Changeset 40715 for branches/3.7/src
- Timestamp:
- 05/16/2017 12:22:15 PM (9 years ago)
- Location:
- branches/3.7
- Files:
-
- 4 edited
-
. (modified) (1 prop)
-
src (modified) (1 prop)
-
src/wp-admin/js/customize-controls.js (modified) (1 diff)
-
src/wp-includes/class-wp-customize-manager.php (modified) (1 diff)
-
branches/3.7
-
branches/3.7/src
- Property svn:mergeinfo changed
/trunk/src merged: 40704
- Property svn:mergeinfo changed
-
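--- a/branches/3.7/src/wp-admin/js/customize-controls.js
+++ b/branches/3.7/src/wp-admin/js/customize-controls.js
@@ -776,4 +776,14 @@
 });
 }
+});
+
+// Ensure preview nonce is included with every customized request, to allow post data to be read.
+$.ajaxPrefilter( function injectPreviewNonce( options ) {
+if ( ! /wp_customize=on/.test( options.data ) ) {
+return;
+}
+options.data += '&' + $.param({
+customize_preview_nonce: api.settings.nonce.preview
+});
 });
 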
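Review bot: The prefilter appends `api.settings.nonce.preview` to every jQuery request whose serialized data contains the substring `wp_customize=on`, without checking where the request is going. Whether any cross-origin request on this screen carries that parameter is not visible here, but a guard such as `if ( options.crossDomain || ! /wp_customize=on/.test( options.data ) ) { return; }` would keep the nonce on same-origin requests only. The test also reads only `options.data`, so a request that carries `wp_customize=on` in the URL query string gets no nonce and would presumably have its `customized` data dropped by the server-side check. If that is intended, a short comment saying so would help.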
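--- a/branches/3.7/src/wp-includes/class-wp-customize-manager.php
+++ b/branches/3.7/src/wp-includes/class-wp-customize-manager.php
@@ -123,4 +123,22 @@
 
 $this->theme = wp_get_theme( isset( $_REQUEST['theme'] ) ? $_REQUEST['theme'] : null );
+
+/*
+* Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
+* application will inject the customize_preview_nonce query parameter into all Ajax requests.
+* For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
+* a user when a valid nonce isn't present.
+*/
+$has_post_data_nonce = (
+check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
+||
+check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
+||
+check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
+);
+if ( ! $has_post_data_nonce ) {
+unset( $_POST['customized'] );
+unset( $_REQUEST['customized'] );
+}
 
 if ( $this->is_theme_active() ) {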
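Review bot: When none of the three nonces verifies, only `$_POST['customized']` and `$_REQUEST['customized']` are cleared, so `$_GET['customized']` stays populated. That is sufficient if every consumer reads the value from `$_POST` or `$_REQUEST`, but this hunk does not show that. I would either add `unset( $_GET['customized'] );` to the block or extend the comment with `Only $_POST and $_REQUEST are cleared because the customized values are never read from $_GET.` The data is also dropped silently, so a rejected request looks the same as one that carried no changes when someone investigates later. A sentence in the comment about that choice would help. The enclosing method starts and ends outside the hunk.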