diff -r 3d4e9c994f10 -r a86126ab1dd4 wp/wp-admin/load-styles.php
--- a/wp/wp-admin/load-styles.php	Tue Oct 22 16:11:46 2019 +0200
+++ b/wp/wp-admin/load-styles.php	Tue Dec 15 13:49:49 2020 +0100
@@ -9,40 +9,44 @@
 /** Set ABSPATH for execution */
 if ( ! defined( 'ABSPATH' ) ) {
-	define( 'ABSPATH', dirname( dirname( __FILE__ ) ) . '/' );
+	define( 'ABSPATH', dirname( __DIR__ ) . '/' );
 }
 
 define( 'WPINC', 'wp-includes' );
 
-require( ABSPATH . 'wp-admin/includes/noop.php' );
-require( ABSPATH . WPINC . '/script-loader.php' );
-require( ABSPATH . WPINC . '/version.php' );
+require ABSPATH . 'wp-admin/includes/noop.php';
+require ABSPATH . WPINC . '/script-loader.php';
+require ABSPATH . WPINC . '/version.php';
+
+$protocol = $_SERVER['SERVER_PROTOCOL'];
+if ( ! in_array( $protocol, array( 'HTTP/1.1', 'HTTP/2', 'HTTP/2.0' ), true ) ) {
+	$protocol = 'HTTP/1.0';
+}
 
 $load = $_GET['load'];
 if ( is_array( $load ) ) {
+	ksort( $load );
 	$load = implode( '', $load );
 }
+
 $load = preg_replace( '/[^a-z0-9,_-]+/i', '', $load );
 $load = array_unique( explode( ',', $load ) );
 
 if ( empty( $load ) ) {
+	header( "$protocol 400 Bad Request" );
 	exit;
 }
 
-$rtl            = ( isset( $_GET['dir'] ) && 'rtl' == $_GET['dir'] );
-$expires_offset = 31536000; // 1 year
+$rtl            = ( isset( $_GET['dir'] ) && 'rtl' === $_GET['dir'] );
+$expires_offset = 31536000; // 1 year.
 $out            = '';
 
 $wp_styles = new WP_Styles();
 wp_default_styles( $wp_styles );
 
 if ( isset( $_SERVER['HTTP_IF_NONE_MATCH'] ) && stripslashes( $_SERVER['HTTP_IF_NONE_MATCH'] ) === $wp_version ) {
-	$protocol = $_SERVER['SERVER_PROTOCOL'];
-	if ( ! in_array( $protocol, array( 'HTTP/1.1', 'HTTP/2', 'HTTP/2.0' ) ) ) {
-		$protocol = 'HTTP/1.0';
-	}
 	header( "$protocol 304 Not Modified" );
-	exit();
+	exit;
 }
 
 foreach ( $load as $handle ) {
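Review bot: The new `header( "$protocol 400 Bad Request" )` branch is effectively unreachable, because `explode( ',', '' )` returns `array( '' )`, so after `array_unique` the `empty( $load )` check is false for a missing or fully stripped `load` parameter and the request falls through to the `foreach` with an empty handle instead of being rejected. The same path also reads `$_GET['load']` unguarded, which raises an undefined-index notice and passes `null` into `preg_replace` when the parameter is absent. I would read the input with `$load = isset( $_GET['load'] ) ? $_GET['load'] : '';` and drop empty entries before the check with `$load = array_values( array_filter( array_unique( explode( ',', $load ) ), 'strlen' ) );`, so the 400 actually fires for an empty list. The hoisted `$protocol` validation with `in_array( ..., true )` is a good change; note that the `foreach` body that consumes `$load` begins on the hunk's last line and continues outside it, so I cannot confirm from here how an empty handle is treated there.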