

Prevent handling XHR request if _wp_amp_action_xhr_converted query var absent
westonruter committed Mar 21, 2018
1 parent 93b9577 commit f3218ea
Showing 2 changed files with 10 additions and 1 deletion.
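--- a/includes/class-amp-theme-support.php
+++ b/includes/class-amp-theme-support.php
@@ -363,7 +363,14 @@ public static function send_header( $name, $value, $args = array() ) {
 * @since 0.7.0
 */
 public static function handle_xhr_request() {
-if ( empty( self::$purged_amp_query_vars['__amp_source_origin'] ) || empty( $_SERVER['REQUEST_METHOD'] ) || 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
+$is_amp_xhr = (
+! empty( self::$purged_amp_query_vars['_wp_amp_action_xhr_converted'] )
+&&
+! empty( self::$purged_amp_query_vars['__amp_source_origin'] )
+&&
+( ! empty( $_SERVER['REQUEST_METHOD'] ) && 'POST' === $_SERVER['REQUEST_METHOD'] )
+);
+if ( ! $is_amp_xhr ) {
 return;
 }
 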
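Review bot: The new `_wp_amp_action_xhr_converted` condition narrows when handle_xhr_request() runs, but that marker is a query var any client can add to a request, so the code should say explicitly that it is a routing signal and not an authorization check; the `__amp_source_origin` validation (which the test file's "Try bad source origin" case suggests happens further down this method, outside the hunk) remains the actual control. A comment above the `$is_amp_xhr` assignment would do it: `// Only handle requests whose form action was rewritten to action-xhr (the marker is client-supplied, so it decides whether this code runs, not whether the request is trusted; the source origin is still checked below).` Note also that `empty()` treats a marker value of `'0'` as absent, which is fine for a presence flag but worth stating if the value is ever given meaning. handle_xhr_request() continues past the end of the hunk.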
2 changes: 2 additions & 0 deletions tests/test-class-amp-theme-support.php
Expand Up @@ -279,6 +279,8 @@ public function test_handle_xhr_request() {
AMP_Theme_Support::handle_xhr_request();
$this->assertEmpty( AMP_Theme_Support::$headers_sent );

$_GET['_wp_amp_action_xhr_converted'] = '1';

// Try bad source origin.
$_GET['__amp_source_origin'] = 'http://evil.example.com/';
$_SERVER['REQUEST_METHOD'] = 'POST';
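Review bot: The added `$_GET['_wp_amp_action_xhr_converted'] = '1';` enables the cases that follow, but nothing exercises the negative path this commit introduces: a POST with `__amp_source_origin` set and the marker absent should leave `AMP_Theme_Support::$headers_sent` empty. Before the marker is set, call `AMP_Theme_Support::handle_xhr_request()` with `$_GET['__amp_source_origin']` and `$_SERVER['REQUEST_METHOD'] = 'POST'` populated but the marker unset, and `$this->assertEmpty( AMP_Theme_Support::$headers_sent );` afterwards — assuming, as the existing assertions imply, that the method reads its query vars from `$_GET`. Whether `$_GET` is reset between tests is not visible here; if it is not, the marker should be unset at the end of the test so later tests are not affected. test_handle_xhr_request() starts and ends outside the hunk.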

