Changeset 14730 for trunk/wp-admin/includes/media.php

Timestamp:

05/18/2010 10:08:49 PM (15 years ago)

Author:

markjaquith

Message:

Add nonce protection for setting/removing featured post image. fixes #13438

File:

• trunk/wp-admin/includes/media.php (modified) (1 diff)

trunk/wp-admin/includes/media.php

@@ -1287 +1287 @@
     $calling_post_id = 0;
     if ( isset( $_GET['post_id'] ) )
-        $calling_post_id = $_GET['post_id'];
+        $calling_post_id = absint( $_GET['post_id'] );
     elseif ( isset( $_POST ) && count( $_POST ) ) // Like for async-upload where $_GET['post_id'] isn't set
         $calling_post_id = $post->post_parent;
-    if ( 'image' == $type && $calling_post_id && current_theme_supports( 'post-thumbnails', get_post_type( $calling_post_id ) ) && get_post_thumbnail_id( $calling_post_id ) != $attachment_id )
-        $thumbnail = "<a class='wp-post-thumbnail' id='wp-post-thumbnail-" . $attachment_id . "' href='#' onclick='WPSetAsThumbnail(\"$attachment_id\");return false;'>" . esc_html__( "Use as featured image" ) . "</a>";
+    if ( 'image' == $type && $calling_post_id && current_theme_supports( 'post-thumbnails', get_post_type( $calling_post_id ) ) && get_post_thumbnail_id( $calling_post_id ) != $attachment_id ) {
+        $ajax_nonce = wp_create_nonce( "set_post_thumbnail-$calling_post_id" );
+        $thumbnail = "<a class='wp-post-thumbnail' id='wp-post-thumbnail-" . $attachment_id . "' href='#' onclick='WPSetAsThumbnail(\"$attachment_id\", \"$ajax_nonce\");return false;'>" . esc_html__( "Use as featured image" ) . "</a>";
+    }
 
     if ( ( $send || $thumbnail || $delete ) && !isset( $form_fields['buttons'] ) )