Ticket #16188: 16188.linking.diff

wp-includes/js/tinymce/plugins/wplink/js/wplink.dev.js

@@ -433 +433 @@
                         var self = this,
                                 query = {
                                         action : 'wp-link-ajax',
-                                        page : this.page
+                                        page : this.page,
+                                        '_ajax_linking_nonce' : $('#_ajax_linking_nonce').val()
                                 };
 
                         if ( this.search )

wp-admin/admin-ajax.php

@@ -1089 +1089 @@
 case 'wp-link-ajax':
         require_once ABSPATH . 'wp-admin/includes/internal-linking.php';
 
+        check_ajax_referer( 'internal-linking', '_ajax_linking_nonce' );
+
         $args = array();
 
         if ( isset( $_POST['search'] ) )

wp-admin/includes/internal-linking.php

@@ -71 +71 @@
 function wp_link_dialog() {
 ?>
 <form id="wp-link" tabindex="-1">
+<?php wp_nonce_field( 'internal-linking', '_ajax_linking_nonce', false ); ?>
 <div id="link-selector">
         <div id="link-options">
                 <p class="howto"><?php _e( 'Enter the destination URL' ); ?></p>