

Timestamp:
03/30/2016 06:40:18 PM (9 years ago)
Author:
jorbin
Message:

Add Nonce to updating wporg_favorites user meta field

Merges [37145] to the 4.4 branch

Location:
branches/4.4
Files:
2 edited


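--- a/branches/4.4/src/wp-admin/theme-install.php
+++ b/branches/4.4/src/wp-admin/theme-install.php
@@ -149,11 +149,17 @@
         <div class="favorites-form">
             <?php
-            $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
-            update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+            $action = 'save_wporg_username_' . get_current_user_id();
+            if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), $action ) ) {
+                $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+                update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+            } else {
+                $user = get_user_option( 'wporg_favorites' );
+            }
             ?>
             <p class="install-help"><?php _e( 'If you have marked themes as favorites on WordPress.org, you can browse them here.' ); ?></p>
 
             <p>
                 <label for="user"><?php _e( 'Your WordPress.org username:' ); ?></label>
+                <input type="hidden" id="wporg-username-nonce" name="_wpnonce" value="<?php echo esc_attr( wp_create_nonce( $action ) ); ?>" />
                 <input type="search" id="wporg-username-input" value="<?php echo esc_attr( $user ); ?>" />
                 <input type="button" class="button button-secondary favorites-form-submit" value="<?php esc_attr_e( 'Get Favorites' ); ?>" />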
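Review bot: The nonce now guards the write, but the value passed to `update_user_meta( get_current_user_id(), 'wporg_favorites', $user )` is still the raw `$_GET['user']` after only `wp_unslash()`, and nothing in this hunk sanitizes it before it is persisted as user meta. The immediate echo goes through `esc_attr()`, so the rendered input is safe, but the stored value is read back by the `else` branch on later requests and a WordPress.org username has no reason to carry tags, newlines or control characters, so consider `$user = isset( $_GET['user'] ) ? sanitize_text_field( wp_unslash( $_GET['user'] ) ) : get_user_option( 'wporg_favorites' );`. The changeset lists two edited files but only this one is shown, so whether the client-side submit actually sends the new `_wpnonce` field cannot be confirmed from this page. The enclosing PHP/HTML block continues outside the hunk.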