Ticket #2734: 2734b.diff
| File 2734b.diff, 32.0 KB (added by , 20 years ago) |
|---|
wp-includes/pluggable-functions.php
236 236 !(-1 == $action && strstr($referer, $adminurl)) ) { 237 237 if ( $referer ) 238 238 $adminurl = $referer; 239 if ( $action !== -1 && preg_match('/([a-z]+)-([a-z]+)(_(.+))?/', $action, $matches) ) { 240 $verbs = array( 241 'add' => __('add'), 242 'delete' => __('delete'), 243 'update' => __('update'), 244 'edit' => __('edit'), 245 'approve' => __('approve'), 246 'unapprove' => __('unapprove'), 247 'moderate' => __('moderate'), 248 'activate' => __('activate'), 249 'deactivate' => __('deactivate'), 250 'import' => __('import'), 251 'switch' => __('switch to') 252 ); 253 if ( isset($verbs[$matches[1]]) ) 254 $verb = $verbs[$matches[1]]; 255 $nouns = array( 256 'category' => array(__('this category'), 'get_catname'), 257 'comment' => array(__('this comment'), false), 258 'comments' => array(__('these comments'), false), 259 'bookmark' => array(__('this bookmark'), false), 260 'bookmarks' => array(__('these bookmarks'), false), 261 'permalink' => array(__('the permalink structure'), false), 262 'options' => array(__('these options'), false), 263 'post' => array(__('this post'), 'get_the_title'), 264 'page' => array(__('this page'), 'get_the_title'), 265 'attachment' => array(__('the attachments on'), 'get_the_title'), 266 'plugin' => array(__('this plugin'), false), 267 'profile' => array(__('this user'), 'get_author_name'), 268 'user' => array(__('this user'), 'get_author_name'), 269 'users' => array(__('these users'), false), 270 'file' => array(__('this file'), false), 271 'theme' => array(__('this theme'), false) 272 ); 273 if ( isset($nouns[$matches[2]]) ) { 274 $noun = $nouns[$matches[2]][0]; 275 $name = ( isset($matches[4]) && function_exists($nouns[$matches[2]][1]) ) ? 
call_user_func($nouns[$matches[2]][1], $matches[4]) : false; 276 } 277 } 278 if ( $name && $noun && $verb ) 279 $ays = sprintf(__('Are you sure you want to %s %s: "%s"?'), $verb, $noun, $name); 280 elseif ( $noun && $verb ) 281 $ays = sprintf(__('Are you sure you want to %s %s?'), $verb, $noun); 282 else 283 $ays = __('Are you sure you want to do this'); 239 284 $title = __('WordPress Confirmation'); 240 285 require_once(ABSPATH . '/wp-admin/admin-header.php'); 241 286 if ( $_POST ) { … … 248 293 $html .= "\t\t<input type='hidden' name='" . wp_specialchars( urldecode($k), 1 ) . "' value='" . wp_specialchars( urldecode($v), 1 ) . "' />\n"; 249 294 } 250 295 $html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n"; 251 $html .= "\t\t<div id='message' class='confirm fade'>\n\t\t<p> " . __('Are you sure you want to do this?') . "</p>\n\t\t<p><a href='$adminurl'>" . __('No') . "</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t\t</div>\n\t</form>\n";296 $html .= "\t\t<div id='message' class='confirm fade'>\n\t\t<p>$ays</p>\n\t\t<p><a href='$adminurl'>" . __('No') . "</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t\t</div>\n\t</form>\n"; 252 297 } else { 253 $html .= "\t<div id='message' class='confirm fade'>\n\t<p> " . __('Are you sure you want to do this?') . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";298 $html .= "\t<div id='message' class='confirm fade'>\n\t<p>$ays</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ) . "'>" . __('Yes') . "</a></p>\n\t</div>\n"; 254 299 } 255 300 $html .= "</body>\n</html>"; 256 301 echo $html; -
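Review bot: `$name` comes back from the noun callbacks (`get_the_title`, `get_catname`, `get_author_name`) on new line 275 and reaches the page unescaped through `$ays` in the `<p>$ays</p>` markup on new lines 296 and 298, while the neighbouring hidden-field code escapes everything with `wp_specialchars`; escape it where it is produced, e.g. `? wp_specialchars( call_user_func($nouns[$matches[2]][1], $matches[4]), 1 ) : false;` in the ternary on line 275. `$verb`, `$noun` and `$name` are only assigned inside the conditionals, so the tests on new lines 278 and 280 read undefined variables whenever the regex does not match or the verb/noun is unknown; initialise them with `$verb = $noun = $name = false;` before the `if ( $action !== -1 && preg_match(...) )` on new line 239. Since the regex on line 239 now fixes the `verb-noun_ID` format that every other file in this patch adopts, a comment there stating that convention, and that the text after the `_` is handed to the noun callback, would tell future callers why the underscore matters. The fallback string on new line 283 also drops the trailing `?` that the two replaced strings carried. The enclosing function begins before this section.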
wp-admin/edit-comments.php
119 119 <?php 120 120 if ( current_user_can('edit_post', $comment->comment_post_ID) ) { 121 121 echo " <a href='comment.php?action=editcomment&comment=".$comment->comment_ID."\'>" . __('Edit') . '</a>'; 122 echo ' | <a href="' . wp_nonce_url('comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'delete-comment ' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), js_escape($comment->comment_author)) . "' );\">" . __('Delete') . '</a> ';122 echo ' | <a href="' . wp_nonce_url('comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'delete-comment_' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), js_escape($comment->comment_author)) . "' );\">" . __('Delete') . '</a> '; 123 123 if ( ('none' != $comment_status) && ( current_user_can('moderate_comments') ) ) { 124 echo '<span class="unapprove"> | <a href="' . wp_nonce_url('comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'unapprove-comment ' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>';125 echo '<span class="approve"> | <a href="' . wp_nonce_url('comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'approve-comment ' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>';124 echo '<span class="unapprove"> | <a href="' . wp_nonce_url('comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'unapprove-comment_' . 
$comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>'; 125 echo '<span class="approve"> | <a href="' . wp_nonce_url('comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'approve-comment_' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>'; 126 126 } 127 echo " | <a href=\" comment.php?action=deletecomment&delete_type=spam&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), js_escape( $comment->comment_author)) . "' );\">" . __('Spam') . "</a> ";127 echo " | <a href=\"" . wp_nonce_url("comment.php?action=deletecomment&delete_type=spam&p=" . $comment->comment_post_ID . "&comment=" . $comment->comment_ID", 'delete-comment_' . $comment->comment_ID) . "\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), js_escape( $comment->comment_author)) . "' );\">" . __('Spam') . "</a> "; 128 128 } 129 129 $post = get_post($comment->comment_post_ID); 130 130 $post_title = wp_specialchars( $post->post_title, 'double' ); -
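Review bot: New line 127 has a stray double quote after `$comment->comment_ID` inside the `wp_nonce_url(...)` call (`"&comment=" . $comment->comment_ID", 'delete-comment_' ...`), which is a parse error and takes the whole page down; it should read `"&comment=" . $comment->comment_ID, 'delete-comment_' . $comment->comment_ID)`, the form the parallel new line 281 in wp-admin/edit.php uses in this same patch. The spam link previously carried no nonce at all, so the nonce added here is the right fix once the quoting is repaired. The code enclosing this `if` block starts before the section.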
wp-admin/profile-update.php
4 4 $submenu_file = 'profile.php'; 5 5 require_once('admin.php'); 6 6 7 check_admin_referer('update-profile ' . $user_ID);7 check_admin_referer('update-profile_' . $user_ID); 8 8 9 9 if ( !$_POST ) 10 10 die( __('No post?') ); -
wp-admin/post.php
82 82 case 'editattachment': 83 83 $post_id = (int) $_POST['post_ID']; 84 84 85 check_admin_referer('update-attachment ' . $post_id);85 check_admin_referer('update-attachment_' . $post_id); 86 86 87 87 // Don't let these be changed 88 88 unset($_POST['guid']); … … 99 99 100 100 case 'editpost': 101 101 $post_ID = (int) $_POST['post_ID']; 102 check_admin_referer('update-post ' . $post_ID);102 check_admin_referer('update-post_' . $post_ID); 103 103 104 104 $post_ID = edit_post(); 105 105 … … 125 125 126 126 case 'delete': 127 127 $post_id = (isset($_GET['post'])) ? intval($_GET['post']) : intval($_POST['post_ID']); 128 check_admin_referer('delete-post ' . $post_id);128 check_admin_referer('delete-post_' . $post_id); 129 129 130 130 $post = & get_post($post_id); 131 131 -
wp-admin/theme-editor.php
47 47 48 48 case 'update': 49 49 50 check_admin_referer('edit-theme ' . $file . $theme);50 check_admin_referer('edit-theme_' . $file . $theme); 51 51 52 52 if ( !current_user_can('edit_themes') ) 53 53 die('<p>'.__('You have do not have sufficient permissions to edit templates for this blog.').'</p>'); … … 131 131 if (!$error) { 132 132 ?> 133 133 <form name="template" id="template" action="theme-editor.php" method="post"> 134 <?php wp_nonce_field('edit-theme ' . $file . $theme) ?>134 <?php wp_nonce_field('edit-theme_' . $file . $theme) ?> 135 135 <div><textarea cols="70" rows="25" name="newcontent" id="newcontent" tabindex="1"><?php echo $content ?></textarea> 136 136 <input type="hidden" name="action" value="update" /> 137 137 <input type="hidden" name="file" value="<?php echo $file ?>" /> -
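Review bot: The nonce action on new lines 50 and 134 is built as `'edit-theme_' . $file . $theme` with no separator between the two request-supplied values, so different file/theme pairs whose concatenation is the same string share one nonce. This predates the patch, but since the line is being rewritten anyway a separator such as `'edit-theme_' . $file . '_' . $theme` on both lines would make the binding unambiguous (the `(_(.+))?` group in wp_nonce_ays is greedy, so the extra `_` does not disturb the new parsing). The `switch` containing line 50 starts before this section.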
wp-admin/templates.php
36 36 37 37 case 'update': 38 38 39 check_admin_referer('edit-file ' . $file);39 check_admin_referer('edit-file_' . $file); 40 40 41 41 if ( ! current_user_can('edit_files') ) 42 42 die('<p>'.__('You do not have sufficient permissions to edit templates for this blog.').'</p>'); … … 128 128 </div> 129 129 <?php if (!$error) { ?> 130 130 <form name="template" id="template" action="templates.php" method="post"> 131 <?php wp_nonce_field('edit-file ' . $file) ?>131 <?php wp_nonce_field('edit-file_' . $file) ?> 132 132 <div><textarea cols="70" rows="25" name="newcontent" id='newcontent' tabindex="1"><?php echo $content ?></textarea> 133 133 <input type="hidden" name="action" value="update" /> 134 134 <input type="hidden" name="file" value="<?php echo $file ?>" /> -
wp-admin/admin-functions.php
656 656 $default_link_cat_id = get_option('default_link_category'); 657 657 658 658 if ( ($category->cat_ID != $default_cat_id) && ($category->cat_ID != $default_link_cat_id) ) 659 $edit .= "<td><a href='" . wp_nonce_url("categories.php?action=delete&cat_ID=$category->cat_ID", 'delete-category ' . $category->cat_ID ) . "' onclick=\"return deleteSomething( 'cat', $category->cat_ID, '" . sprintf(__("You are about to delete the category "%s".\\nAll of its posts will go into the default category of "%s"\\nAll of its bookmarks will go into the default category of "%s".\\n"OK" to delete, "Cancel" to stop."), addslashes($category->cat_name), js_escape(get_catname($default_cat_id)), js_escape(get_catname($default_link_cat_id))) . "' );\" class='delete'>".__('Delete')."</a>";659 $edit .= "<td><a href='" . wp_nonce_url("categories.php?action=delete&cat_ID=$category->cat_ID", 'delete-category_' . $category->cat_ID ) . "' onclick=\"return deleteSomething( 'cat', $category->cat_ID, '" . sprintf(__("You are about to delete the category "%s".\\nAll of its posts will go into the default category of "%s"\\nAll of its bookmarks will go into the default category of "%s".\\n"OK" to delete, "Cancel" to stop."), addslashes($category->cat_name), js_escape(get_catname($default_cat_id)), js_escape(get_catname($default_link_cat_id))) . "' );\" class='delete'>".__('Delete')."</a>"; 660 660 else 661 661 $edit .= "<td style='text-align:center'>".__("Default"); 662 662 } … … 709 709 <td><?php echo mysql2date('Y-m-d g:i a', $post->post_modified); ?></td> 710 710 <td><a href="<?php the_permalink(); ?>" rel="permalink" class="edit"><?php _e('View'); ?></a></td> 711 711 <td><?php if ( current_user_can('edit_page', $id) ) { echo "<a href='page.php?action=edit&post=$id' class='edit'>" . __('Edit') . "</a>"; } ?></td> 712 <td><?php if ( current_user_can('edit_page', $id) ) { echo "<a href='" . wp_nonce_url("page.php?action=delete&post=$id", 'delete-page ' . $id) . 
"' class='delete' onclick=\"return deleteSomething( 'page', " . $id . ", '" . sprintf(__("You are about to delete the "%s" page.\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>712 <td><?php if ( current_user_can('edit_page', $id) ) { echo "<a href='" . wp_nonce_url("page.php?action=delete&post=$id", 'delete-page_' . $id) . "' class='delete' onclick=\"return deleteSomething( 'page', " . $id . ", '" . sprintf(__("You are about to delete the "%s" page.\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td> 713 713 </tr> 714 714 715 715 <?php -
wp-admin/edit-page-form.php
10 10 $form_extra = "<input type='hidden' id='post_ID' name='temp_ID' value='$temp_ID' />"; 11 11 } else { 12 12 $form_action = 'editpost'; 13 $nonce_action = 'update-page ' . $post_ID;13 $nonce_action = 'update-page_' . $post_ID; 14 14 $form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />"; 15 15 } 16 16 -
wp-admin/comment.php
51 51 $comment = (int) $_GET['comment']; 52 52 $p = (int) $_GET['p']; 53 53 $formaction = 'confirmdeletecomment' == $action ? 'deletecomment' : 'approvecomment'; 54 $nonce_action = 'confirmdeletecomment' == $action ? 'delete-comment ' : 'approve-comment';54 $nonce_action = 'confirmdeletecomment' == $action ? 'delete-comment_' : 'approve-comment_'; 55 55 $nonce_action .= $comment; 56 56 57 57 if ( ! $comment = get_comment($comment) ) … … 93 93 94 94 case 'deletecomment': 95 95 $comment = (int) $_REQUEST['comment']; 96 check_admin_referer('delete-comment ' . $comment);96 check_admin_referer('delete-comment_' . $comment); 97 97 98 98 $p = (int) $_REQUEST['p']; 99 99 if ( isset($_REQUEST['noredir']) ) { … … 126 126 127 127 case 'unapprovecomment': 128 128 $comment = (int) $_GET['comment']; 129 check_admin_referer('unapprove-comment ' . $comment);129 check_admin_referer('unapprove-comment_' . $comment); 130 130 131 131 $p = (int) $_GET['p']; 132 132 if (isset($_GET['noredir'])) { … … 153 153 154 154 case 'approvecomment': 155 155 $comment = (int) $_GET['comment']; 156 check_admin_referer('approve-comment ' . $comment);156 check_admin_referer('approve-comment_' . $comment); 157 157 158 158 $p = (int) $_GET['p']; 159 159 if (isset($_GET['noredir'])) { -
wp-admin/edit-link-form.php
3 3 $heading = __('Edit Bookmark'); 4 4 $submit_text = __('Save Changes »'); 5 5 $form = '<form name="editlink" id="editlink" method="post" action="link.php">'; 6 $nonce_action = 'update-bookmark ' . $link_id;6 $nonce_action = 'update-bookmark_' . $link_id; 7 7 } else { 8 8 $heading = __('Create Bookmark'); 9 9 $submit_text = __('Add Bookmark »'); -
wp-admin/edit-form-advanced.php
26 26 } else { 27 27 $form_action = 'editpost'; 28 28 $form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />"; 29 wp_nonce_field('update-post ' . $post_ID);29 wp_nonce_field('update-post_' . $post_ID); 30 30 } 31 31 32 32 $form_pingback = '<input type="hidden" name="post_pingback" value="' . get_option('default_pingback_flag') . '" id="post_pingback" />'; … … 220 220 221 221 </div> 222 222 223 <?php if ('edit' == $action) : $delete_nonce = wp_create_nonce( 'delete-post ' . $post_ID ); ?>223 <?php if ('edit' == $action) : $delete_nonce = wp_create_nonce( 'delete-post_' . $post_ID ); ?> 224 224 <input name="deletepost" class="button" type="submit" id="deletepost" tabindex="10" value="<?php _e('Delete this post') ?>" <?php echo "onclick=\"if ( confirm('" . sprintf(__("You are about to delete this post \'%s\'\\n \'Cancel\' to stop, \'OK\' to delete."), addslashes($post->post_title) ) . "') ) { document.forms.post._wpnonce.value = '$delete_nonce'; return true;}\""; ?> /> 225 225 <?php endif; ?> 226 226 -
wp-admin/plugins.php
3 3 4 4 if ( isset($_GET['action']) ) { 5 5 if ('activate' == $_GET['action']) { 6 check_admin_referer('activate-plugin ' . $_GET['plugin']);6 check_admin_referer('activate-plugin_' . $_GET['plugin']); 7 7 $current = get_settings('active_plugins'); 8 8 if (!in_array($_GET['plugin'], $current)) { 9 9 $current[] = trim( $_GET['plugin'] ); … … 14 14 } 15 15 header('Location: plugins.php?activate=true'); 16 16 } else if ('deactivate' == $_GET['action']) { 17 check_admin_referer('deactivate-plugin ' . $_GET['plugin']);17 check_admin_referer('deactivate-plugin_' . $_GET['plugin']); 18 18 $current = get_settings('active_plugins'); 19 19 array_splice($current, array_search( $_GET['plugin'], $current), 1 ); // Array-fu! 20 20 update_option('active_plugins', $current); … … 100 100 $style = ('class="alternate"' == $style|| 'class="alternate active"' == $style) ? '' : 'alternate'; 101 101 102 102 if (!empty($current_plugins) && in_array($plugin_file, $current_plugins)) { 103 $action = "<a href='" . wp_nonce_url("plugins.php?action=deactivate&plugin=$plugin_file", 'deactivate-plugin ' . $plugin_file) . "' title='".__('Deactivate this plugin')."' class='delete'>".__('Deactivate')."</a>";103 $action = "<a href='" . wp_nonce_url("plugins.php?action=deactivate&plugin=$plugin_file", 'deactivate-plugin_' . $plugin_file) . "' title='".__('Deactivate this plugin')."' class='delete'>".__('Deactivate')."</a>"; 104 104 $plugin_data['Title'] = "<strong>{$plugin_data['Title']}</strong>"; 105 105 $style .= $style == 'alternate' ? ' active' : 'active'; 106 106 } else { 107 $action = "<a href='" . wp_nonce_url("plugins.php?action=activate&plugin=$plugin_file", 'activate-plugin ' . $plugin_file) . "' title='".__('Activate this plugin')."' class='edit'>".__('Activate')."</a>";107 $action = "<a href='" . wp_nonce_url("plugins.php?action=activate&plugin=$plugin_file", 'activate-plugin_' . $plugin_file) . 
"' title='".__('Activate this plugin')."' class='edit'>".__('Activate')."</a>"; 108 108 } 109 109 $plugin_data['Description'] = wp_kses($plugin_data['Description'], array('a' => array('href' => array(),'title' => array()),'abbr' => array('title' => array()),'acronym' => array('title' => array()),'code' => array(),'em' => array(),'strong' => array()) ); ; 110 110 if ($style != '') $style = 'class="' . $style . '"'; -
wp-admin/edit.php
211 211 212 212 case 'control_delete': 213 213 ?> 214 <td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href='" . wp_nonce_url("post.php?action=delete&post=$id", 'delete-post ' . $post->ID) . "' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), js_escape(get_the_title()) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>214 <td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href='" . wp_nonce_url("post.php?action=delete&post=$id", 'delete-post_' . $post->ID) . "' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), js_escape(get_the_title()) ) . "' );\">" . __('Delete') . "</a>"; } ?></td> 215 215 <?php 216 216 break; 217 217 … … 273 273 <?php 274 274 if ( current_user_can('edit_post', $comment->comment_post_ID) ) { 275 275 echo " <a href='comment.php?action=editcomment&comment=".$comment->comment_ID."\'>" . __('Edit') . '</a>'; 276 echo ' | <a href="' . wp_nonce_url('comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'delete-comment ' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), js_escape($comment->comment_author)) . "' );\">" . __('Delete') . '</a> ';276 echo ' | <a href="' . wp_nonce_url('comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'delete-comment_' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), js_escape($comment->comment_author)) . "' );\">" . __('Delete') . 
'</a> '; 277 277 if ( ('none' != $comment_status) && ( current_user_can('moderate_comments') ) ) { 278 echo '<span class="unapprove"> | <a href="' . wp_nonce_url('comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'unapprove-comment ' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>';279 echo '<span class="approve"> | <a href="' . wp_nonce_url('comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'approve-comment ' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>';278 echo '<span class="unapprove"> | <a href="' . wp_nonce_url('comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'unapprove-comment_' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>'; 279 echo '<span class="approve"> | <a href="' . wp_nonce_url('comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'approve-comment_' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>'; 280 280 } 281 echo " | <a href=\"" . wp_nonce_url("comment.php?action=deletecomment&delete_type=spam&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID, 'delete-comment ' . $comment->comment_ID) . "\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), js_escape( $comment->comment_author)) . "' );\">" . __('Spam') . "</a> ]";281 echo " | <a href=\"" . 
wp_nonce_url("comment.php?action=deletecomment&delete_type=spam&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID, 'delete-comment_' . $comment->comment_ID) . "\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), js_escape( $comment->comment_author)) . "' );\">" . __('Spam') . "</a> ]"; 282 282 } // end if any comments to show 283 283 ?> 284 284 </p> -
wp-admin/link.php
81 81 82 82 case 'save' : 83 83 $link_id = (int) $_POST['link_id']; 84 check_admin_referer('update-bookmark ' . $link_id);84 check_admin_referer('update-bookmark_' . $link_id); 85 85 86 86 edit_link($link_id); 87 87 … … 91 91 92 92 case 'delete' : 93 93 $link_id = (int) $_GET['link_id']; 94 check_admin_referer('delete-bookmark ' . $link_id);94 check_admin_referer('delete-bookmark_' . $link_id); 95 95 96 96 if (!current_user_can('manage_links')) 97 97 die(__("Cheatin' uh ?")); -
wp-admin/profile.php
19 19 <div class="wrap"> 20 20 <h2><?php _e('Your Profile and Personal Options'); ?></h2> 21 21 <form name="profile" id="your-profile" action="profile-update.php" method="post"> 22 <?php wp_nonce_field('update-profile ' . $user_ID) ?>22 <?php wp_nonce_field('update-profile_' . $user_ID) ?> 23 23 <p> 24 24 <input type="hidden" name="from" value="profile" /> 25 25 <input type="hidden" name="checkuser_id" value="<?php echo $user_ID ?>" /> -
wp-admin/user-edit.php
32 32 33 33 case 'update': 34 34 35 check_admin_referer('update-user ' . $user_id);35 check_admin_referer('update-user_' . $user_id); 36 36 37 37 if (!current_user_can('edit_users')) 38 38 $errors = new WP_Error('head', __('You do not have permission to edit this user.')); … … 74 74 <h2><?php _e('Edit User'); ?></h2> 75 75 76 76 <form name="profile" id="your-profile" action="user-edit.php" method="post"> 77 <?php wp_nonce_field('update-user ' . $user_ID) ?>77 <?php wp_nonce_field('update-user_' . $user_ID) ?> 78 78 <p> 79 79 <input type="hidden" name="from" value="profile" /> 80 80 <input type="hidden" name="checkuser_id" value="<?php echo $user_ID ?>" /> -
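Review bot: New line 35 verifies `'update-user_' . $user_id` while the form on new line 77 issues `'update-user_' . $user_ID`; PHP variables are case-sensitive, so unless both names hold the same value in this file the nonce the form sends can never match the one checked, and if `$user_ID` is the logged-in user while `$user_id` is the user being edited, the nonce binds to the wrong identity. The mismatch predates the patch, but the rename touches both lines, so it is the moment to use one variable on both, e.g. `<?php wp_nonce_field('update-user_' . $user_id) ?>` on line 77, after confirming which of the two holds the edited user's id. Both the `switch` and the form extend beyond this section.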
wp-admin/edit-category-form.php
4 4 $submit_text = __('Edit Category »'); 5 5 $form = '<form name="editcat" id="editcat" method="post" action="categories.php">'; 6 6 $action = 'editedcat'; 7 $nonce_action = 'update-category ' . $cat_ID;7 $nonce_action = 'update-category_' . $cat_ID; 8 8 } else { 9 9 $heading = __('Add Category'); 10 10 $submit_text = __('Add Category »'); … … 45 45 <p class="submit"><input type="submit" name="submit" value="<?php echo $submit_text ?>" /></p> 46 46 <div id="ajax-response"></div> 47 47 </form> 48 </div> 49 No newline at end of file 48 </div> -
wp-admin/link-manager.php
176 176 <?php 177 177 178 178 echo '<td><a href="link.php?link_id='.$link->link_id.'&action=edit" class="edit">'.__('Edit').'</a></td>'; 179 echo '<td><a href="' . wp_nonce_url('link.php?link_id='.$link->link_id.'&action=delete', 'delete-bookmark ' . $link->link_id ) . '"'." class='delete' onclick=\"return deleteSomething( 'link', $link->link_id , '".sprintf(__("You are about to delete the "%s" bookmark to %s.\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($link->link_name, 1), wp_specialchars($link->link_url)).'\' );" class="delete">'.__('Delete').'</a></td>';179 echo '<td><a href="' . wp_nonce_url('link.php?link_id='.$link->link_id.'&action=delete', 'delete-bookmark_' . $link->link_id ) . '"'." class='delete' onclick=\"return deleteSomething( 'link', $link->link_id , '".sprintf(__("You are about to delete the "%s" bookmark to %s.\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($link->link_name, 1), wp_specialchars($link->link_url)).'\' );" class="delete">'.__('Delete').'</a></td>'; 180 180 echo '<td align="center"><input type="checkbox" name="linkcheck[]" value="'.$link->link_id.'" /></td>'; 181 181 echo "\n </tr>\n"; 182 182 } -
wp-admin/page.php
76 76 77 77 case 'editattachment': 78 78 $page_id = $post_ID = (int) $_POST['post_ID']; 79 check_admin_referer('update-attachment ' . $page_id);79 check_admin_referer('update-attachment_' . $page_id); 80 80 81 81 // Don't let these be changed 82 82 unset($_POST['guid']); … … 93 93 94 94 case 'editpost': 95 95 $page_ID = (int) $_POST['post_ID']; 96 check_admin_referer('update-page ' . $page_ID);96 check_admin_referer('update-page_' . $page_ID); 97 97 98 98 $page_ID = edit_post(); 99 99 … … 119 119 120 120 case 'delete': 121 121 $page_id = (isset($_GET['post'])) ? intval($_GET['post']) : intval($_POST['post_ID']); 122 check_admin_referer('delete-page ' . $page_id);122 check_admin_referer('delete-page_' . $page_id); 123 123 124 124 $page = & get_post($page_id); 125 125 -
wp-admin/plugin-editor.php
34 34 35 35 case 'update': 36 36 37 check_admin_referer('edit-plugin ' . $file);37 check_admin_referer('edit-plugin_' . $file); 38 38 39 39 if ( !current_user_can('edit_plugins') ) 40 40 die('<p>'.__('You have do not have sufficient permissions to edit templates for this blog.').'</p>'); … … 97 97 </div> 98 98 <?php if (!$error) { ?> 99 99 <form name="template" id="template" action="plugin-editor.php" method="post"> 100 <?php wp_nonce_field('edit-plugin ' . $file) ?>100 <?php wp_nonce_field('edit-plugin_' . $file) ?> 101 101 <div><textarea cols="70" rows="25" name="newcontent" id="newcontent" tabindex="1"><?php echo $content ?></textarea> 102 102 <input type="hidden" name="action" value="update" /> 103 103 <input type="hidden" name="file" value="<?php echo $file ?>" /> -
wp-admin/themes.php
2 2 require_once('admin.php'); 3 3 4 4 if ( isset($_GET['action']) ) { 5 check_admin_referer('switch-theme ' . $_GET['template']);5 check_admin_referer('switch-theme_' . $_GET['template']); 6 6 7 7 if ('activate' == $_GET['action']) { 8 8 if ( isset($_GET['template']) ) … … 69 69 $author = $themes[$theme_name]['Author']; 70 70 $screenshot = $themes[$theme_name]['Screenshot']; 71 71 $stylesheet_dir = $themes[$theme_name]['Stylesheet Dir']; 72 $activate_link = wp_nonce_url("themes.php?action=activate&template=$template&stylesheet=$stylesheet", 'switch-theme ' . $template);72 $activate_link = wp_nonce_url("themes.php?action=activate&template=$template&stylesheet=$stylesheet", 'switch-theme_' . $template); 73 73 ?> 74 74 <div class="available-theme"> 75 75 <h3><a href="<?php echo $activate_link; ?>"><?php echo "$title $version"; ?></a></h3> -
wp-admin/categories.php
36 36 37 37 case 'delete': 38 38 $cat_ID = (int) $_GET['cat_ID']; 39 check_admin_referer('delete-category ' . $cat_ID);39 check_admin_referer('delete-category_' . $cat_ID); 40 40 41 41 if ( !current_user_can('manage_categories') ) 42 42 die (__('Cheatin’ uh?')); … … 67 67 68 68 case 'editedcat': 69 69 $cat_ID = (int) $_POST['cat_ID']; 70 check_admin_referer('update-category ' . $cat_ID);70 check_admin_referer('update-category_' . $cat_ID); 71 71 72 72 if ( !current_user_can('manage_categories') ) 73 73 die (__('Cheatin’ uh?'));