Changeset 3759
- Timestamp:
- 05/02/2006 10:36:06 PM (19 years ago)
- Location:
- trunk/wp-admin
- Files:
-
- 30 edited
trunk/wp-admin/admin-functions.php
r3754 r3759 710 710 <td><a href="<?php the_permalink(); ?>" rel="permalink" class="edit"><?php _e('View'); ?></a></td> 711 711 <td><?php if ( current_user_can('edit_page', $id) ) { echo "<a href='page.php?action=edit&post=$id' class='edit'>" . __('Edit') . "</a>"; } ?></td> 712 <td><?php if ( current_user_can('edit_page', $id) ) { echo "<a href=' page.php?action=delete&post=$id' class='delete' onclick=\"return deleteSomething( 'page', " . $id . ", '" . sprintf(__("You are about to delete the "%s" page.\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>712 <td><?php if ( current_user_can('edit_page', $id) ) { echo "<a href='" . wp_nonce_url("page.php?action=delete&post=$id", 'delete-page' . $id) . "' class='delete' onclick=\"return deleteSomething( 'page', " . $id . ", '" . sprintf(__("You are about to delete the "%s" page.\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td> 713 713 </tr> 714 714 -
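Review bot: The nonce is attached only to the href of the Delete link at line 712, while a click is first handled by `deleteSomething( 'page', … )` in the onclick; if that script issues its own request (its handler is not among the files in this changeset), that request carries no nonce, so the endpoint it hits is either still unprotected or, if it was also given a check_admin_referer, now rejects it. Worth confirming that the script forwards the nonce, for example by taking it from the link's href. The same question applies to the nonced action links in edit.php, edit-comments.php and link-manager.php.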
trunk/wp-admin/categories.php
r3728 r3759 25 25 case 'addcat': 26 26 27 check_admin_referer( );27 check_admin_referer('add-category'); 28 28 29 29 if ( !current_user_can('manage_categories') ) … … 36 36 37 37 case 'delete': 38 39 check_admin_referer( );38 $cat_ID = (int) $_GET['cat_ID']; 39 check_admin_referer('delete-category' . $cat_ID); 40 40 41 41 if ( !current_user_can('manage_categories') ) 42 42 die (__('Cheatin’ uh?')); 43 43 44 $cat_ID = (int) $_GET['cat_ID'];45 44 $cat_name = get_catname($cat_ID); 46 45 … … 68 67 <h2><?php _e('Edit Category') ?></h2> 69 68 <form name="editcat" action="categories.php" method="post"> 69 <?php wp_nonce_field('update-category' . $category->cat_ID); ?> 70 70 <table class="editform" width="100%" cellspacing="2" cellpadding="5"> 71 71 <tr> … … 100 100 101 101 case 'editedcat': 102 check_admin_referer(); 102 $cat_ID = (int) $_POST['cat_ID']; 103 check_admin_referer('update-category' . $cat_ID); 103 104 104 105 if ( !current_user_can('manage_categories') ) … … 158 159 <h2><?php _e('Add New Category') ?></h2> 159 160 <form name="addcat" id="addcat" action="categories.php" method="post"> 161 <?php wp_nonce_field('add-category'); ?> 160 162 <div class="alignleft"><?php _e('Name:') ?><br /> 161 163 <input type="text" name="cat_name" id="cat_name" value="" /></p> -
trunk/wp-admin/comment.php
r3721 r3759 90 90 91 91 case 'deletecomment': 92 93 check_admin_referer();94 95 92 $comment = (int) $_REQUEST['comment']; 93 check_admin_referer('delete-comment' . $comment); 94 96 95 $p = (int) $_REQUEST['p']; 97 96 if ( isset($_REQUEST['noredir']) ) { … … 124 123 125 124 case 'unapprovecomment': 126 127 check_admin_referer(); 128 129 $comment = (int) $_GET['comment']; 125 $comment = (int) $_GET['comment']; 126 check_admin_referer('unapprove-comment' . $comment); 127 130 128 $p = (int) $_GET['p']; 131 129 if (isset($_GET['noredir'])) { … … 152 150 153 151 case 'approvecomment': 154 155 check_admin_referer(); 156 157 $comment = (int) $_GET['comment']; 152 $comment = (int) $_GET['comment']; 153 check_admin_referer('approve-comment' . $comment); 154 158 155 $p = (int) $_GET['p']; 159 156 if (isset($_GET['noredir'])) { … … 185 182 case 'editedcomment': 186 183 187 check_admin_referer( );184 check_admin_referer('update-comment'); 188 185 189 186 edit_comment(); -
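Review bot: The 'editedcomment' case at line 184 checks `check_admin_referer('update-comment')` with no comment ID, but edit-form-comment.php line 9 emits `wp_nonce_field('update-comment' . $comment->comment_ID)`, so the two action strings never match and every comment edit submission will be rejected. Read the ID first and bind to it as the other cases in this file now do: `$comment_ID = (int) $_POST['comment_ID'];` followed by `check_admin_referer('update-comment' . $comment_ID);` — the hidden field is presumably named comment_ID, which should be confirmed against the form, as it is outside the visible hunk. The switch containing these cases starts and ends outside the hunk.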
trunk/wp-admin/edit-comments.php
r3722 r3759 52 52 <?php 53 53 if ( !empty( $_POST['delete_comments'] ) ) : 54 check_admin_referer( );54 check_admin_referer('bulk-comments'); 55 55 56 56 $i = 0; … … 120 120 if ( current_user_can('edit_post', $comment->comment_post_ID) ) { 121 121 echo " <a href='comment.php?action=editcomment&comment=".$comment->comment_ID."\'>" . __('Edit') . '</a>'; 122 echo ' | <a href=" comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID. '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete') . '</a> ';122 echo ' | <a href="' . wp_nonce_url('comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'delete-comment' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete') . '</a> '; 123 123 if ( ('none' != $comment_status) && ( current_user_can('moderate_comments') ) ) { 124 echo '<span class="unapprove"> | <a href=" comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID. '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>';125 echo '<span class="approve"> | <a href=" comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID. '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>';124 echo '<span class="unapprove"> | <a href="' . wp_nonce_url('comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'unapprove-comment' . $comment->comment_ID) . 
'" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>'; 125 echo '<span class="approve"> | <a href="' . wp_nonce_url('comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'approve-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>'; 126 126 } 127 127 echo " | <a href=\"comment.php?action=deletecomment&delete_type=spam&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), wp_specialchars( $comment->comment_author, 1 )) . "' );\">" . __('Spam') . "</a> "; … … 151 151 152 152 if ($comments) { 153 echo '<form name="deletecomments" id="deletecomments" action="" method="post"> 154 <table width="100%" cellpadding="3" cellspacing="3"> 153 echo '<form name="deletecomments" id="deletecomments" action="" method="post"> '; 154 wp_nonce_field('bulk-comments'); 155 echo '<table width="100%" cellpadding="3" cellspacing="3"> 155 156 <tr> 156 157 <th scope="col">*</th> -
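Review bot: The Spam link at line 127 still points at `comment.php?action=deletecomment&delete_type=spam…` without a nonce, yet comment.php's 'deletecomment' case now runs `check_admin_referer('delete-comment' . $comment)`, so marking a comment as spam from this screen will fail the referer check. edit.php line 281 wraps the same link in `wp_nonce_url(…, 'delete-comment' . $comment->comment_ID)` and this file needs the identical change. Since that check does not look at delete_type, the one nonce action covers both delete and spam.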
trunk/wp-admin/edit-form-advanced.php
r3664 r3759 23 23 $temp_ID = -1 * time(); 24 24 $form_extra = "<input type='hidden' id='post_ID' name='temp_ID' value='$temp_ID' />"; 25 wp_nonce_field('add-post'); 25 26 } else { 26 27 $form_action = 'editpost'; 27 28 $form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />"; 29 wp_nonce_field('update-post' . $post_ID); 28 30 } 29 31 … … 174 176 if (current_user_can('upload_files')) { 175 177 $uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID); 176 $uploading_iframe_src = "inline-uploading.php?action=view&post=$uploading_iframe_ID";178 $uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&post=$uploading_iframe_ID", 'inlineuploading'); 177 179 $uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src); 178 180 if ( false != $uploading_iframe_src ) -
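Review bot: wp_nonce_field() is echoed at lines 25 and 29 from inside the PHP block that computes $form_action, whereas edit-page-form.php and edit-link-form.php only record `$nonce_action` there and print the field after the `<form>` tag. If this block runs before the form tag is output (the tag is not in the hunk), the hidden input lands outside the form and is never submitted, so post.php's 'add-post' and 'update-post' checks would fail for every save. Following the sibling files — `$nonce_action = 'add-post';` and `$nonce_action = 'update-post' . $post_ID;` here, then `wp_nonce_field($nonce_action);` inside the form — keeps the three forms consistent and avoids the question.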
trunk/wp-admin/edit-form-comment.php
r3721 r3759 7 7 8 8 <form name="post" action="comment.php" method="post" id="post"> 9 <?php wp_nonce_field('update-comment' . $comment->comment_ID) ?> 9 10 <div class="wrap"> 10 11 <input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" /> -
trunk/wp-admin/edit-link-form.php
r3729 r3759 3 3 $heading = __('Edit Bookmark'); 4 4 $submit_text = __('Save Changes »'); 5 $form = '<form name="editlink" id="editlink" method="post" action="link.php">'; 5 $form = '<form name="editlink" id="editlink" method="post" action="link.php">'; 6 $nonce_action = 'update-bookmark' . $link_id; 6 7 } else { 7 8 $heading = __('Create Bookmark'); 8 9 $submit_text = __('Add Bookmark »'); 9 10 $form = '<form name="addlink" id="addlink" method="post" action="link.php">'; 11 $nonce_action = 'add-bookmark'; 10 12 } 11 13 … … 32 34 <h2><?php echo $heading ?></h2> 33 35 <?php echo $form ?> 34 36 <?php wp_nonce_field($nonce_action); ?> 37 35 38 <div id="poststuff"> 36 39 <div id="moremeta"> -
trunk/wp-admin/edit-page-form.php
r3664 r3759 6 6 if (0 == $post_ID) { 7 7 $form_action = 'post'; 8 $nonce_action = 'add-page'; 8 9 $temp_ID = -1 * time(); 9 10 $form_extra = "<input type='hidden' id='post_ID' name='temp_ID' value='$temp_ID' />"; 10 11 } else { 11 12 $form_action = 'editpost'; 13 $nonce_action = 'update-page' . $post_ID; 12 14 $form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />"; 13 15 } … … 24 26 25 27 <?php 28 wp_nonce_field($nonce_action); 29 26 30 if (isset($mode) && 'bookmarklet' == $mode) { 27 31 echo '<input type="hidden" name="mode" value="bookmarklet" />'; … … 151 155 if (current_user_can('upload_files')) { 152 156 $uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID); 153 $uploading_iframe_src = "inline-uploading.php?action=view&post=$uploading_iframe_ID";157 $uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&post=$uploading_iframe_ID", 'inlineuploading'); 154 158 $uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src); 155 159 if ( false != $uploading_iframe_src ) -
trunk/wp-admin/edit.php
r3724 r3759 212 212 case 'control_delete': 213 213 ?> 214 <td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href=' post.php?action=delete&post=$id' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>214 <td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href='" . wp_nonce_url("post.php?action=delete&post=$id", 'delete-post' . $post->ID) . "' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td> 215 215 <?php 216 216 break; … … 274 274 if ( current_user_can('edit_post', $comment->comment_post_ID) ) { 275 275 echo " <a href='comment.php?action=editcomment&comment=".$comment->comment_ID."\'>" . __('Edit') . '</a>'; 276 echo ' | <a href=" comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID. '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete') . '</a> ';276 echo ' | <a href="' . wp_nonce_url('comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'delete-comment' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete') . 
'</a> '; 277 277 if ( ('none' != $comment_status) && ( current_user_can('moderate_comments') ) ) { 278 echo '<span class="unapprove"> | <a href=" comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID. '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>';279 echo '<span class="approve"> | <a href=" comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID. '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>';278 echo '<span class="unapprove"> | <a href="' . wp_nonce_url('comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'unapprove-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>'; 279 echo '<span class="approve"> | <a href="' . wp_nonce_url('comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'approve-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>'; 280 280 } 281 echo " | <a href=\" comment.php?action=deletecomment&delete_type=spam&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), wp_specialchars( $comment->comment_author, 1 )) . "' );\">" . __('Spam') . "</a> ]";281 echo " | <a href=\"" . wp_nonce_url("comment.php?action=deletecomment&delete_type=spam&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID, 'delete-comment' . $comment->comment_ID) . "\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . 
sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), wp_specialchars( $comment->comment_author, 1 )) . "' );\">" . __('Spam') . "</a> ]"; 282 282 } // end if any comments to show 283 283 ?> -
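Review bot: The delete link at line 214 builds the URL with `post=$id` but binds the nonce to `$post->ID`; post.php verifies `'delete-post' . $post_id` with $post_id taken from `$_GET['post']`, so the link only works if $id and $post->ID are the same value, which this hunk does not establish. Use one variable for both halves, e.g. `wp_nonce_url("post.php?action=delete&post=$id", 'delete-post' . $id)`. The surrounding loop that sets $post and $id starts outside the hunk.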
trunk/wp-admin/inline-uploading.php
r3665 r3759 3 3 require_once('admin.php'); 4 4 5 check_admin_referer( );5 check_admin_referer('inlineuploading'); 6 6 7 7 header('Content-Type: text/html; charset=' . get_option('blog_charset')); … … 42 42 wp_delete_attachment($attachment); 43 43 44 header("Location: ". basename(__FILE__)."?post=$post&all=$all&action=view&start=$start");44 header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&all=$all&action=view&start=$start", 'inlineuploading')); 45 45 die; 46 46 … … 101 101 } 102 102 103 header("Location: ". basename(__FILE__)."?post=$post&all=$all&action=view&start=0");103 header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&all=$all&action=view&start=0", 'inlineuploading')); 104 104 die(); 105 105 … … 140 140 141 141 if ( count($attachments) == 0 ) { 142 header("Location: ". basename(__FILE__)."?post=$post&action=upload");142 header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&action=upload", 'inlineuploading') ); 143 143 die; 144 144 } elseif ( count($attachments) > $num ) { -
trunk/wp-admin/link-manager.php
r3718 r3759 111 111 112 112 <form id="links" method="post" action="link.php"> 113 <?php wp_nonce_field('bulk-bookmarks') ?> 113 114 <input type="hidden" name="link_id" value="" /> 114 115 <input type="hidden" name="action" value="" /> … … 176 177 177 178 echo '<td><a href="link.php?link_id='.$link->link_id.'&action=edit" class="edit">'.__('Edit').'</a></td>'; 178 echo '<td><a href=" link.php?link_id='.$link->link_id.'&action=delete"'." class='delete' onclick=\"return deleteSomething( 'link', $link->link_id , '".sprintf(__("You are about to delete the "%s" bookmark to %s.\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($link->link_name, 1), wp_specialchars($link->link_url)).'\' );" class="delete">'.__('Delete').'</a></td>';179 echo '<td><a href="' . wp_nonce_url('link.php?link_id='.$link->link_id.'&action=delete', 'delete-bookmark' . $link->link_id ) . '"'." class='delete' onclick=\"return deleteSomething( 'link', $link->link_id , '".sprintf(__("You are about to delete the "%s" bookmark to %s.\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($link->link_name, 1), wp_specialchars($link->link_url)).'\' );" class="delete">'.__('Delete').'</a></td>'; 179 180 echo '<td align="center"><input type="checkbox" name="linkcheck[]" value="'.$link->link_id.'" /></td>'; 180 181 echo "\n </tr>\n"; -
trunk/wp-admin/link.php
r3570 r3759 30 30 switch ($action) { 31 31 case 'deletebookmarks' : 32 check_admin_referer( );32 check_admin_referer('bulk-bookmarks'); 33 33 34 34 // check the current user's level first. … … 54 54 55 55 case 'move' : 56 check_admin_referer( );56 check_admin_referer('bulk-bookmarks'); 57 57 58 58 // check the current user's level first. … … 73 73 74 74 case 'add' : 75 check_admin_referer( );75 check_admin_referer('add-bookmark'); 76 76 77 77 add_link(); … … 81 81 82 82 case 'save' : 83 check_admin_referer(); 83 $link_id = (int) $_POST['link_id']; 84 check_admin_referer('update-bookmark' . $link_id); 84 85 85 $link_id = (int) $_POST['link_id'];86 86 edit_link($link_id); 87 87 … … 91 91 92 92 case 'delete' : 93 check_admin_referer(); 93 $link_id = (int) $_GET['link_id']; 94 check_admin_referer('delete-bookmark' . $link_id); 94 95 95 96 if (!current_user_can('manage_links')) 96 97 die(__("Cheatin' uh ?")); 97 98 $link_id = (int) $_GET['link_id'];99 98 100 99 wp_delete_link($link_id); -
trunk/wp-admin/moderation.php
r3722 r3759 33 33 case 'update': 34 34 35 check_admin_referer( );35 check_admin_referer('moderate-comments'); 36 36 37 37 if ( ! current_user_can('moderate_comments') ) … … 133 133 <h2><?php _e('Moderation Queue') ?></h2> 134 134 <form name="approval" action="moderation.php" method="post"> 135 <?php wp_nonce_field('moderate-comments') ?> 135 136 <input type="hidden" name="action" value="update" /> 136 137 <ol id="the-list" class="commentlist"> -
trunk/wp-admin/options-discussion.php
r3345 r3759 22 22 <h2><?php _e('Discussion Options') ?></h2> 23 23 <form method="post" action="options.php"> 24 <?php wp_nonce_field('update-options') ?> 24 25 <fieldset class="options"> 25 26 <legend><?php _e('Usual settings for an article:<br /><small><em>(These settings may be overridden for individual articles.)</em></small>') ?></legend> -
trunk/wp-admin/options-general.php
r3677 r3759 11 11 <h2><?php _e('General Options') ?></h2> 12 12 <form method="post" action="options.php"> 13 <?php wp_nonce_field('update-options') ?> 13 14 <table class="optiontable"> 14 15 <tr valign="top"> -
trunk/wp-admin/options-misc.php
r3570 r3759 12 12 <h2><?php _e('Miscellaneous Options') ?></h2> 13 13 <form method="post" action="options.php"> 14 14 <?php wp_nonce_field('update-options') ?> 15 15 <fieldset class="options"> 16 16 <legend><?php _e('Uploading'); ?></legend> -
trunk/wp-admin/options-permalink.php
r3665 r3759 58 58 $home_path = get_home_path(); 59 59 60 if ( isset($_POST ) ) {61 check_admin_referer( );60 if ( isset($_POST['permalink_structure']) || isset($_POST['category_base']) ) { 61 check_admin_referer('update-permalink'); 62 62 63 63 if ( isset($_POST['permalink_structure']) ) { … … 118 118 ?> 119 119 <form name="form" action="options-permalink.php" method="post"> 120 <?php wp_nonce_field('update-permalink') ?> 120 121 <h3><?php _e('Common options:'); ?></h3> 121 122 <p> … … 166 167 <p><?php _e('If your <code>.htaccess</code> file were <a href="http://codex.wordpress.org/Make_a_Directory_Writable">writable</a>, we could do this automatically, but it isn’t so these are the mod_rewrite rules you should have in your <code>.htaccess</code> file. Click in the field and press <kbd>CTRL + a</kbd> to select all.') ?></p> 167 168 <form action="options-permalink.php" method="post"> 169 <?php wp_nonce_field('update-permalink') ?> 168 170 <p> 169 171 <textarea rows="5" style="width: 98%;" name="rules"><?php echo $wp_rewrite->mod_rewrite_rules(); ?> -
trunk/wp-admin/options-reading.php
r3583 r3759 11 11 <h2><?php _e('Reading Options') ?></h2> 12 12 <form name="form1" method="post" action="options.php"> 13 <?php wp_nonce_field('update-options') ?> 13 14 14 15 <?php if ( get_pages() ): ?> -
trunk/wp-admin/options-writing.php
r3570 r3759 11 11 <h2><?php _e('Writing Options') ?></h2> 12 12 <form method="post" action="options.php"> 13 <?php wp_nonce_field('update-options') ?> 13 14 <table width="100%" cellspacing="2" cellpadding="5" class="editform"> 14 15 <tr valign="top"> -
trunk/wp-admin/options.php
r3710 r3759 30 30 $any_changed = 0; 31 31 32 check_admin_referer( );32 check_admin_referer('update-options'); 33 33 34 34 if (!$_POST['page_options']) { … … 90 90 <h2><?php _e('All options'); ?></h2> 91 91 <form name="form" action="options.php" method="post"> 92 <?php wp_nonce_field('update-options') ?> 92 93 <input type="hidden" name="action" value="update" /> 93 94 <table width="98%"> -
trunk/wp-admin/page.php
r3674 r3759 25 25 switch($action) { 26 26 case 'post': 27 27 check_admin_referer('add-page'); 28 28 $page_ID = write_post(); 29 29 … … 77 77 case 'editattachment': 78 78 $page_id = $post_ID = (int) $_POST['post_ID']; 79 check_admin_referer('update-attachment' . $page_id); 79 80 80 81 // Don't let these be changed … … 92 93 93 94 case 'editpost': 95 $page_ID = (int) $_POST['post_ID']; 96 check_admin_referer('update-page' . $page_ID); 97 94 98 $page_ID = edit_post(); 95 99 … … 115 119 116 120 case 'delete': 117 check_admin_referer();118 119 121 $page_id = (isset($_GET['post'])) ? intval($_GET['post']) : intval($_POST['post_ID']); 122 check_admin_referer('delete-page' . $page_id); 120 123 121 124 $page = & get_post($page_id); -
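Review bot: The new check at line 79 requires a nonce for `'update-attachment' . $page_id`, but no hunk in this changeset adds a `wp_nonce_field('update-attachment' . …)` to any form, so unless the attachment edit form lives in a file not touched here and already emits it, action=editattachment is now unreachable. post.php line 83 has the same dependency. Either add the field to the form that posts that action or record where it is emitted. The switch begins outside the hunk.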
trunk/wp-admin/plugin-editor.php
r3665 r3759 35 35 case 'update': 36 36 37 check_admin_referer( );37 check_admin_referer('edit-plugin' . $file); 38 38 39 39 if ( !current_user_can('edit_plugins') ) … … 98 98 <?php if (!$error) { ?> 99 99 <form name="template" id="template" action="plugin-editor.php" method="post"> 100 <?php wp_nonce_field('edit-plugin' . $file) ?> 100 101 <div><textarea cols="70" rows="25" name="newcontent" id="newcontent" tabindex="1"><?php echo $content ?></textarea> 101 102 <input type="hidden" name="action" value="update" /> -
trunk/wp-admin/plugins.php
r3517 r3759 3 3 4 4 if ( isset($_GET['action']) ) { 5 check_admin_referer();6 7 5 if ('activate' == $_GET['action']) { 6 check_admin_referer('activate-plugin' . $_GET['plugin']); 8 7 $current = get_settings('active_plugins'); 9 8 if (!in_array($_GET['plugin'], $current)) { … … 16 15 header('Location: plugins.php?activate=true'); 17 16 } else if ('deactivate' == $_GET['action']) { 17 check_admin_referer('deactivate-plugin' . $_GET['plugin']); 18 18 $current = get_settings('active_plugins'); 19 19 array_splice($current, array_search( $_GET['plugin'], $current), 1 ); // Array-fu! … … 99 99 100 100 if (!empty($current_plugins) && in_array($plugin_file, $current_plugins)) { 101 $action = "<a href=' plugins.php?action=deactivate&plugin=$plugin_file' title='".__('Deactivate this plugin')."' class='delete'>".__('Deactivate')."</a>";101 $action = "<a href='" . wp_nonce_url("plugins.php?action=deactivate&plugin=$plugin_file", 'deactivate-plugin' . $plugin_file) . "' title='".__('Deactivate this plugin')."' class='delete'>".__('Deactivate')."</a>"; 102 102 $plugin_data['Title'] = "<strong>{$plugin_data['Title']}</strong>"; 103 103 $style .= $style == 'alternate' ? ' active' : 'active'; 104 104 } else { 105 $action = "<a href=' plugins.php?action=activate&plugin=$plugin_file' title='".__('Activate this plugin')."' class='edit'>".__('Activate')."</a>";105 $action = "<a href='" . wp_nonce_url("plugins.php?action=activate&plugin=$plugin_file", 'activate-plugin' . $plugin_file) . "' title='".__('Activate this plugin')."' class='edit'>".__('Activate')."</a>"; 106 106 } 107 107 $plugin_data['Description'] = wp_kses($plugin_data['Description'], array('a' => array('href' => array(),'title' => array()),'abbr' => array('title' => array()),'acronym' => array('title' => array()),'code' => array(),'em' => array(),'strong' => array()) ); ; -
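Review bot: The referer check moved from the top of the `if ( isset($_GET['action']) )` block into the two branches, and both concatenate the raw `$_GET['plugin']` into the nonce action at lines 6 and 17, so a request with an action but no plugin parameter raises an undefined-index notice before the check runs. Reading it once, `$plugin = isset($_GET['plugin']) ? $_GET['plugin'] : '';`, ahead of the branches and binding both checks to `$plugin` keeps the two checks identical. Any further action branches in this block are outside the hunk and are no longer covered by a check, which is harmless only if they do nothing.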
trunk/wp-admin/post.php
r3721 r3759 25 25 case 'postajaxpost': 26 26 case 'post': 27 check_admin_referer( );27 check_admin_referer('add-post'); 28 28 29 29 $post_ID = 'post' == $action ? write_post() : edit_post(); … … 79 79 80 80 case 'editattachment': 81 check_admin_referer();81 $post_id = (int) $_POST['post_ID']; 82 82 83 $post_id = (int) $_POST['post_ID'];83 check_admin_referer('update-attachment' . $post_id); 84 84 85 85 // Don't let these be changed … … 97 97 98 98 case 'editpost': 99 check_admin_referer(); 99 $post_ID = (int) $_POST['post_ID']; 100 check_admin_referer('update-post' . $post_ID); 100 101 101 102 $post_ID = edit_post(); … … 122 123 123 124 case 'delete': 124 check_admin_referer();125 126 125 $post_id = (isset($_GET['post'])) ? intval($_GET['post']) : intval($_POST['post_ID']); 126 check_admin_referer('delete-post' . $post_id); 127 127 128 128 $post = & get_post($post_id); -
trunk/wp-admin/profile-update.php
r3679 r3759 3 3 require_once('admin.php'); 4 4 5 check_admin_referer( );5 check_admin_referer('update-profile' . $user_ID); 6 6 7 7 if ( !$_POST ) -
trunk/wp-admin/profile.php
r3412 r3759 20 20 <h2><?php _e('Your Profile and Personal Options'); ?></h2> 21 21 <form name="profile" id="your-profile" action="profile-update.php" method="post"> 22 <?php wp_nonce_field('update-profile' . $user_ID) ?> 22 23 <p> 23 24 <input type="hidden" name="from" value="profile" /> -
trunk/wp-admin/templates.php
r3687 r3759 37 37 case 'update': 38 38 39 check_admin_referer( );39 check_admin_referer('edit-file' . $file); 40 40 41 41 if ( ! current_user_can('edit_files') ) … … 129 129 <?php if (!$error) { ?> 130 130 <form name="template" id="template" action="templates.php" method="post"> 131 <?php wp_nonce_field('edit-file' . $file) ?> 131 132 <div><textarea cols="70" rows="25" name="newcontent" id='newcontent' tabindex="1"><?php echo $content ?></textarea> 132 133 <input type="hidden" name="action" value="update" /> -
trunk/wp-admin/theme-editor.php
r3665 r3759 48 48 case 'update': 49 49 50 check_admin_referer( );50 check_admin_referer('edit-theme' . $file . $theme); 51 51 52 52 if ( !current_user_can('edit_themes') ) … … 132 132 ?> 133 133 <form name="template" id="template" action="theme-editor.php" method="post"> 134 <?php wp_nonce_field('edit-theme' . $file . $theme) ?> 134 135 <div><textarea cols="70" rows="25" name="newcontent" id="newcontent" tabindex="1"><?php echo $content ?></textarea> 135 136 <input type="hidden" name="action" value="update" /> -
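Review bot: The nonce action `'edit-theme' . $file . $theme` at lines 50 and 134 joins two request-supplied strings with no separator, so different (file, theme) pairs can yield the same action string and a nonce issued for one pair verifies for another. A fixed delimiter removes the ambiguity, e.g. `check_admin_referer('edit-theme_' . $file . '_' . $theme);` with the matching change in the wp_nonce_field call. Both $file and $theme are assigned outside the hunk.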
trunk/wp-admin/themes.php
r3517 r3759 3 3 4 4 if ( isset($_GET['action']) ) { 5 check_admin_referer( );5 check_admin_referer('switch-theme' . $_GET['template']); 6 6 7 7 if ('activate' == $_GET['action']) { … … 70 70 $screenshot = $themes[$theme_name]['Screenshot']; 71 71 $stylesheet_dir = $themes[$theme_name]['Stylesheet Dir']; 72 $activate_link = "themes.php?action=activate&template=$template&stylesheet=$stylesheet";72 $activate_link = wp_nonce_url("themes.php?action=activate&template=$template&stylesheet=$stylesheet", 'switch-theme' . $template); 73 73 ?> 74 74 <div class="available-theme"> -
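Review bot: `check_admin_referer('switch-theme' . $_GET['template'])` at line 5 runs for any `$_GET['action']` and reads template before the action is known, so a request with an action but no template parameter raises an undefined-index notice and is checked against an action string with an empty suffix. The activate link at line 72 also carries `stylesheet=$stylesheet`, which the nonce action does not bind, so the nonce vouches only for the template half of the switch. Binding both on each side, e.g. `'switch-theme' . $template . $stylesheet`, or moving the check into the 'activate' branch behind an isset() guard, would be tighter. The rest of the action block is outside the hunk.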
trunk/wp-admin/users.php
r3679 r3759 12 12 13 13 case 'promote': 14 check_admin_referer( );14 check_admin_referer('bulk-users'); 15 15 16 16 if (empty($_POST['users'])) { … … 40 40 case 'dodelete': 41 41 42 check_admin_referer( );42 check_admin_referer('delete-users'); 43 43 44 44 if ( empty($_POST['users']) ) { … … 73 73 case 'delete': 74 74 75 check_admin_referer( );75 check_admin_referer('bulk-users'); 76 76 77 77 if (empty($_POST['users'])) { … … 87 87 ?> 88 88 <form action="" method="post" name="updateusers" id="updateusers"> 89 <?php wp_nonce_field('delete-users') ?> 89 90 <div class="wrap"> 90 91 <h2><?php _e('Delete Users'); ?></h2> … … 132 133 133 134 case 'adduser': 134 check_admin_referer( );135 check_admin_referer('add-user'); 135 136 136 137 $user_id = add_user(); … … 206 207 207 208 <form action="" method="post" name="updateusers" id="updateusers"> 209 <?php wp_nonce_field('bulk-users') ?> 208 210 <div class="wrap"> 209 211 <h2><?php _e('User List by Role'); ?></h2> … … 258 260 <?php echo '<p>'.sprintf(__('Users can <a href="%1$s">register themselves</a> or you can manually create users here.'), get_settings('siteurl').'/wp-register.php').'</p>'; ?> 259 261 <form action="" method="post" name="adduser" id="adduser"> 262 <?php wp_nonce_field('add-user') ?> 260 263 <table class="editform" width="100%" cellspacing="2" cellpadding="5"> 261 264 <tr>