
Changeset 20925


Timestamp:
05/26/12 04:08:44 (23 months ago)
Author:
koopersmith
Message:

Theme Customizer: Add a signature to preview requests to be super-double-ultra-sure that the customizer generated the preview. Redirects can be sneaky. fixes #20507, see #19910.

Location:
trunk/wp-includes
Files:
2 edited

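--- a/trunk/wp-includes/class-wp-customize-manager.php
+++ b/trunk/wp-includes/class-wp-customize-manager.php
@@ -265,4 +265,5 @@
         add_action( 'wp_head', array( $this, 'customize_preview_base' ) );
         add_action( 'wp_footer', array( $this, 'customize_preview_settings' ), 20 );
+        add_action( 'shutdown', array( $this, 'customize_preview_signature' ), 1000 );
 
         foreach ( $this->settings as $setting ) {
@@ -301,4 +302,13 @@
         </script>
         <?php
+    }
+
+    /**
+     * Prints a signature so we can ensure the customizer was properly executed.
+     *
+     * @since 3.4.0
+     */
+    public function customize_preview_signature() {
+        echo 'WP_CUSTOMIZER_SIGNATURE';
     }
 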
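Review bot: `customize_preview_signature()` echoes a fixed literal that is identical on every site and request, so the marker shows only that the preview hooks ran through `shutdown`; it does not authenticate who produced the body. Any response that happens to carry the same literal after its closing tag would satisfy the client-side check, so the docblock should say so, e.g. `* The marker is a constant, not a secret; it detects a preview that did not run, not a forged response.` If stronger assurance is wanted, a per-request value handed to the controls script and echoed here would be the direction, though that needs a matching change in customize-controls.dev.js. The method that registers the `shutdown` hook starts outside the hunk, so whether the echo is limited to HTML preview responses cannot be confirmed from here.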
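--- a/trunk/wp-includes/js/customize-controls.dev.js
+++ b/trunk/wp-includes/js/customize-controls.dev.js
@@ -406,5 +406,7 @@
                 success: function( response ) {
                     var iframe = self.loader()[0].contentWindow,
-                        location = self.request.getResponseHeader('Location');
+                        location = self.request.getResponseHeader('Location'),
+                        signature = 'WP_CUSTOMIZER_SIGNATURE',
+                        index;
 
                     // Check if the location response header differs from the current URL.
@@ -414,4 +416,12 @@
                         return;
                     }
+
+                    // Check for a signature in the request.
+                    index = response.lastIndexOf( signature );
+                    if ( -1 === index || index < response.lastIndexOf('</html>') )
+                        return;
+
+                    // Strip the signature from the request.
+                    response = response.slice( 0, index ) + response.slice( index + signature.length );
 
                     self.loader().one( 'load', self.loaded );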
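Review bot: The position test in the added `if` compares `index` with `response.lastIndexOf('</html>')`, which is -1 when the body has no lowercase `</html>`, so in that case the marker is accepted wherever it appears in the response. Since the PHP side prints it at `shutdown`, the check could require it at the tail instead, e.g. `if ( -1 === index || '' !== response.slice( index + signature.length ).replace( /\s+$/, '' ) ) return;`, assuming no other shutdown output is expected after it. The two new comments say "request" where the code inspects the response body, and the unbraced `if` would be less fragile with braces. The `success` callback starts and ends outside the hunk.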