• Hello,

    With the AJAX theme update, the theme slug in the POST request is sanitized with wp_unslash, and then the slash contained in the slug is removed.

    With the global WordPress Updates page, the request update-core.php?action=do-theme-upgrade works fine.

    The theme Roots Sage (https://github.com/roots/sage) changes the default directory of style.css, so the stylesheet and theme option are saved in the db like so: ‘sage/resources’.

    Why is the slash removed with the update theme AJAX?

    file: wp-admin/includes/ajax-actions.php, line: 4114

    • This topic was modified 4 years, 10 months ago by redcastor.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator bcworkz

    (@bcworkz)

    It’s customary to unslash all data from $_POST, which comes through with escaped slashes but typically would confuse the handling of strings where unslashed data is expected. Only backslashes added in a prior escaping process are stripped, not the forward slash used in *nix paths. If any data originally contained a backslash, it would have become a double backslash when escaped, such that when unslashed the original remains intact.

    Thread Starter redcastor

    (@redcastor)

    Hello,

    Yes, that’s right for wp_unslash, but on line 4114 the regular expression strips the forward slash:

    $stylesheet = preg_replace( '/[^A-z0-9_\-]/', '', wp_unslash( $_POST['slug'] ) );

    The function wp_get_theme, called by the AJAX request on theme update, accepts the param stylesheet, and this function creates an instance of class WP_Theme with stylesheet as the first param, but the first param of the class WP_Theme is described as accepting a directory (https://developer.www.ads-software.com/reference/classes/wp_theme/__construct/).

    So why is the forward slash removed?
    This is confusing.

    Moderator bcworkz

    (@bcworkz)

    Slugs can only contain the characters A-z0-9_-. Any slash in a slug is inappropriate.

    Thread Starter redcastor

    (@redcastor)

    Yes, a slug cannot contain a slash or other special characters.
    But in this case it is not a slug; it is a stylesheet, so it is a directory, and a directory can contain a forward slash.

    Moderator bcworkz

    (@bcworkz)

    I see. Sorry, I’ve had “theme slug” from the OP lurking in my head. We shouldn’t be moving style.css from where it belongs. We can leave it empty (except the header comment) and enqueue whatever other stylesheets in theme subfolders, but style.css belongs in the root theme folder. Thus the other enqueued sheets can act like alternative default stylesheets, but style.css stays where it belongs.

  • The topic ‘Ajax Update theme error with slug contain slash’ is closed to new replies.
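
As an added example (not WordPress core code and not written by anyone in this thread): the expression quoted from line 4114, run over constructed stylesheet values, beside a hypothetical per-segment check that would keep a nested directory such as sage/resources while still rejecting traversal segments. The function names and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not WordPress core code. Both function names are hypothetical.

// The expression quoted in the thread, applied to an already-unslashed value.
// Note that the range A-z spans ASCII 65-122, so besides letters it also
// keeps [ \ ] ^ _ and the backtick; only "/" and "." matter for paths here.
function strip_like_ajax_handler( string $raw ): string {
    return (string) preg_replace( '/[^A-z0-9_\-]/', '', $raw );
}

// Hypothetical alternative: allow a nested theme directory by checking each
// path segment, and reject the whole value instead of silently rewriting it.
function validate_stylesheet_dir( string $raw ): ?string {
    if ( $raw === '' || strlen( $raw ) > 255 ) {
        return null;
    }
    foreach ( explode( '/', $raw ) as $segment ) {
        // An empty segment means a leading, trailing or doubled slash.
        // "." and ".." fail because dots are not in the allowed set.
        if ( ! preg_match( '/\A[A-Za-z0-9_-]+\z/', $segment ) ) {
            return null;
        }
    }
    return $raw;
}

// Constructed sample inputs.
$samples = array(
    'twentytwenty',     // ordinary theme directory
    'sage/resources',   // nested stylesheet directory from the thread
    '../other-dir',     // traversal segment
    'sage//resources',  // doubled slash
    'sage\\resources',  // backslash separator
    'a[b]^c`d',         // characters let through by the A-z range
);

foreach ( $samples as $raw ) {
    printf(
        "%-16s strip: %-16s validate: %s\n",
        $raw,
        strip_like_ajax_handler( $raw ),
        var_export( validate_stylesheet_dir( $raw ), true )
    );
}
```

The stripping approach turns sage/resources into a different name (sageresources), which is why the AJAX lookup in the thread no longer matches the stylesheet value stored in the database.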