From 7d57ca6c2cf1bc19506245d2afa01bd8b8b71098 Mon Sep 17 00:00:00 2001
From: Scott Taylor <scott.c.taylor@mac.com>
Date: Thu, 27 Feb 2014 15:20:14 +0000
Subject: [PATCH] Add some security hardening to passed playlist attributes.

Props xknown.
See #26631.


Built from https://develop.svn.wordpress.org/trunk@27311


git-svn-id: http://core.svn.wordpress.org/trunk@27164 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/media.php | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/wp-includes/media.php b/wp-includes/media.php
index 62c124aaa9..e750cc7562 100644
--- a/wp-includes/media.php
+++ b/wp-includes/media.php
@@ -1013,6 +1013,10 @@ function wp_get_playlist( $attr, $type ) {
 		$orderby = 'none';
 	}
 
+	if ( ! in_array( $style, array( 'light', 'dark' ), true ) ) {
+		$style = 'light';
+	}
+
 	$args = array(
 		'post_status' => 'inherit',
 		'post_type' => 'attachment',
@@ -1113,13 +1117,16 @@ function wp_get_playlist( $attr, $type ) {
 	}
 	$data['tracks'] = $tracks;
 
+	$safe_type = esc_attr( $safe_type );
+	$safe_style = esc_attr( $style );
+
 	ob_start();
 
 	if ( 1 === $instance ):
 		wp_enqueue_style( 'wp-mediaelement' );
 		wp_enqueue_script( 'wp-playlist' );
 ?>
-<!--[if lt IE 9]><script>document.createElement('<?php echo $type ?>');</script><![endif]-->
+<!--[if lt IE 9]><script>document.createElement('<?php echo esc_js( $type ) ?>');</script><![endif]-->
 <script type="text/html" id="tmpl-wp-playlist-current-item">
 	<# if ( data.image ) { #>
 	<img src="{{{ data.thumb.src }}}"/>
@@ -1154,11 +1161,11 @@ function wp_get_playlist( $attr, $type ) {
 	</div>
 </script>
 	<?php endif ?>
-<div class="wp-playlist wp-<?php echo $type ?>-playlist wp-playlist-<?php echo $style ?>">
+<div class="wp-playlist wp-<?php echo $safe_type ?>-playlist wp-playlist-<?php echo $safe_style ?>">
 	<?php if ( 'audio' === $type ): ?>
 	<div class="wp-playlist-current-item"></div>
 	<?php endif ?>
-	<<?php echo $type ?> controls="controls" preload="metadata" width="<?php echo $theme_width ?>"></<?php echo $type ?>>
+	<<?php echo $safe_type ?> controls="controls" preload="metadata" width="<?php echo (int) $theme_width ?>"></<?php echo $safe_type ?>>
 	<div class="wp-playlist-next"></div>
 	<div class="wp-playlist-prev"></div>
 	<noscript>
@@ -2594,4 +2601,4 @@ function theme_supports_thumbnails( $post ) {
 	}
 
 	return current_theme_supports( 'post-thumbnails', $post->post_type );
-}
\ No newline at end of file
+}