From 30dcdb6b49b6b803db01a29b34196d000750ad67 Mon Sep 17 00:00:00 2001
From: ryan
Date: Sat, 2 Sep 2006 22:05:37 +0000
Subject: [PATCH] Nonce delete comment. Props mdawaffe. fixes #3103
git-svn-id: http://svn.automattic.com/wordpress/trunk@4162 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/admin-ajax.php | 13 ++++++-------
 wp-admin/cat-js.php | 33 ++++++---------------------------
 wp-admin/custom-fields.js | 8 ++++----
 wp-admin/edit-form-comment.php | 4 ++--
 wp-includes/script-loader.php | 4 +++-
 5 files changed, 21 insertions(+), 41 deletions(-)
diff --git a/wp-admin/admin-ajax.php b/wp-admin/admin-ajax.php
index 0beb5bca0a..0536f44336 100644
--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -5,7 +5,6 @@ require_once('admin-db.php'); define('DOING_AJAX', true);
- check_ajax_referer(); if ( !is_user_logged_in() ) die('-1');
@@ -17,7 +16,7 @@ function wp_ajax_echo_meta( $pid, $mid, $key, $value ) { $value = wp_specialchars($value, true); $key_js = addslashes(wp_specialchars($key, 'double')); $key = wp_specialchars($key, true);
- $r = "$mid$pid";
+ $r = "$mid$pid"; $r .= ""; $r .= "";
@@ -25,7 +24,7 @@ function wp_ajax_echo_meta( $pid, $mid, $key, $value ) { $r .= "";
- $r .= "]]>";
+ $r .= "]]>"; return $r; }
@@ -148,9 +147,9 @@ case 'add-cat' : // From Manage->Categories $cat_full_name = wp_specialchars( $cat_full_name, 1 ); $r = "";
- $r .= "$cat->cat_ID$cat_full_name";
+ $r .= "$cat->cat_ID$cat_full_name]]>";
+ $r .= "]]>"; header('Content-type: text/xml'); die($r); break;
@@ -207,9 +206,9 @@ case 'add-user' : } elseif ( !$user_id ) { die('0'); }
- $r = "$user_id";
+ $r = "$user_id]]>";
+ $r .= "]]>"; header('Content-type: text/xml'); die($r); break;
diff --git a/wp-admin/cat-js.php b/wp-admin/cat-js.php
index c286168c72..2eb6001fb8 100644
--- a/wp-admin/cat-js.php
+++ b/wp-admin/cat-js.php
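Review bot: Dropping the file-level `check_ajax_referer();` in the first hunk removes the only CSRF check visible for this endpoint, and none of the later hunks in this file (`wp_ajax_echo_meta`, `add-cat`, `add-user`) add a per-action one in its place; the `if ( !is_user_logged_in() ) die('-1');` guard that remains only proves the browser carries a session, which a cross-site request carries as well. Unless every `case` in the switch (the switch itself lies outside these hunks) now validates an action-specific nonce, the add-cat and add-user handlers become reachable from any third-party page a logged-in user visits. I would expect each handler to begin with a call such as `check_ajax_referer( 'add-cat' );` (or whatever per-action form this tree's helper supports) before it touches the database, or the global call to stay until they all do.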
@@ -5,31 +5,10 @@ cache_javascript_headers(); addLoadEvent(function(){catList=new listMan('categorychecklist');catList.ajaxRespEl='jaxcat';catList.topAdder=1;catList.alt=0;catList.showLink=0;}); addLoadEvent(newCatAddIn); function newCatAddIn() {
- if ( !document.getElementById('jaxcat') ) return false;
- var ajaxcat = document.createElement('span');
- ajaxcat.id = 'ajaxcat';
-
- newcat = document.createElement('input');
- newcat.type = 'text';
- newcat.name = 'newcat';
- newcat.id = 'newcat';
- newcat.size = '16';
- newcat.setAttribute('autocomplete', 'off');
- newcat.onkeypress = function(e) { return killSubmit("catList.ajaxAdder('category','categorydiv');", e); };
-
- var newcatSub = document.createElement('input');
- newcatSub.type = 'button';
- newcatSub.name = 'Button';
- newcatSub.id = 'catadd';
- newcatSub.value = 'Add';
- newcatSub.onclick = function() { catList.ajaxAdder('category', 'categorydiv'); };
-
- ajaxcat.appendChild(newcat);
- ajaxcat.appendChild(newcatSub);
- document.getElementById('jaxcat').appendChild(ajaxcat);
-
- howto = document.createElement('span');
- howto.innerHTML = "";
- howto.id = 'howto';
- ajaxcat.appendChild(howto);
+ var jaxcat = $('jaxcat');
+ if ( !jaxcat )
+ return false;
+ jaxcat.update('');
+ $('newcat').onkeypress = function(e) { return killSubmit("catList.ajaxAdder('category','jaxcat');", e); };
+ $('catadd').onclick = function() { catList.ajaxAdder('category', 'jaxcat'); }; }
diff --git a/wp-admin/custom-fields.js b/wp-admin/custom-fields.js
index e86c87ebd6..d463ddcebf 100644
--- a/wp-admin/custom-fields.js
+++ b/wp-admin/custom-fields.js
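Review bot: The two handler assignments after `jaxcat.update(...)` dereference `$('newcat')` and `$('catadd')` with no null check, so newCatAddIn throws if the markup that update() inserts does not contain both ids; that markup argument is not visible on this page (it appears stripped), so I cannot confirm it does. The old code set `autocomplete` to off on the input it built and guarded its own container lookup; the replacement keeps only the container guard. A short guard before the assignments, `var newcat = $('newcat'), catadd = $('catadd'); if ( !newcat || !catadd ) return false;`, keeps the function as defensive as the path it replaces, and whether the inserted markup still disables autocomplete on `newcat` is worth confirming against the template.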
@@ -1,8 +1,8 @@ function customFieldsOnComplete() {
- var pidEl = document.getElementById('post_ID');
+ var pidEl = $('post_ID'); pidEl.name = 'post_ID'; pidEl.value = getNodeValue(theList.ajaxAdd.responseXML, 'postid');
- var aEl = document.getElementById('hiddenaction')
+ var aEl = $('hiddenaction') if ( aEl.value == 'post' ) aEl.value = 'postajaxpost'; } addLoadEvent(customFieldsAddIn);
@@ -21,6 +21,6 @@ function customFieldsAddIn() { } }
- document.getElementById('metakeyinput').onkeypress = function(e) {return killSubmit('theList.inputData+="&id="+document.getElementById("post_ID").value;theList.ajaxAdder("meta", "newmeta");', e); };
- document.getElementById('updatemetasub').onclick = function(e) {return killSubmit('theList.inputData+="&id="+document.getElementById("post_ID").value;theList.ajaxAdder("meta", "newmeta");', e); };
+ $('metakeyinput').onkeypress = function(e) {return killSubmit('theList.inputData+="&id="+$("post_ID").value;theList.ajaxAdder("meta", "newmeta");', e); };
+ $('updatemetasub').onclick = function(e) {return killSubmit('theList.inputData+="&id="+$("post_ID").value;theList.ajaxAdder("meta", "newmeta");', e); }; }
diff --git a/wp-admin/edit-form-comment.php b/wp-admin/edit-form-comment.php
index bbcac0b60c..b74d250757 100644
--- a/wp-admin/edit-form-comment.php
+++ b/wp-admin/edit-form-comment.php
@@ -66,8 +66,8 @@ addLoadEvent(focusit); - : - /> + comment_ID ); ?>: + />
diff --git a/wp-includes/script-loader.php b/wp-includes/script-loader.php
index d5a8986134..7ebcdae27c 100644
--- a/wp-includes/script-loader.php
+++ b/wp-includes/script-loader.php
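Review bot: The rewritten `var aEl = $('hiddenaction')` line in the first custom-fields.js hunk has no terminating semicolon and relies on automatic semicolon insertion before the following `if`; since the line is being touched anyway it should read `var aEl = $('hiddenaction');` like the `pidEl` line above it. The `aEl.value == 'post'` comparison on the next line is unchanged context, but while here it could become `===`, as the value is always a string.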
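Review bot: The code strings handed to killSubmit on both new lines of the second custom-fields.js hunk append `"&id="+$("post_ID").value` to `theList.inputData` every time they execute, and nothing in this hunk resets inputData; unless killSubmit or ajaxAdder clears it (neither is visible on this page), repeated submissions send a growing list of `id` parameters. The value is also concatenated into the request body raw; it is a numeric hidden field today, but writing it as `encodeURIComponent($("post_ID").value)` keeps the line safe if the field ever carries anything else. Building the handler from a string of source also makes both lines hard to read and review; if killSubmit accepts a function, a closure would be clearer than evaluating text.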
@@ -19,9 +19,11 @@ class WP_Scripts { $this->add( 'wp_tiny_mce', '/wp-includes/js/tinymce/tiny_mce_config.php', array('tiny_mce'), '04162006' ); $this->add( 'prototype', '/wp-includes/js/prototype.js', false, '1.5.0'); $this->add( 'autosave', '/wp-includes/js/autosave.js.php', array('prototype', 'sack'), '4107');
+ $this->add( 'wp-ajax', '/wp-includes/js/wp-ajax-js.php', array('prototype'), rand());
+ $this->add( 'listman', '/wp-includes/js/list-manipulation-js.php', array('wp-ajax', 'fat'), rand()); if ( is_admin() ) { $this->add( 'dbx-admin-key', '/wp-admin/dbx-admin-key-js.php', array('dbx'), '3651' );
- $this->add( 'listman', '/wp-admin/list-manipulation-js.php', array('sack', 'fat'), '4042' ); // Make changeset # the correct one
+ $this->add( 'listman-old', '/wp-admin/list-manipulation-js.php', array('sack', 'fat'), '4042' ); // Make changeset # the correct one $this->add( 'ajaxcat', '/wp-admin/cat-js.php', array('listman'), '3684' ); $this->add( 'admin-categories', '/wp-admin/categories.js', array('listman'), '3684' ); $this->add( 'admin-custom-fields', '/wp-admin/custom-fields.js', array('listman'), '3733' );
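Review bot: The two added `$this->add( ... )` lines pass `rand()` as the script version, so every page load presumably emits a different version query string for wp-ajax-js.php and list-manipulation-js.php and the browser can never cache either; every other entry in this block pins a changeset number, and the renamed `listman-old` line still carries the reminder comment about getting that number right. Use the changeset this patch lands as (4162 per the git-svn-id trailer): `$this->add( 'wp-ajax', '/wp-includes/js/wp-ajax-js.php', array('prototype'), '4162');` and the same for `listman`. Note also that `ajaxcat`, `admin-categories` and `admin-custom-fields` still depend on `listman`, which now resolves to the new wp-includes script built on `wp-ajax` rather than `sack`; if that redirection is intended, nothing in this hunk depends on `listman-old` any more, so its purpose should be stated in the comment or the entry dropped.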