Validate file name and sanitize path after the filters and before the inclusion.

[widoz]

In order to prevent third party code to hook and edit in wrong way the path for the template file I think a validation/sanitization may be useful for the path.

Also, we should be sure that the path belong to the wp-content/plugins or wp-content/themes/{current-active-theme} or the parent theme.

[widoz]

Also, I was thinking that making a validation/sanitization with the path may help us to remove the file_exists check (so we don't access to the file system) instead, we can compare the original path and the sanitized one, if them are different we throw an exception.

I think if the file that we are trying to include doesn't exists, it's a problem, probably we shouldn't call the template loader if we are not sure the file exists.

In this case we can leave third party code to make the check or not.