WordPress.org
Get WordPress

Make WordPress Core

Changeset 40707


Ignore:
Timestamp:
05/16/2017 12:15:06 PM (8 years ago)
Author:
ocean90
Message:

Customize: Ignore invalid customization sessions.

Merge of [40704] to the 4.5 branch.

Location:
branches/4.5
Files:
4 edited

Legend:

Unmodified
Added
Removed

  • branches/4.5

  • branches/4.5/src/wp-admin/customize.php

    r36606r40707 
    133133                <div class="accordion-section-title">
    134134                    <span class="preview-notice"><?php
    135                         echo sprintf( __( 'You are customizing %s' ), '<strong class="panel-title site-title">' . get_bloginfo( 'name' ) . '</strong>' );
     135                        echo sprintf( __( 'You are customizing %s' ), '<strong class="panel-title site-title">' . get_bloginfo( 'name', 'display' ) . '</strong>' );
    136136                    ?></span>
    137137                    <button class="customize-help-toggle dashicons dashicons-editor-help" aria-expanded="false"><span class="screen-reader-text"><?php _e( 'Help' ); ?></span></button>

  • branches/4.5/src/wp-admin/js/customize-controls.js

    r37167r40707 
    33973397        });
    33983398
     3399        // Ensure preview nonce is included with every customized request, to allow post data to be read.
     3400        $.ajaxPrefilter( function injectPreviewNonce( options ) {
     3401            if ( ! /wp_customize=on/.test( options.data ) ) {
     3402                return;
     3403            }
     3404            options.data += '&' + $.param({
     3405                customize_preview_nonce: api.settings.nonce.preview
     3406            });
     3407        });
     3408
    33993409        // Refresh the nonces if the preview sends updated nonces over.
    34003410        api.previewer.bind( 'nonce', function( nonce ) {

  • branches/4.5/src/wp-includes/class-wp-customize-manager.php

    r37768r40707 
    386386
    387387        show_admin_bar( false );
     388
     389        /*
     390         * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
     391         * application will inject the customize_preview_nonce query parameter into all Ajax requests.
     392         * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
     393         * a user when a valid nonce isn't present.
     394         */
     395        $has_post_data_nonce = (
     396            check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
     397            ||
     398            check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
     399            ||
     400            check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
     401        );
     402        if ( ! $has_post_data_nonce ) {
     403            unset( $_POST['customized'] );
     404            unset( $_REQUEST['customized'] );
     405        }
    388406
    389407        if ( ! current_user_can( 'customize' ) ) {
Note: See TracChangeset for help on using the changeset viewer.