From bd8a6fc57fdf09b9b3b9a706078ec5ffead695d6 Mon Sep 17 00:00:00 2001
From: Siddharth Thevaril
Date: Sat, 4 Feb 2023 12:20:38 +0530
Subject: [PATCH] fix coding standards and replace ajax referer with verify nonce
---
simple-page-ordering.php | 35 ++++++++++++++++++-----------------
1 file changed, 18 insertions(+), 17 deletions(-)
diff --git a/simple-page-ordering.php b/simple-page-ordering.php
index afcea4d..f0b4100 100644
--- a/simple-page-ordering.php
+++ b/simple-page-ordering.php
@@ -140,8 +140,7 @@ public static function wp() {
 'simple-page-ordering',
 'simple_page_ordering_localized_data',
 array(
- '_wpnonce' => wp_create_nonce( 'simple-page-ordering_' . $screen->id ),
- 'screen_id' => (string) $screen->id,
+ '_wpnonce' => wp_create_nonce( 'simple-page-ordering-nonce' ),
 )
 );
@@ -170,8 +169,13 @@ public static function admin_head() {
 $screen->add_help_tab(
 array(
 'id' => 'simple_page_ordering_help_tab',
- 'title' => 'Simple Page Ordering',
- 'content' => '
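Review bot: The nonce minted on the new side uses a single fixed action, `simple-page-ordering-nonce`, instead of one bound to `$screen->id`, so a token issued on any admin screen is accepted by both AJAX handlers. It stays user- and session-bound, so it still serves as a CSRF guard, but authorisation now rests entirely on the capability checks inside each handler, which this hunk does not show. If dropping the screen binding is deliberate, a comment on the `_wpnonce` line such as `// Single nonce action shared by both ordering endpoints; per-handler capability checks authorise the request.` records that decision for the next reader. wp() begins before this hunk.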

' . __( 'To reposition an item, simply drag and drop the row by "clicking and holding" it anywhere (outside of the links and form controls) and moving it to its new position.', 'simple-page-ordering' ) . '

' . $reset_order . '

',
+ 'title' => esc_html__( 'Simple Page Ordering', 'simple-page-ordering' ),
+ 'content' => sprintf(
+ '

%s

%s',
+ esc_html__( 'To reposition an item, simply drag and drop the row by "clicking and holding" it anywhere (outside of the links and form controls) and moving it to its new position.', 'simple-page-ordering' ),
+ get_query_var( 'post_type' ),
+ esc_html__( 'Reset post order', 'simple-page-ordering' )
+ ),
 )
 );
 }
@@ -187,14 +191,12 @@ public static function ajax_simple_page_ordering() {
 die( - 1 );
 }
- // do we have a nonce that verifies?
- if ( empty( $_POST['_wpnonce'] ) || empty( $_POST['screen_id'] ) ) {
- // no nonce to verify...
+ $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_key( wp_unslash( $_POST['_wpnonce'] ) ) : '';
+
+ if ( ! wp_verify_nonce( $nonce, 'simple-page-ordering-nonce' ) ) {
 die( -1 );
 }
- check_admin_referer( 'simple-page-ordering_' . sanitize_key( $_POST['screen_id'] ) );
-
 $post_id = empty( $_POST['id'] ) ? false : (int) $_POST['id'];
 $previd = empty( $_POST['previd'] ) ? false : (int) $_POST['previd'];
 $nextid = empty( $_POST['nextid'] ) ? false : (int) $_POST['nextid'];
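Review bot: `get_query_var( 'post_type' )` is handed to the sprintf template unescaped while the two text arguments beside it go through esc_html__(); the markup between the placeholders is not visible here (tags were stripped), but wherever that value lands in the help-tab HTML it needs the escape for that context, e.g. `esc_attr( get_query_var( 'post_type' ) )` inside an attribute, or better a link assembled with `add_query_arg()` and wrapped in `esc_url()`. Only two `%s` placeholders are visible for three arguments; if the third lived in the stripped markup this is fine, otherwise the post-type argument is silently ignored and the reset link loses its target. The `$reset_order` variable the removed line used is presumably built earlier in admin_head(), which begins outside this hunk, and would now be dead code worth removing in the same commit.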
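Review bot: The two added lines that read `$_POST['_wpnonce']` and verify it are repeated verbatim in the ajax_reset_simple_page_ordering() hunk below; a private static helper keeps the action string and the sanitisation in one place so the two handlers cannot drift. wp_verify_nonce() only returns the check result, whereas the removed check_admin_referer() terminated the request itself, so the explicit `die( -1 )` here is what preserves the old client-visible behaviour and must stay paired with the helper call. The handler body continues past the end of the hunk.
```php
// … unchanged: handler opening and the die( - 1 ) guard …
if ( ! self::verify_request_nonce() ) {
	die( -1 );
}
// … unchanged: $post_id / $previd / $nextid parsing …

/**
 * Read the `_wpnonce` POST field and verify it against the shared action.
 *
 * Shared by ajax_simple_page_ordering() and ajax_reset_simple_page_ordering();
 * lives outside the handler bodies as its own method.
 *
 * @return bool True when the nonce is valid for the current user and session.
 */
private static function verify_request_nonce() {
	$nonce = isset( $_POST['_wpnonce'] ) ? sanitize_key( wp_unslash( $_POST['_wpnonce'] ) ) : '';

	return (bool) wp_verify_nonce( $nonce, 'simple-page-ordering-nonce' );
}
```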
@@ -229,20 +231,19 @@ public static function ajax_simple_page_ordering() {
 public static function ajax_reset_simple_page_ordering() {
 global $wpdb;
- // check and make sure we have what we need
- $post_type = $_POST['post_type'];
- if ( empty( $post_type ) ) {
+ $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_key( wp_unslash( $_POST['_wpnonce'] ) ) : '';
+
+ if ( ! wp_verify_nonce( $nonce, 'simple-page-ordering-nonce' ) ) {
 die( -1 );
 }
- // do we have a nonce that verifies?
- if ( empty( $_POST['_wpnonce'] ) || empty( $_POST['screen_id'] ) ) {
- // no nonce to verify...
+ // check and make sure we have what we need
+ $post_type = isset( $_POST['post_type'] ) ? sanitize_text_field( wp_unslash( $_POST['post_type'] ) ) : '';
+
+ if ( empty( $post_type ) ) {
 die( -1 );
 }
- check_admin_referer( 'simple-page-ordering_' . sanitize_key( $_POST['screen_id'] ) );
-
 // does user have the right to manage these post objects?
 if ( ! self::check_edit_others_caps( $post_type ) ) {
 die( -1 );
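Review bot: `$post_type` is now sanitized and rejected when empty, but nothing here confirms it names a registered post type before it reaches `check_edit_others_caps()` and, given the `global $wpdb` above, presumably the reset query further down; tightening the guard to `if ( empty( $post_type ) || ! post_type_exists( $post_type ) ) {` rejects arbitrary strings before any capability lookup or query runs. Registered post type names are themselves produced by sanitize_key(), so `sanitize_key()` is also the more precise sanitizer than sanitize_text_field() for this field. How `$post_type` is used in the query lies past the end of the hunk, so this is a defence-in-depth point rather than a claim about the query itself.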