Changeset 5386 for branches/2.2/wp-admin/custom-header.php

Timestamp:

05/04/2007 05:52:57 PM (18 years ago)

Author:

ryan

Message:

Do a cap check at the top of widgets since it won't always inherit the menu cap check.

File:

• branches/2.2/wp-admin/custom-header.php (modified) (9 diffs)

branches/2.2/wp-admin/custom-header.php

@@ -24 +24 @@
 
         if ( isset( $_POST['textcolor'] ) ) {
+            check_admin_referer('custom-header');
             if ( 'blank' == $_POST['textcolor'] ) {
                 set_theme_mod('header_textcolor', 'blank');
@@ -32 +33 @@
             }
         }
-        if ( isset($_POST['resetheader']) )
+        if ( isset($_POST['resetheader']) ) {
+            check_admin_referer('custom-header');
             remove_theme_mods();
+        }
     ?>
 <script type="text/javascript">
@@ -158 +161 @@
 <p><?php _e('This is your header image. You can change the text color or upload and crop a new image.'); ?></p>
 
-<div id="headimg" style="background: url(<?php header_image() ?>) no-repeat;">
+<div id="headimg" style="background: url(<?php clean_url(header_image()) ?>) no-repeat;">
 <h1><a onclick="return false;" href="<?php bloginfo('url'); ?>" title="<?php bloginfo('name'); ?>" id="name"><?php bloginfo('name'); ?></a></h1>
 <div id="desc"><?php bloginfo('description');?></div>
@@ -166 +169 @@
 <input type="button" value="<?php _e('Hide Text'); ?>" onclick="hide_text()" id="hidetext" />
 <input type="button" value="<?php _e('Select a Text Color'); ?>" onclick="colorSelect($('textcolor'), 'pickcolor')" id="pickcolor" /><input type="button" value="<?php _e('Use Original Color'); ?>" onclick="colorDefault()" id="defaultcolor" />
-<input type="hidden" name="textcolor" id="textcolor" value="#<?php header_textcolor() ?>" /><input name="submit" type="submit" value="<?php _e('Save Changes'); ?> &raquo;" /></form>
+<?php wp_nonce_field('custom-header') ?>
+<input type="hidden" name="textcolor" id="textcolor" value="#<?php attribute_escape(header_textcolor()) ?>" /><input name="submit" type="submit" value="<?php _e('Save Changes'); ?> &raquo;" /></form>
 <?php } ?>
 
@@ -178 +182 @@
 <label for="upload"><?php _e('Choose an image from your computer:'); ?></label><br /><input type="file" id="upload" name="import" />
 <input type="hidden" name="action" value="save" />
+<?php wp_nonce_field('custom-header') ?>
 <p class="submit">
 <input type="submit" value="<?php _e('Upload'); ?> &raquo;" />
@@ -198 +203 @@
 
     function step_2() {
+        check_admin_referer('custom-header');
         $overrides = array('test_form' => false);
         $file = wp_handle_upload($_FILES['import'], $overrides);
@@ -223 +229 @@
 
         if ( $width == HEADER_IMAGE_WIDTH && $height == HEADER_IMAGE_HEIGHT ) {
-            set_theme_mod('header_image', $url);
+            set_theme_mod('header_image', clean_url($url));
             $header = apply_filters('wp_create_file_in_uploads', $file, $id); // For replication
             return $this->finished();
@@ -257 +263 @@
 <input type="hidden" name="attachment_id" id="attachment_id" value="<?php echo $id; ?>" />
 <input type="hidden" name="oitar" id="oitar" value="<?php echo $oitar; ?>" />
+<?php wp_nonce_field('custom-header') ?>
 <input type="submit" value="<?php _e('Crop Header &raquo;'); ?>" />
 </p>
@@ -266 +273 @@
 
     function step_3() {
+        check_admin_referer('custom-header');
         if ( $_POST['oitar'] > 1 ) {
             $_POST['x1'] = $_POST['x1'] * $_POST['oitar'];