
Changeset 39771


Timestamp:
01/11/2017 01:53:51 AM (8 years ago)
Author:
aaroncampbell
Message:

Add nonce for widget accessibility mode.

Props vortfu.

See #23328.

Merges [39765] to 3.7 branch.

Location:
branches/3.7
Files:
4 edited

  • branches/3.7

  • branches/3.7/src

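--- a/branches/3.7/src/wp-admin/includes/screen.php
+++ b/branches/3.7/src/wp-admin/includes/screen.php
@@ -902,5 +902,6 @@
         switch ( $this->id ) {
             case 'widgets':
-                $this->_screen_settings = '<p><a id="access-on" href="widgets.php?widgets-access=on">' . __('Enable accessibility mode') . '</a><a id="access-off" href="widgets.php?widgets-access=off">' . __('Disable accessibility mode') . "</a></p>\n";
+                $nonce = wp_create_nonce( 'widgets-access' );
+                $this->_screen_settings = '<p><a id="access-on" href="widgets.php?widgets-access=on&_wpnonce=' . urlencode( $nonce ) . '">' . __('Enable accessibility mode') . '</a><a id="access-off" href="widgets.php?widgets-access=off&_wpnonce=' . urlencode( $nonce ) . '">' . __('Disable accessibility mode') . "</a></p>\n";
                 break;
             default: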
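Review bot: The two hrefs on the new `$this->_screen_settings` line splice `&_wpnonce=` into the attribute by hand, so the ampersand reaches the HTML unescaped and the line hard-codes the `_wpnonce` argument name that `check_admin_referer()` looks for by default. `wp_nonce_url()` builds the same URL and returns it escaped for output, e.g. `href="' . wp_nonce_url( 'widgets.php?widgets-access=on', 'widgets-access' ) . '"`, and likewise for `off`, which also makes the separate `$nonce` variable unnecessary. Because the token travels in a GET URL it can show up in browser history and server logs; it is scoped to the `widgets-access` action, which limits what a leaked value could be used for. The enclosing `switch` and its method start and end outside this hunk.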
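--- a/branches/3.7/src/wp-admin/widgets.php
+++ b/branches/3.7/src/wp-admin/widgets.php
@@ -18,4 +18,6 @@
 $widgets_access = get_user_setting( 'widgets_access' );
 if ( isset($_GET['widgets-access']) ) {
+    check_admin_referer( 'widgets-access' );
+
     $widgets_access = 'on' == $_GET['widgets-access'] ? 'on' : 'off';
     set_user_setting( 'widgets_access', $widgets_access );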
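Review bot: The new `check_admin_referer( 'widgets-access' )` call carries no comment explaining why this GET toggle needs a nonce, and the request still has `_wpnonce` in its URL after the setting is saved. I would add `// CSRF guard: this GET request changes a per-user setting, so require the nonce issued by the screen options links.` above the call. As far as I know the function ends the request when verification fails, so an existing bookmark or documented link to `widgets.php?widgets-access=on` without a nonce would now land on the failure page instead of toggling; that is worth a line in the release notes. Whether the page later redirects to drop the query string cannot be seen here, since the `if` block continues past the last visible line.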