Customize: Ignore invalid customization sessions.
Merge of [40704] to the 4.7 branch. Built from https://develop.svn.wordpress.org/branches/4.7@40705 git-svn-id: http://core.svn.wordpress.org/branches/4.7@40568 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
0f3180de02
commit
2d7fa9d0dc
|
@ -155,7 +155,7 @@ do_action( 'customize_controls_print_scripts' );
|
||||||
<div id="customize-info" class="accordion-section customize-info">
|
<div id="customize-info" class="accordion-section customize-info">
|
||||||
<div class="accordion-section-title">
|
<div class="accordion-section-title">
|
||||||
<span class="preview-notice"><?php
|
<span class="preview-notice"><?php
|
||||||
echo sprintf( __( 'You are customizing %s' ), '<strong class="panel-title site-title">' . get_bloginfo( 'name' ) . '</strong>' );
|
echo sprintf( __( 'You are customizing %s' ), '<strong class="panel-title site-title">' . get_bloginfo( 'name', 'display' ) . '</strong>' );
|
||||||
?></span>
|
?></span>
|
||||||
<button type="button" class="customize-help-toggle dashicons dashicons-editor-help" aria-expanded="false"><span class="screen-reader-text"><?php _e( 'Help' ); ?></span></button>
|
<button type="button" class="customize-help-toggle dashicons dashicons-editor-help" aria-expanded="false"><span class="screen-reader-text"><?php _e( 'Help' ); ?></span></button>
|
||||||
</div>
|
</div>
|
||||||
|
|
|
@ -4579,6 +4579,16 @@
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
|
// Ensure preview nonce is included with every customized request, to allow post data to be read.
|
||||||
|
$.ajaxPrefilter( function injectPreviewNonce( options ) {
|
||||||
|
if ( ! /wp_customize=on/.test( options.data ) ) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
options.data += '&' + $.param({
|
||||||
|
customize_preview_nonce: api.settings.nonce.preview
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
// Refresh the nonces if the preview sends updated nonces over.
|
// Refresh the nonces if the preview sends updated nonces over.
|
||||||
api.previewer.bind( 'nonce', function( nonce ) {
|
api.previewer.bind( 'nonce', function( nonce ) {
|
||||||
$.extend( this.nonce, nonce );
|
$.extend( this.nonce, nonce );
|
||||||
|
|
File diff suppressed because one or more lines are too long
|
@ -484,6 +484,24 @@ final class WP_Customize_Manager {
|
||||||
$this->wp_die( -1, __( 'Invalid changeset UUID' ) );
|
$this->wp_die( -1, __( 'Invalid changeset UUID' ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
|
||||||
|
* application will inject the customize_preview_nonce query parameter into all Ajax requests.
|
||||||
|
* For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
|
||||||
|
* a user when a valid nonce isn't present.
|
||||||
|
*/
|
||||||
|
$has_post_data_nonce = (
|
||||||
|
check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
|
||||||
|
||
|
||||||
|
check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
|
||||||
|
||
|
||||||
|
check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
|
||||||
|
);
|
||||||
|
if ( ! current_user_can( 'customize' ) || ! $has_post_data_nonce ) {
|
||||||
|
unset( $_POST['customized'] );
|
||||||
|
unset( $_REQUEST['customized'] );
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* If unauthenticated then require a valid changeset UUID to load the preview.
|
* If unauthenticated then require a valid changeset UUID to load the preview.
|
||||||
* In this way, the UUID serves as a secret key. If the messenger channel is present,
|
* In this way, the UUID serves as a secret key. If the messenger channel is present,
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
*
|
*
|
||||||
* @global string $wp_version
|
* @global string $wp_version
|
||||||
*/
|
*/
|
||||||
$wp_version = '4.7.5-alpha-40693';
|
$wp_version = '4.7.5-alpha-40705';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||||
|
|
Loading…
Reference in New Issue