users.php?action=newuser' ) ); ?>" id="newuser" method="post">
<input type="hidden" name="id" value="<?php echo esc_attr( $id ); ?>" />
<table class="form-table" role="presentation">
<tr>