Changeset 20925


Timestamp:
05/26/2012 04:08:44 AM (8 years ago)
Author:
koopersmith
Message:

Theme Customizer: Add a signature to preview requests to be super-double-ultra-sure that the customizer generated the preview. Redirects can be sneaky. fixes #20507, see #19910.

Location:
trunk/wp-includes
Files:
2 edited

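--- a/trunk/wp-includes/class-wp-customize-manager.php
+++ b/trunk/wp-includes/class-wp-customize-manager.php
@@ -265,4 +265,5 @@
         add_action( 'wp_head', array( $this, 'customize_preview_base' ) );
         add_action( 'wp_footer', array( $this, 'customize_preview_settings' ), 20 );
+        add_action( 'shutdown', array( $this, 'customize_preview_signature' ), 1000 );
 
         foreach ( $this->settings as $setting ) {
@@ -301,4 +302,13 @@
         </script>
         <?php
+    }
+
+    /**
+     * Prints a signature so we can ensure the customizer was properly executed.
+     *
+     * @since 3.4.0
+     */
+    public function customize_preview_signature() {
+        echo 'WP_CUSTOMIZER_SIGNATURE';
     }
 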
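Review bot: `customize_preview_signature()` echoes a fixed, publicly known literal, so its presence shows only that this shutdown callback ran, not that the response is authentic; any same-origin response that ends with the same string would satisfy the client-side check. If the signature is meant as more than a completeness marker, a per-request value shared with the controls would be harder to reproduce; otherwise the docblock should say so, e.g. `* This is a fixed marker, not a secret: it indicates the preview ran to shutdown, nothing more.` The `shutdown` hook is registered with no visible check on the response type, so non-HTML output produced during a preview request would presumably get the literal appended too; the registering function starts outside the hunk, so that needs confirming against the full method.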
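--- a/trunk/wp-includes/js/customize-controls.dev.js
+++ b/trunk/wp-includes/js/customize-controls.dev.js
@@ -406,5 +406,7 @@
                 success: function( response ) {
                     var iframe = self.loader()[0].contentWindow,
-                        location = self.request.getResponseHeader('Location');
+                        location = self.request.getResponseHeader('Location'),
+                        signature = 'WP_CUSTOMIZER_SIGNATURE',
+                        index;
 
                     // Check if the location response header differs from the current URL.
@@ -414,4 +416,12 @@
                         return;
                     }
+
+                    // Check for a signature in the request.
+                    index = response.lastIndexOf( signature );
+                    if ( -1 === index || index < response.lastIndexOf('</html>') )
+                        return;
+
+                    // Strip the signature from the request.
+                    response = response.slice( 0, index ) + response.slice( index + signature.length );
 
                     self.loader().one( 'load', self.loaded );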
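Review bot: The position check `index < response.lastIndexOf('</html>')` passes whenever the response contains no `</html>` at all, because the right-hand side is then -1 and any found index is larger; a response that merely has the signature somewhere in its body is accepted and rendered. Requiring the closing tag closes that gap: `var end = response.lastIndexOf('</html>');` followed by `if ( -1 === index || -1 === end || index < end ) return;`, with the caveat that the match is case-sensitive, so a theme that omits or upper-cases the tag would then be rejected. The bare `return` also fails silently, so a rejected response presumably leaves the previous preview in place with no indication why; a comment stating that this is intentional would help. The two comments say "signature in the request" where the value inspected is the response. The `success` callback starts and ends outside the hunk.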