Always URL-encode a stylesheet directory value before using it in a URL. These situations are saved by wp_nonce_url(), but we should not depend on that. see #21749, for trunk only.

git-svn-id: http://core.svn.wordpress.org/trunk@21755 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Andrew Nacin
2012-09-04 22:35:12 +00:00
parent d476c22aa1
commit fb36abe6b7
5 changed files with 21 additions and 20 deletions


@@ -143,7 +143,7 @@ class WP_Themes_List_Table extends WP_List_Table {
. __( 'Live Preview' ) . '</a>';
if ( ! is_multisite() && current_user_can( 'delete_themes' ) )
$actions['delete'] = '<a class="submitdelete deletion" href="' . wp_nonce_url( "themes.php?action=delete&amp;stylesheet=$stylesheet", 'delete-theme_' . $stylesheet )
$actions['delete'] = '<a class="submitdelete deletion" href="' . wp_nonce_url( 'themes.php?action=delete&amp;stylesheet=' . urlencode( $stylesheet ), 'delete-theme_' . $stylesheet )
. '" onclick="' . "return confirm( '" . esc_js( sprintf( __( "You are about to delete this theme '%s'\n 'Cancel' to stop, 'OK' to delete." ), $title ) )
. "' );" . '">' . __( 'Delete' ) . '</a>';
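Review bot: The rewritten `$actions['delete']` line now uses `$stylesheet` in two deliberately different forms, URL-encoded in the query string and raw in the nonce action `'delete-theme_' . $stylesheet`, and nothing on the line says why. A short comment above the assignment, such as `// Encode for the URL only; the nonce action keeps the raw value the handler sees after PHP decodes the query string.`, would stop a later edit from "aligning" the two and breaking nonce verification for stylesheet names containing reserved characters. The handler in themes.php is not visible in this hunk, so confirm that it verifies the nonce against the decoded `stylesheet` parameter. The enclosing method begins and ends outside the hunk.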