Timestamp:
03/06/2017 01:56:00 PM (3 years ago)
Author:
johnbillion
Message:

Press This: Verify intent before fetching in-page resources using Press This.

Props vortfu

Merges [40195] to the 4.7 branch.

Location:
branches/4.7
Files:
2 edited

  • branches/4.7

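--- a/branches/4.7/src/wp-admin/includes/class-wp-press-this.php
+++ b/branches/4.7/src/wp-admin/includes/class-wp-press-this.php
@@ -719,5 +719,9 @@
              */
             if ( empty( $_POST ) && ! empty( $data['u'] ) ) {
-                $data = $this->source_data_fetch_fallback( $data['u'], $data );
+                if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( $_GET['_wpnonce'], 'scan-site' ) ) {
+                    $data = $this->source_data_fetch_fallback( $data['u'], $data );
+                } else {
+                    $data['errors'] = 'missing nonce';
+                }
             } else {
                 foreach ( array( '_images', '_embeds' ) as $type ) {
@@ -1236,5 +1240,5 @@
             'v' => ! empty( $data['v'] ) ? $data['v'] : '',
             'u' => ! empty( $data['u'] ) ? $data['u'] : '',
-            'hasData' => ! empty( $data ),
+            'hasData' => ! empty( $data ) && ! isset( $data['errors'] ),
         );
 
@@ -1368,6 +1372,7 @@
         <form method="GET">
             <label for="url-scan" class="screen-reader-text"><?php _e( 'Scan site for content' ); ?></label>
-            <input type="url" name="u" id="url-scan" class="scan-url" value="" placeholder="<?php esc_attr_e( 'Enter a URL to scan' ) ?>" />
+            <input type="url" name="u" id="url-scan" class="scan-url" value="<?php echo esc_attr( $site_data['u'] ) ?>" placeholder="<?php esc_attr_e( 'Enter a URL to scan' ) ?>" />
             <input type="submit" name="url-scan-submit" id="url-scan-submit" class="scan-submit" value="<?php esc_attr_e( 'Scan' ) ?>" />
+            <?php wp_nonce_field( 'scan-site' ); ?>
         </form>
     </div>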
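Review bot: The check added at new line 721 has no comment saying why the nonce gate exists, and the reason is the security-relevant part of this change: `source_data_fetch_fallback()` is presumably a server-side request to the caller-supplied `u` URL, so a merely clicked or embedded link must not be able to trigger it; I would add `// Verify intent before fetching: this is a server-side request to a user-supplied URL, so a plain link must not trigger it.` above the `if`. Two smaller points on the same hunk and the form hunk at new lines 1372–1378: the nonce is read from `$_GET['_wpnonce']` without `wp_unslash()`, which is the convention elsewhere in core, and `wp_nonce_field( 'scan-site' )` on a `method="GET"` form also emits the default `_wp_http_referer` hidden field into the query string — `wp_nonce_field( 'scan-site', '_wpnonce', false );` avoids that. The `'missing nonce'` string at new line 724 is a bare literal; if it is ever surfaced to the user it is not translatable, though the `hasData` change at new line 1242 suggests it is only used as a flag. The enclosing method starts and ends outside the hunk, so I cannot confirm that a capability check precedes this code.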