
Ticket #14336: garyc40.14336.diff

File garyc40.14336.diff, 3.8 KB (added by garyc40, 10 years ago)

properly send the correct nonce for each comment being edited or replied to

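--- a/wp-admin/includes/class-wp-comments-list-table.php
+++ b/wp-admin/includes/class-wp-comments-list-table.php
@@ -20,6 +20,8 @@ class WP_Comments_List_Table extends WP_List_Table {
         var $checkbox = true;
 
         var $pending_count = array();
+       
+        var $comment_reply_nonces = array();
 
         function WP_Comments_List_Table() {
                 global $post_id;
@@ -295,6 +297,11 @@ class WP_Comments_List_Table extends WP_List_Table {
                 <?php $this->items = $this->extra_items; $this->display_rows(); ?>
         </tbody>
 </table>
+<script type="text/javascript">
+//<![CDATA[
+var commentReplyNonces = <?php echo json_encode( $this->comment_reply_nonces ); ?>;
+//]]>
+</script>
 <?php
 
                 $this->display_tablenav( 'bottom' );
@@ -309,7 +316,10 @@ class WP_Comments_List_Table extends WP_List_Table {
                 $post = get_post( $comment->comment_post_ID );
 
                 $this->user_can = current_user_can( 'edit_comment', $comment->comment_ID );
-
+               
+                if ( empty( $this->comment_reply_nonces[$comment->comment_post_ID] ) )
+                        $this->comment_reply_nonces[$comment->comment_post_ID] = wp_create_nonce( 'unfiltered-html-comment_' . $comment->comment_post_ID );
+               
                 echo "<tr id='comment-$comment->comment_ID' class='$the_comment_status'>";
                 echo $this->single_row_columns( $comment );
                 echo "</tr>";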
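Review bot: The nonce minted at new line 321 is created for every row regardless of whether the current user holds `unfiltered_html`, which, judging by the `unfiltered-html-comment_` action name, is the capability this token is meant to unlock server-side; the second hunk then publishes the whole map to every viewer via the inline `commentReplyNonces` script. A WordPress nonce is tied to the user, so this is not directly exploitable, but it is wasted work and a larger surface than the feature needs, and the existing row-level `current_user_can` check on the line above shows the pattern to follow: `if ( current_user_can( 'unfiltered_html' ) && empty( $this->comment_reply_nonces[$comment->comment_post_ID] ) )`. The `json_encode` output lands inside a `<script>` element; the values here appear to be post IDs and nonce strings, so a `</script>` breakout is unlikely, but passing `JSON_HEX_TAG` costs nothing and removes the need to reason about it. The enclosing row-rendering method starts outside this hunk.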
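--- a/wp-admin/includes/dashboard.php
+++ b/wp-admin/includes/dashboard.php
@@ -621,17 +621,20 @@ function wp_dashboard_recent_comments() {
                 $start = $start + 50;
         }
 
-        if ( $comments ) :
+        if ( $comments ) : $comment_reply_nonces = array();
 ?>
-
                 <div id="the-comment-list" class="list:comment">
 <?php
                 foreach ( $comments as $comment )
-                        _wp_dashboard_recent_comments_row( $comment );
+                        _wp_dashboard_recent_comments_row( $comment, true, $comment_reply_nonces );
 ?>
 
                 </div>
-
+                <script type="text/javascript">
+                //<![CDATA[
+                var commentReplyNonces = <?php echo json_encode( $comment_reply_nonces ); ?>;
+                //]]>
+                </script>
 <?php
                 if ( current_user_can('edit_posts') ) { ?>
                         <p class="textright"><a href="edit-comments.php" class="button"><?php _e('View all'); ?></a></p>
@@ -649,14 +652,17 @@ function wp_dashboard_recent_comments() {
         endif; // $comments;
 }
 
-function _wp_dashboard_recent_comments_row( &$comment, $show_date = true ) {
+function _wp_dashboard_recent_comments_row( &$comment, $show_date = true, &$comment_reply_nonces = false ) {
         $GLOBALS['comment'] =& $comment;
 
         $comment_post_url = get_edit_post_link( $comment->comment_post_ID );
         $comment_post_title = strip_tags(get_the_title( $comment->comment_post_ID ));
         $comment_post_link = "<a href='$comment_post_url'>$comment_post_title</a>";
         $comment_link = '<a class="comment-link" href="' . esc_url(get_comment_link()) . '">#</a>';
-
+       
+        if ( $comment_reply_nonces !== false && empty( $comment_reply_nonces[$comment->comment_post_ID] ) )
+                $comment_reply_nonces[$comment->comment_post_ID] = wp_create_nonce( 'unfiltered-html-comment_' . $comment->comment_post_ID );
+               
         $actions_string = '';
         if ( current_user_can( 'edit_comment', $comment->comment_ID ) ) {
                 // preorder it: Approve | Reply | Edit | Spam | Trash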
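Review bot: The nonce created at new line 664 in `_wp_dashboard_recent_comments_row()` is unconditional on capability, so every dashboard viewer gets an `unfiltered-html-comment_*` token for each listed post even though only users with `unfiltered_html` can make use of it; `if ( $comment_reply_nonces !== false && current_user_can( 'unfiltered_html' ) && empty( $comment_reply_nonces[$comment->comment_post_ID] ) )` keeps the map empty for everyone else. The new `&$comment_reply_nonces = false` parameter also means any caller that renders rows without passing the array (the default path) produces rows whose post IDs are absent from `commentReplyNonces`, which the JS side would presumably turn into an empty hidden field — a safe failure, since the server falls back to filtering, but one that silently disables the feature; a one-line note on the function, `// Pass an array as the third argument to collect the per-post nonces that commentReplyNonces must carry.`, would make the contract visible. The row function's body continues past the end of this hunk.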
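--- a/wp-admin/js/edit-comments.dev.js
+++ b/wp-admin/js/edit-comments.dev.js
@@ -366,6 +366,7 @@ commentReply = {
                 $('#action', editRow).val(act);
                 $('#comment_post_ID', editRow).val(p);
                 $('#comment_ID', editRow).val(id);
+                $('#_wp_unfiltered_html_comment', editRow).val(commentReplyNonces[p]);
 
                 if ( a == 'edit' ) {
                         $('#author', editRow).val( $('div.author', rowData).text() );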
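Review bot: The added line reads `commentReplyNonces` as a bare global; on any screen that loads this script but whose PHP template did not emit the inline map, the lookup throws a ReferenceError and aborts the rest of this handler before the edit row is shown, rather than degrading to a filtered submission. Reading it defensively, `var nonces = window.commentReplyNonces || {};` followed by `$('#_wp_unfiltered_html_comment', editRow).val( nonces[p] || '' );`, keeps the failure mode at "nonce absent, server applies KSES" instead of a broken UI. Whether the map is guaranteed to exist on every screen where this handler runs cannot be confirmed from the hunk, and the enclosing function begins outside it.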