- Timestamp:
- 08/05/2014 06:49:22 AM (10 years ago)
- File:
-
- 1 edited
trunk/src/wp-includes/class-wp-customize-widgets.php
r29159 r29377 1151 1151 1152 1152 /** 1153 * Get a widget instance's hash key. 1154 * 1155 * Serialize an instance and hash it with the AUTH_KEY; when a JS value is 1156 * posted back to save, this instance hash key is used to ensure that the 1157 * serialized_instance was not tampered with, but that it had originated 1158 * from WordPress and so is sanitized. 1153 * Get MAC for a serialized widget instance string. 1154 * 1155 * Allows values posted back from JS to be rejected if any tampering of the 1156 * data has occurred. 1159 1157 * 1160 1158 * @since 3.9.0 1161 1159 * @access protected 1162 1160 * 1163 * @param array $instance Widget instance.1164 * @return string Widget instance's hash key.1165 */ 1166 protected function get_instance_hash_key( $ instance ) {1167 return wp_hash( serialize( $instance ));1161 * @param string $serialized_instance Widget instance. 1162 * @return string MAC for serialized widget instance. 1163 */ 1164 protected function get_instance_hash_key( $serialized_instance ) { 1165 return wp_hash( $serialized_instance ); 1168 1166 } 1169 1167 … … 1193 1191 1194 1192 $decoded = base64_decode( $value['encoded_serialized_instance'], true ); 1195 1196 1193 if ( false === $decoded ) { 1197 1194 return null; 1198 1195 } 1196 1197 if ( $this->get_instance_hash_key( $decoded ) !== $value['instance_hash_key'] ) { 1198 return null; 1199 } 1200 1199 1201 $instance = unserialize( $decoded ); 1200 1201 1202 if ( false === $instance ) { 1202 1203 return null; 1203 1204 } 1204 if ( $this->get_instance_hash_key( $instance ) !== $value['instance_hash_key'] ) { 1205 return null; 1206 } 1205 1207 1206 return $instance; 1208 1207 } … … 1225 1224 'title' => empty( $value['title'] ) ? '' : $value['title'], 1226 1225 'is_widget_customizer_js_value' => true, 1227 'instance_hash_key' => $this->get_instance_hash_key( $ value),1226 'instance_hash_key' => $this->get_instance_hash_key( $serialized ), 1228 1227 ); 1229 1228 }
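Review bot: The MAC check that now runs before unserialize() (new lines 1197-1199) compares the two strings with `!==`, which is not constant-time, so the hash key that guards object injection is itself checked with an early-exit comparison; a timing-safe compare is the usual fix, `if ( ! hash_equals( $this->get_instance_hash_key( $decoded ), $value['instance_hash_key'] ) ) {`. hash_equals() is native only from PHP 5.6 and raises a warning when either operand is not a string, so on the PHP versions core supported at the time it presumably needs the project's compat polyfill and an `isset( $value['instance_hash_key'] )` guard ahead of it — confirm what the enclosing function, which begins and ends outside this hunk, already validates. Moving the check ahead of unserialize() is the right ordering; the new docblock on get_instance_hash_key() could say so explicitly, e.g. `@param string $serialized_instance Serialized widget instance; hash before unserializing it so tampered payloads are never unserialized.`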