WordPress.org
Get WordPress

Make WordPress Core

Changeset 39766


Ignore:
Timestamp:
01/11/2017 01:48:22 AM (7 years ago)
Author:
aaroncampbell
Message:

Add nonce for widget accessibility mode.

Props vortfu.

See #23328.

Merges [39765] to 4.2 branch.

Location:
branches/4.2
Files:
3 edited

Legend:

Unmodified
Added
Removed

  • branches/4.2

    • Property svn:mergeinfo changed (with no actual effect on merging)

  • branches/4.2/src/wp-admin/includes/screen.php

    r31696 r39766  
    972972        switch ( $this->base ) {
    973973            case 'widgets':
    974                 $this->_screen_settings = '<p><a id="access-on" href="widgets.php?widgets-access=on">' . __('Enable accessibility mode') . '</a><a id="access-off" href="widgets.php?widgets-access=off">' . __('Disable accessibility mode') . "</a></p>\n";
     974                $nonce = wp_create_nonce( 'widgets-access' );
     975                $this->_screen_settings = '<p><a id="access-on" href="widgets.php?widgets-access=on&_wpnonce=' . urlencode( $nonce ) . '">' . __('Enable accessibility mode') . '</a><a id="access-off" href="widgets.php?widgets-access=off&_wpnonce=' . urlencode( $nonce ) . '">' . __('Disable accessibility mode') . "</a></p>\n";
    975976                break;
    976977            case 'post' :

  • branches/4.2/src/wp-admin/widgets.php

    r32116 r39766  
    1818$widgets_access = get_user_setting( 'widgets_access' );
    1919if ( isset($_GET['widgets-access']) ) {
     20    check_admin_referer( 'widgets-access' );
     21
    2022    $widgets_access = 'on' == $_GET['widgets-access'] ? 'on' : 'off';
    2123    set_user_setting( 'widgets_access', $widgets_access );
Note: See TracChangeset for help on using the changeset viewer.