
Changeset 5386


Timestamp:
05/04/2007 05:52:57 PM (17 years ago)
Author:
ryan
Message:

Do a cap check at the top of widgets since it won't always inherit the menu cap check.

Location:
branches/2.2
Files:
3 edited

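--- a/branches/2.2/wp-admin/custom-header.php
+++ b/branches/2.2/wp-admin/custom-header.php
@@ -24,4 +24,5 @@
 
         if ( isset( $_POST['textcolor'] ) ) {
+            check_admin_referer('custom-header');
             if ( 'blank' == $_POST['textcolor'] ) {
                 set_theme_mod('header_textcolor', 'blank');
@@ -32,6 +33,8 @@
             }
         }
-        if ( isset($_POST['resetheader']) )
+        if ( isset($_POST['resetheader']) ) {
+            check_admin_referer('custom-header');
             remove_theme_mods();
+        }
     ?>
 <script type="text/javascript">
@@ -158,5 +161,5 @@
 <p><?php _e('This is your header image. You can change the text color or upload and crop a new image.'); ?></p>
 
-<div id="headimg" style="background: url(<?php header_image() ?>) no-repeat;">
+<div id="headimg" style="background: url(<?php clean_url(header_image()) ?>) no-repeat;">
 <h1><a onclick="return false;" href="<?php bloginfo('url'); ?>" title="<?php bloginfo('name'); ?>" id="name"><?php bloginfo('name'); ?></a></h1>
 <div id="desc"><?php bloginfo('description');?></div>
@@ -166,5 +169,6 @@
 <input type="button" value="<?php _e('Hide Text'); ?>" onclick="hide_text()" id="hidetext" />
 <input type="button" value="<?php _e('Select a Text Color'); ?>" onclick="colorSelect($('textcolor'), 'pickcolor')" id="pickcolor" /><input type="button" value="<?php _e('Use Original Color'); ?>" onclick="colorDefault()" id="defaultcolor" />
-<input type="hidden" name="textcolor" id="textcolor" value="#<?php header_textcolor() ?>" /><input name="submit" type="submit" value="<?php _e('Save Changes'); ?> &raquo;" /></form>
+<?php wp_nonce_field('custom-header') ?>
+<input type="hidden" name="textcolor" id="textcolor" value="#<?php attribute_escape(header_textcolor()) ?>" /><input name="submit" type="submit" value="<?php _e('Save Changes'); ?> &raquo;" /></form>
 <?php } ?>
 
@@ -178,4 +182,5 @@
 <label for="upload"><?php _e('Choose an image from your computer:'); ?></label><br /><input type="file" id="upload" name="import" />
 <input type="hidden" name="action" value="save" />
+<?php wp_nonce_field('custom-header') ?>
 <p class="submit">
 <input type="submit" value="<?php _e('Upload'); ?> &raquo;" />
@@ -198,4 +203,5 @@
 
     function step_2() {
+        check_admin_referer('custom-header');
         $overrides = array('test_form' => false);
         $file = wp_handle_upload($_FILES['import'], $overrides);
@@ -223,5 +229,5 @@
 
         if ( $width == HEADER_IMAGE_WIDTH && $height == HEADER_IMAGE_HEIGHT ) {
-            set_theme_mod('header_image', $url);
+            set_theme_mod('header_image', clean_url($url));
             $header = apply_filters('wp_create_file_in_uploads', $file, $id); // For replication
             return $this->finished();
@@ -257,4 +263,5 @@
 <input type="hidden" name="attachment_id" id="attachment_id" value="<?php echo $id; ?>" />
 <input type="hidden" name="oitar" id="oitar" value="<?php echo $oitar; ?>" />
+<?php wp_nonce_field('custom-header') ?>
 <input type="submit" value="<?php _e('Crop Header &raquo;'); ?>" />
 </p>
@@ -266,4 +273,5 @@
 
     function step_3() {
+        check_admin_referer('custom-header');
         if ( $_POST['oitar'] > 1 ) {
             $_POST['x1'] = $_POST['x1'] * $_POST['oitar'];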
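Review bot: `clean_url(header_image())` on new line 163 and `attribute_escape(header_textcolor())` on new line 172 are written without `echo`, exactly like the original `<?php header_image() ?>`, which only produced output because header_image() prints its value itself; the wrapper's return value is therefore discarded and the raw value is still emitted unescaped. Both lines need a returning getter plus an explicit echo, e.g. `<?php echo clean_url(get_header_image()) ?>` and `#<?php echo attribute_escape(get_header_textcolor()) ?>`, assuming those getters exist in this branch (otherwise capture the printed output first). Separately, the check_admin_referer() added to step_3() verifies the request's origin, not its payload; new lines 276-277 still do arithmetic on raw `$_POST['oitar']` and `$_POST['x1']`, and an explicit `(int)` cast there would make the numeric assumption visible. step_2() and step_3() continue outside the hunks shown.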
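--- a/branches/2.2/wp-admin/widgets.php
+++ b/branches/2.2/wp-admin/widgets.php
@@ -2,4 +2,7 @@
 
 require_once 'admin.php';
+
+if ( ! current_user_can('edit_themes') )
+    wp_die( __( 'Cheatin&#8217; uh?' ));
 
 wp_enqueue_script( 'scriptaculous-effects' );
@@ -351,9 +354,5 @@
        
             <p class="submit">
-            <?php
-                if ( function_exists( 'wp_nonce_field' ) ) {
-                    wp_nonce_field( 'widgets-save-widget-order' );
-                }
-            ?>
+            <?php wp_nonce_field( 'widgets-save-widget-order' ); ?>
                 <input type="hidden" name="action" id="action" value="save_widget_order" />
                 <input type="submit" value="<?php _e( 'Save Changes &raquo;' ); ?>" />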
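Review bot: The capability guard added at new lines 5-6 carries no comment explaining why it lives here, while the commit message does: widgets.php will not always inherit the menu's capability check. A one-line comment above it, `// This page is not always reached through the menu, so its cap check cannot be relied on here.`, keeps that rationale next to the code for the next person who wonders whether the check is redundant. The second hunk's replacement of the function_exists() guard with a direct wp_nonce_field() call is fine, assuming the save handler verifies the same 'widgets-save-widget-order' action with check_admin_referer(), which is outside this view.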
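--- a/branches/2.2/wp-content/themes/default/functions.php
+++ b/branches/2.2/wp-content/themes/default/functions.php
@@ -83,4 +83,5 @@
     if ( $_GET['page'] == basename(__FILE__) ) {
         if ( 'save' == $_REQUEST['action'] ) {
+            check_admin_referer('kubrick-header');
             if ( isset($_REQUEST['njform']) ) {
                 if ( isset($_REQUEST['defaults']) ) {
@@ -91,7 +92,8 @@
                     if ( '' == $_REQUEST['njfontcolor'] )
                         delete_option('kubrick_header_color');
-                    else
-                        update_option('kubrick_header_color', $_REQUEST['njfontcolor']);
-
+                    else {
+                        $fontcolor = preg_replace('/^.*(#[0-9a-fA-F]{6})?.*$/', '$1', $_REQUEST['njfontcolor']);
+                        update_option('kubrick_header_color', $fontcolor);
+                    }
                     if ( preg_match('/[0-9A-F]{6}|[0-9A-F]{3}/i', $_REQUEST['njuppercolor'], $uc) && preg_match('/[0-9A-F]{6}|[0-9A-F]{3}/i', $_REQUEST['njlowercolor'], $lc) ) {
                         $uc = ( strlen($uc[0]) == 3 ) ? $uc[0]{0}.$uc[0]{0}.$uc[0]{1}.$uc[0]{1}.$uc[0]{2}.$uc[0]{2} : $uc[0];
@@ -110,18 +112,25 @@
 
                 if ( isset($_REQUEST['headerimage']) ) {
+                    check_admin_referer('kubrick-header');
                     if ( '' == $_REQUEST['headerimage'] )
                         delete_option('kubrick_header_image');
-                    else
-                        update_option('kubrick_header_image', $_REQUEST['headerimage']);
+                    else {
+                        $headerimage = preg_replace('/^.*?(header-img.php\?upper=[0-9a-fA-F]{6}&lower=[0-9a-fA-F]{6})?.*$/', '$1', $_REQUEST['headerimage']);
+                        update_option('kubrick_header_image', $headerimage);
+                    }
                 }
 
                 if ( isset($_REQUEST['fontcolor']) ) {
+                    check_admin_referer('kubrick-header');
                     if ( '' == $_REQUEST['fontcolor'] )
                         delete_option('kubrick_header_color');
-                    else
-                        update_option('kubrick_header_color', $_REQUEST['fontcolor']);
+                    else {
+                        $fontcolor = preg_replace('/^.*?(#[0-9a-fA-F]{6})?.*$/', '$1', $_REQUEST['fontcolor']);
+                        update_option('kubrick_header_color', $fontcolor);
+                    }
                 }
 
                 if ( isset($_REQUEST['fontdisplay']) ) {
+                    check_admin_referer('kubrick-header');
                     if ( '' == $_REQUEST['fontdisplay'] || 'inline' == $_REQUEST['fontdisplay'] )
                         delete_option('kubrick_header_display');
@@ -234,11 +243,11 @@
     }
     function kRevert() {
-        document.getElementById('headerimage').value = '<?php echo kubrick_header_image(); ?>';
-        document.getElementById('advuppercolor').value = document.getElementById('uppercolor').value = '#<?php echo kubrick_upper_color(); ?>';
-        document.getElementById('advlowercolor').value = document.getElementById('lowercolor').value = '#<?php echo kubrick_lower_color(); ?>';
-        document.getElementById('header').style.background = 'url("<?php echo kubrick_header_image_url(); ?>") center no-repeat';
+        document.getElementById('headerimage').value = '<?php echo js_escape(kubrick_header_image()); ?>';
+        document.getElementById('advuppercolor').value = document.getElementById('uppercolor').value = '#<?php echo js_escape(kubrick_upper_color()); ?>';
+        document.getElementById('advlowercolor').value = document.getElementById('lowercolor').value = '#<?php echo js_escape(kubrick_lower_color()); ?>';
+        document.getElementById('header').style.background = 'url("<?php echo js_escape(kubrick_header_image_url()); ?>") center no-repeat';
         document.getElementById('header').style.color = '';
-        document.getElementById('advfontcolor').value = document.getElementById('fontcolor').value = '<?php echo kubrick_header_color_string(); ?>';
-        document.getElementById('fontdisplay').value = '<?php echo kubrick_header_display_string(); ?>';
+        document.getElementById('advfontcolor').value = document.getElementById('fontcolor').value = '<?php echo js_escape(kubrick_header_color_string()); ?>';
+        document.getElementById('fontdisplay').value = '<?php echo js_escape(kubrick_header_display_string()); ?>';
         document.getElementById('headerimg').style.display = document.getElementById('fontdisplay').value;
     }
@@ -362,9 +371,10 @@
         <div id="nonJsForm">
             <form method="post" action="">
+                <?php wp_nonce_field('kubrick-header'); ?>
                 <div class="zerosize"><input type="submit" name="defaultsubmit" value="Save" /></div>
-                <label for="njfontcolor">Font Color:</label><input type="text" name="njfontcolor" id="njfontcolor" value="<?php echo kubrick_header_color(); ?>" /> Any CSS color (<code>red</code> or <code>#FF0000</code> or <code>rgb(255, 0, 0)</code>)<br />
-                <label for="njuppercolor">Upper Color:</label><input type="text" name="njuppercolor" id="njuppercolor" value="#<?php echo kubrick_upper_color(); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
-                <label for="njlowercolor">Lower Color:</label><input type="text" name="njlowercolor" id="njlowercolor" value="#<?php echo kubrick_lower_color(); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
-                <input type="hidden" name="hi" id="hi" value="<?php echo kubrick_header_image(); ?>" />
+                <label for="njfontcolor">Font Color:</label><input type="text" name="njfontcolor" id="njfontcolor" value="<?php echo attribute_escape(kubrick_header_color()); ?>" /> Any CSS color (<code>red</code> or <code>#FF0000</code> or <code>rgb(255, 0, 0)</code>)<br />
+                <label for="njuppercolor">Upper Color:</label><input type="text" name="njuppercolor" id="njuppercolor" value="#<?php echo attribute_escape(kubrick_upper_color()); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
+                <label for="njlowercolor">Lower Color:</label><input type="text" name="njlowercolor" id="njlowercolor" value="#<?php echo attribute_escape(kubrick_lower_color()); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
+                <input type="hidden" name="hi" id="hi" value="<?php echo attribute_escape(kubrick_header_image()); ?>" />
                 <input type="submit" name="toggledisplay" id="toggledisplay" value="Toggle Text" />
                 <input type="submit" name="defaults" value="Use Defaults" />
@@ -376,4 +386,5 @@
         <div id="jsForm">
             <form style="display:inline;" method="post" name="hicolor" id="hicolor" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
+                <?php wp_nonce_field('kubrick-header'); ?>
                 <input type="button" onclick="tgt=document.getElementById('fontcolor');colorSelect(tgt,'pick1');return false;" name="pick1" id="pick1" value="Font Color"></input>
                 <input type="button" onclick="tgt=document.getElementById('uppercolor');colorSelect(tgt,'pick2');return false;" name="pick2" id="pick2" value="Upper Color"></input>
@@ -382,9 +393,9 @@
                 <input type="button" value="Advanced" onclick="toggleAdvanced()" />
                 <input type="hidden" name="action" value="save" />
-                <input type="hidden" name="fontdisplay" id="fontdisplay" value="<?php echo kubrick_header_display(); ?>" />
-                <input type="hidden" name="fontcolor" id="fontcolor" value="<?php echo kubrick_header_color(); ?>" />
-                <input type="hidden" name="uppercolor" id="uppercolor" value="<?php echo kubrick_upper_color(); ?>" />
-                <input type="hidden" name="lowercolor" id="lowercolor" value="<?php echo kubrick_lower_color(); ?>" />
-                <input type="hidden" name="headerimage" id="headerimage" value="<?php echo kubrick_header_image(); ?>" />
+                <input type="hidden" name="fontdisplay" id="fontdisplay" value="<?php echo attribute_escape(kubrick_header_display()); ?>" />
+                <input type="hidden" name="fontcolor" id="fontcolor" value="<?php echo attribute_escape(kubrick_header_color()); ?>" />
+                <input type="hidden" name="uppercolor" id="uppercolor" value="<?php echo attribute_escape(kubrick_upper_color()); ?>" />
+                <input type="hidden" name="lowercolor" id="lowercolor" value="<?php echo attribute_escape(kubrick_lower_color()); ?>" />
+                <input type="hidden" name="headerimage" id="headerimage" value="<?php echo attribute_escape(kubrick_header_image()); ?>" />
                 <p class="submit"><input type="submit" name="submitform" class="defbutton" value="<?php _e('Update Header &raquo;'); ?>" onclick="cp.hidePopup('prettyplease')" /></p>
             </form>
@@ -392,7 +403,8 @@
             <div id="advanced">
                 <form id="jsAdvanced" style="display:none;" action="">
-                    <label for="advfontcolor">Font Color (CSS): </label><input type="text" id="advfontcolor" onchange="advUpdate(this.value, 'fontcolor')" value="<?php echo kubrick_header_color(); ?>" /><br />
-                    <label for="advuppercolor">Upper Color (HEX): </label><input type="text" id="advuppercolor" onchange="advUpdate(this.value, 'uppercolor')" value="#<?php echo kubrick_upper_color(); ?>" /><br />
-                    <label for="advlowercolor">Lower Color (HEX): </label><input type="text" id="advlowercolor" onchange="advUpdate(this.value, 'lowercolor')" value="#<?php echo kubrick_lower_color(); ?>" /><br />
+                    <?php wp_nonce_field('kubrick-header'); ?>
+                    <label for="advfontcolor">Font Color (CSS): </label><input type="text" id="advfontcolor" onchange="advUpdate(this.value, 'fontcolor')" value="<?php echo attribute_escape(kubrick_header_color()); ?>" /><br />
+                    <label for="advuppercolor">Upper Color (HEX): </label><input type="text" id="advuppercolor" onchange="advUpdate(this.value, 'uppercolor')" value="#<?php echo attribute_escape(kubrick_upper_color()); ?>" /><br />
+                    <label for="advlowercolor">Lower Color (HEX): </label><input type="text" id="advlowercolor" onchange="advUpdate(this.value, 'lowercolor')" value="#<?php echo attribute_escape(kubrick_lower_color()); ?>" /><br />
                     <input type="button" name="default" value="Select Default Colors" onclick="kDefaults()" /><br />
                     <input type="button" onclick="toggleDisplay();return false;" name="pick" id="pick" value="Toggle Text Display"></input><br />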
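Review bot: The sanitiser on new line 95 (hunk at old lines 91-97) uses a greedy leading `.*`, so `'/^.*(#[0-9a-fA-F]{6})?.*$/'` always succeeds with the optional group empty and `$fontcolor` is always `''`; a colour submitted through the non-JS form is silently cleared instead of stored. The copies on new lines 118 and 128 use the lazy `.*?`, and line 95 should read `$fontcolor = preg_replace('/^.*?(#[0-9a-fA-F]{6})?.*$/', '$1', $_REQUEST['njfontcolor']);`. Even the lazy form appears to capture the group only when it sits at the very start of the input, because the optional group and the trailing `.*$` never force backtracking, so a preg_match() that rejects anything but a bare `#rrggbb` would be clearer and would also agree with the label on new line 375, which still promises "Any CSS color" although only six-digit hex now survives. The enclosing function starts and ends outside these hunks.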