improved nonce handling
Carl Alberto committed Dec 25, 2019
1 parent 579a916 commit 0e69a44
Showing 5 changed files with 38 additions and 44 deletions.
6 changes: 5 additions & 1 deletion assets/js/admin.js
Expand Up @@ -20,7 +20,11 @@ jQuery(document).ready(
}
}

if ( '/wp-admin/options-general.php?page=easy_symlinks_settings&tab=delete&settings-updated=true' === refer ) {
var url3 = new URL(url.origin + refer);
var page3 = url3.searchParams.get("page");
var tab3 = url3.searchParams.get("tab");
var updated3 = url3.searchParams.get("settings-updated");
if ( ( 'easy_symlinks_settings' === page3 ) && ( 'delete' === tab ) && ( 'true' === updated3 ) ) {
var redir = url.origin + '/wp-admin/options-general.php?page=easy_symlinks_settings&tab=delete';
console.log( redir );
window.location.replace( redir );
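Review bot: The new condition compares `tab`, but the value parsed from `url3` two lines above is stored in `tab3`, so the `'delete' === tab` test never looks at the query string that was just parsed; it should read `if ( ( 'easy_symlinks_settings' === page3 ) && ( 'delete' === tab3 ) && ( 'true' === updated3 ) ) {`. Whether some other `tab` variable exists earlier in the handler cannot be seen here, as the enclosing `jQuery(document).ready` callback starts above the hunk; if it does not, the comparison is against `undefined` and the redirect never fires. assets/js/admin.min.js receives the identical, unminified lines, so the same one-line fix applies to its copy of the condition.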
12 changes: 11 additions & 1 deletion assets/js/admin.min.js
@@ -1,3 +1,9 @@
/**
* Easy Symlink admin js.
*
* @package Easy Symlink admin/JS
*/

jQuery(document).ready(
function (e) {
var url_string = window.location.href;
Expand All @@ -14,7 +20,11 @@ jQuery(document).ready(
}
}

if ( '/wp-admin/options-general.php?page=easy_symlinks_settings&tab=delete&settings-updated=true' === refer ) {
var url3 = new URL(url.origin + refer);
var page3 = url3.searchParams.get("page");
var tab3 = url3.searchParams.get("tab");
var updated3 = url3.searchParams.get("settings-updated");
if ( ( 'easy_symlinks_settings' === page3 ) && ( 'delete' === tab ) && ( 'true' === updated3 ) ) {
var redir = url.origin + '/wp-admin/options-general.php?page=easy_symlinks_settings&tab=delete';
console.log( redir );
window.location.replace( redir );
31 changes: 17 additions & 14 deletions includes/class-easy-symlinks-settings.php
Expand Up @@ -242,8 +242,14 @@ public function register_settings() {
// Check posted/selected tab.
$current_section = '';

// var_dump( $_REQUEST );
// $test = wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['caes_nonce'], 'caes_nonce' ) ) );
// $test2 = wp_verify_nonce( $_GET['caes_nonce'], 'caes_nonce' );
// var_dump( $test2 );
// var_dump( $test );

if ( isset( $_POST['tab'] ) ) {
if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['tab'] ) ) ) ) {
if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['tab'], 'caes_nonce' ) ) ) ) {
$current_section = sanitize_text_field( wp_unslash( $_POST['tab'] ) );
}
} else {
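Review bot: In the new `wp_verify_nonce` line the `'caes_nonce'` action is passed as a second argument to `wp_unslash()`, which takes one parameter and ignores extras, so `wp_verify_nonce()` still runs with its default action — and what it verifies is `$_POST['tab']`, the tab slug, not a nonce. Because the result is negated, `$current_section` is assigned only when that verification fails, the opposite of what a nonce check should gate. The check should read the nonce field the form actually posts (wp_nonce_field() defaults to `_wpnonce`; the form is not visible here) and proceed on success: `if ( isset( $_POST['tab'], $_POST['_wpnonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'caes_nonce' ) ) {`. The settings_page() hunk below has the complementary problem: `$val3` receives the verification result but is never tested, so `$tab` is accepted whether or not the nonce was valid. The commented-out var_dump/test lines added above the check are debug residue and should be dropped rather than committed.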
Expand Down Expand Up @@ -316,25 +322,21 @@ public function settings_page() {
$links = new Easy_Symlinks_Functions();

// Build page HTML.
$nonce = sanitize_text_field( wp_create_nonce( plugin_basename( __FILE__ ) ) );
$nonce = sanitize_text_field( wp_create_nonce( 'caes_nonce' ) );
$html = '<div class="wrap" id="' . $this->parent->token . '_settings">' . "\n";
$html .= '<h2>' . __( 'Easy Symlinks Management', 'easy-symlinks' ) . '</h2>' . "\n";

$tab = '';

if ( ! isset( $_GET['caes_nonce'] ) ) {
if ( isset( $_GET['page'] ) ) {
if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['page'] ) ) ) ) {
if ( isset( $_GET['tab'] ) && sanitize_text_field( wp_unslash( $_GET['tab'] ) ) ) {
$tab .= sanitize_text_field( wp_unslash( $_GET['tab'] ) );
}
}
// Proper nonce handling.
if ( isset( $_GET['caes_nonce'] ) ) {
$val3 = wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['caes_nonce'] ) ), 'caes_nonce' );
if ( isset( $_GET['tab'] ) && sanitize_text_field( wp_unslash( $_GET['tab'] ) ) ) {
$tab .= sanitize_text_field( wp_unslash( $_GET['tab'] ) );
}
} else {
if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['caes_nonce'] ) ) ) ) {
if ( isset( $_GET['tab'] ) && sanitize_text_field( wp_unslash( $_GET['tab'] ) ) ) {
$tab .= sanitize_text_field( wp_unslash( $_GET['tab'] ) );
}
if ( isset( $_GET['tab'] ) && sanitize_text_field( wp_unslash( $_GET['tab'] ) ) ) {
$tab .= sanitize_text_field( wp_unslash( $_GET['tab'] ) );
}
}

Expand Down Expand Up @@ -368,7 +370,8 @@ public function settings_page() {
// Set tab link.
$tab_link = add_query_arg(
array(
'tab' => $section,
'tab' => $section,
'caes_nonce' => $nonce,
// add nonce validation here.
)
);
9 changes: 5 additions & 4 deletions includes/class-easy-symlinks.php
Expand Up @@ -119,9 +119,10 @@ public function check_write() {
*/
public function savenew() {
$links = new Easy_Symlinks_Functions();
$nonce = sanitize_text_field( wp_create_nonce( plugin_basename( __FILE__ ) ) );
$nonce = sanitize_text_field( wp_create_nonce( 'savenew' ) );

if ( isset( $_GET['settings-updated'] ) ) {
if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $nonce ) ) ) ) {
if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $nonce, 'savenew' ) ) ) ) {
$updated = sanitize_text_field( wp_unslash( $_GET['settings-updated'] ) );
if ( isset( $_GET['tab'] ) ) {
$tab = sanitize_text_field( wp_unslash( $_GET['tab'] ) );
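Review bot: `savenew()` verifies a nonce it generated itself on the line above (`wp_create_nonce( 'savenew' )`) rather than one carried in the request, so the check cannot distinguish a user-initiated action from a forged one; the value passed to `wp_verify_nonce()` has to come from `$_GET`/`$_POST`, as settings_page() does with `$_GET['caes_nonce']`. As written, `'savenew'` is an extra argument to `wp_unslash()` and never reaches `wp_verify_nonce()`, which then checks against its default action, fails for a nonce created for `'savenew'`, and — negated by `!` — lets the body run on every request. `deletelink()` in the next hunk (`wp_create_nonce( 'deletelink' )` and `wp_unslash( $nonce, 'deletelink' )`) has the same two problems. A minimal shape is `if ( isset( $_GET['caes_nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['caes_nonce'] ) ), 'savenew' ) ) {`, with the link that reaches this handler carrying a nonce made by `wp_create_nonce( 'savenew' )`; whether the current links pass such a field cannot be seen from this page. Both function bodies continue past their hunks.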
Expand All @@ -144,10 +145,10 @@ public function savenew() {
*/
public function deletelink() {
$links = new Easy_Symlinks_Functions();
$nonce = wp_verify_nonce( sanitize_text_field( wp_unslash( plugin_basename( __FILE__ ) ) ) );
$nonce = sanitize_text_field( wp_create_nonce( 'deletelink' ) );

if ( isset( $_GET['settings-updated'] ) ) {
if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $nonce ) ) ) ) {
if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $nonce, 'deletelink' ) ) ) ) {
if ( isset( $_GET['tab'] ) ) {
$updated = sanitize_text_field( wp_unslash( $_GET['settings-updated'] ) );
$tab = sanitize_text_field( wp_unslash( $_GET['tab'] ) );
24 changes: 0 additions & 24 deletions includes/lib/class-easy-symlinks-admin-api.php
Expand Up @@ -204,30 +204,6 @@ public function display_field( $data = array(), $post = null, $echo = true ) {
echo wp_kses( $html, $this->allowed_htmls );
}

/**
* Validate form field
*
* @param string $data Submitted value.
* @param string $type Type of field to validate.
* @return string Validated value
*/
public function validate_field( $data = '', $type = 'text' ) {

switch ( $type ) {
case 'text':
$data = esc_attr( $data );
break;
case 'url':
$data = esc_url( $data );
break;
case 'email':
$data = is_email( $data );
break;
}

return $data;
}

/**
* Allowed html.
*
