Nonce delete comment. Props mdawaffe. fixes #3103

git-svn-id: http://svn.automattic.com/wordpress/trunk@4162 1a063a9b-81f0-0310-95a4-ce76da25c4cd
ryan 2006-09-02 22:05:37 +00:00
parent 3017bb3bc8
commit 30dcdb6b49
5 changed files with 21 additions and 41 deletions


@ -5,7 +5,6 @@ require_once('admin-db.php');
define('DOING_AJAX', true); define('DOING_AJAX', true);
check_ajax_referer(); check_ajax_referer();
if ( !is_user_logged_in() ) if ( !is_user_logged_in() )
die('-1'); die('-1');
@ -17,7 +16,7 @@ function wp_ajax_echo_meta( $pid, $mid, $key, $value ) {
$value = wp_specialchars($value, true); $value = wp_specialchars($value, true);
$key_js = addslashes(wp_specialchars($key, 'double')); $key_js = addslashes(wp_specialchars($key, 'double'));
$key = wp_specialchars($key, true); $key = wp_specialchars($key, true);
$r = "<meta><id>$mid</id><postid>$pid</postid><newitem><![CDATA[<table><tbody>"; $r = "<meta><id>$mid</id><postid>$pid</postid><newitem><![CDATA[";
$r .= "<tr id='meta-$mid'><td valign='top'>"; $r .= "<tr id='meta-$mid'><td valign='top'>";
$r .= "<input name='meta[$mid][key]' tabindex='6' onkeypress='return killSubmit(\"theList.ajaxUpdater(&#039;meta&#039;,&#039;meta-$mid&#039;);\",event);' type='text' size='20' value='$key' />"; $r .= "<input name='meta[$mid][key]' tabindex='6' onkeypress='return killSubmit(\"theList.ajaxUpdater(&#039;meta&#039;,&#039;meta-$mid&#039;);\",event);' type='text' size='20' value='$key' />";
$r .= "</td><td><textarea name='meta[$mid][value]' tabindex='6' rows='2' cols='30'>$value</textarea></td><td align='center'>"; $r .= "</td><td><textarea name='meta[$mid][value]' tabindex='6' rows='2' cols='30'>$value</textarea></td><td align='center'>";
@ -25,7 +24,7 @@ function wp_ajax_echo_meta( $pid, $mid, $key, $value ) {
$r .= "<input name='deletemeta[$mid]' type='submit' onclick=\"return deleteSomething( 'meta', $mid, '"; $r .= "<input name='deletemeta[$mid]' type='submit' onclick=\"return deleteSomething( 'meta', $mid, '";
$r .= sprintf(__("You are about to delete the &quot;%s&quot; custom field on this post.\\n&quot;OK&quot; to delete, &quot;Cancel&quot; to stop."), $key_js); $r .= sprintf(__("You are about to delete the &quot;%s&quot; custom field on this post.\\n&quot;OK&quot; to delete, &quot;Cancel&quot; to stop."), $key_js);
$r .= "' );\" class='deletemeta' tabindex='6' value='Delete' />"; $r .= "' );\" class='deletemeta' tabindex='6' value='Delete' />";
$r .= "</td></tr></tbody></table>]]></newitem></meta>"; $r .= "</td></tr>]]></newitem></meta>";
return $r; return $r;
} }
@ -148,9 +147,9 @@ case 'add-cat' : // From Manage->Categories
$cat_full_name = wp_specialchars( $cat_full_name, 1 ); $cat_full_name = wp_specialchars( $cat_full_name, 1 );
$r = "<?xml version='1.0' standalone='yes'?><ajaxresponse>"; $r = "<?xml version='1.0' standalone='yes'?><ajaxresponse>";
$r .= "<cat><id>$cat->cat_ID</id><name>$cat_full_name</name><newitem><![CDATA[<table><tbody>"; $r .= "<cat><id>$cat->cat_ID</id><name>$cat_full_name</name><newitem><![CDATA[";
$r .= _cat_row( $cat, $level, $cat_full_name ); $r .= _cat_row( $cat, $level, $cat_full_name );
$r .= "</tbody></table>]]></newitem></cat></ajaxresponse>"; $r .= "]]></newitem></cat></ajaxresponse>";
header('Content-type: text/xml'); header('Content-type: text/xml');
die($r); die($r);
break; break;
@ -207,9 +206,9 @@ case 'add-user' :
} elseif ( !$user_id ) { } elseif ( !$user_id ) {
die('0'); die('0');
} }
$r = "<?xml version='1.0' standalone='yes'?><ajaxresponse><user><id>$user_id</id><newitem><![CDATA[<table><tbody>"; $r = "<?xml version='1.0' standalone='yes'?><ajaxresponse><user><id>$user_id</id><newitem><![CDATA[";
$r .= user_row( $user_id ); $r .= user_row( $user_id );
$r .= "</tbody></table>]]></newitem></user></ajaxresponse>"; $r .= "]]></newitem></user></ajaxresponse>";
header('Content-type: text/xml'); header('Content-type: text/xml');
die($r); die($r);
break; break;
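Review bot: wp_ajax_echo_meta still interpolates `$pid` and `$mid` unescaped into the XML body, the `id='meta-$mid'` attribute, the inline `onkeypress` handler and the `deleteSomething( 'meta', $mid` call, while `$key` and `$value` on the lines above are escaped per context. If either value can arrive from a request parameter rather than from an insert ID, a non-numeric value breaks out of those contexts; casting at the top of the function, `$pid = (int) $pid; $mid = (int) $mid;`, makes the integer assumption explicit and costs nothing when they already are integers. The function's signature is only visible in the hunk header context, so its callers are outside this diff and the origin of the two values cannot be confirmed here.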


@ -5,31 +5,10 @@ cache_javascript_headers();
addLoadEvent(function(){catList=new listMan('categorychecklist');catList.ajaxRespEl='jaxcat';catList.topAdder=1;catList.alt=0;catList.showLink=0;}); addLoadEvent(function(){catList=new listMan('categorychecklist');catList.ajaxRespEl='jaxcat';catList.topAdder=1;catList.alt=0;catList.showLink=0;});
addLoadEvent(newCatAddIn); addLoadEvent(newCatAddIn);
function newCatAddIn() { function newCatAddIn() {
if ( !document.getElementById('jaxcat') ) return false; var jaxcat = $('jaxcat');
var ajaxcat = document.createElement('span'); if ( !jaxcat )
ajaxcat.id = 'ajaxcat'; return false;
jaxcat.update('<span id="ajaxcat"><input type="text" name="newcat" id="newcat" size="16" autocomplete="off"/><input type="button" name="Button" id="catadd" value="Add"/><span id="howto"><?php _e('Separate multiple categories with commas.'); ?></span></span>');
newcat = document.createElement('input'); $('newcat').onkeypress = function(e) { return killSubmit("catList.ajaxAdder('category','jaxcat');", e); };
newcat.type = 'text'; $('catadd').onclick = function() { catList.ajaxAdder('category', 'jaxcat'); };
newcat.name = 'newcat';
newcat.id = 'newcat';
newcat.size = '16';
newcat.setAttribute('autocomplete', 'off');
newcat.onkeypress = function(e) { return killSubmit("catList.ajaxAdder('category','categorydiv');", e); };
var newcatSub = document.createElement('input');
newcatSub.type = 'button';
newcatSub.name = 'Button';
newcatSub.id = 'catadd';
newcatSub.value = 'Add';
newcatSub.onclick = function() { catList.ajaxAdder('category', 'categorydiv'); };
ajaxcat.appendChild(newcat);
ajaxcat.appendChild(newcatSub);
document.getElementById('jaxcat').appendChild(ajaxcat);
howto = document.createElement('span');
howto.innerHTML = "<?php _e('Separate multiple categories with commas.'); ?>";
howto.id = 'howto';
ajaxcat.appendChild(howto);
} }
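Review bot: The translated text emitted by `<?php _e('Separate multiple categories with commas.'); ?>` on the `jaxcat.update(...)` line now sits inside a single-quoted JavaScript string literal, so a translation containing an apostrophe or a newline terminates the literal and breaks the whole Add Category widget, and because the markup is then assigned via innerHTML the string is in both a JS and an HTML context. The DOM-building code this replaces put the same string in a double-quoted literal, so the problem is not new, but the rewrite is the moment to close it: emit it as `<?php echo addslashes(__('Separate multiple categories with commas.')); ?>`, the same escaping the sibling admin-ajax.php change applies to `$key_js`. Whether language packs count as trusted input is a policy question; at minimum the escape keeps a stray quote in a translation from taking the script down.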


@ -1,8 +1,8 @@
function customFieldsOnComplete() { function customFieldsOnComplete() {
var pidEl = document.getElementById('post_ID'); var pidEl = $('post_ID');
pidEl.name = 'post_ID'; pidEl.name = 'post_ID';
pidEl.value = getNodeValue(theList.ajaxAdd.responseXML, 'postid'); pidEl.value = getNodeValue(theList.ajaxAdd.responseXML, 'postid');
var aEl = document.getElementById('hiddenaction') var aEl = $('hiddenaction')
if ( aEl.value == 'post' ) aEl.value = 'postajaxpost'; if ( aEl.value == 'post' ) aEl.value = 'postajaxpost';
} }
addLoadEvent(customFieldsAddIn); addLoadEvent(customFieldsAddIn);
@ -21,6 +21,6 @@ function customFieldsAddIn() {
} }
} }
document.getElementById('metakeyinput').onkeypress = function(e) {return killSubmit('theList.inputData+="&id="+document.getElementById("post_ID").value;theList.ajaxAdder("meta", "newmeta");', e); }; $('metakeyinput').onkeypress = function(e) {return killSubmit('theList.inputData+="&id="+$("post_ID").value;theList.ajaxAdder("meta", "newmeta");', e); };
document.getElementById('updatemetasub').onclick = function(e) {return killSubmit('theList.inputData+="&id="+document.getElementById("post_ID").value;theList.ajaxAdder("meta", "newmeta");', e); }; $('updatemetasub').onclick = function(e) {return killSubmit('theList.inputData+="&id="+$("post_ID").value;theList.ajaxAdder("meta", "newmeta");', e); };
} }


@ -66,8 +66,8 @@ addLoadEvent(focusit);
<?php endif; ?> <?php endif; ?>
<tr> <tr>
<th scope="row" valign="top"><?php _e('Delete'); ?>:</th> <th scope="row" valign="top"><?php _e('Delete'); $delete_nonce = wp_create_nonce( 'delete-comment_' . $comment->comment_ID ); ?>:</th>
<td><input name="deletecomment" class="button" type="submit" id="deletecomment" tabindex="10" value="<?php _e('Delete this comment') ?>" <?php echo "onclick=\"return confirm('" . __("You are about to delete this comment \\n \'Cancel\' to stop, \'OK\' to delete.") . "')\""; ?> /> <td><input name="deletecomment" class="button" type="submit" id="deletecomment" tabindex="10" value="<?php _e('Delete this comment') ?>" <?php echo "onclick=\"if ( confirm('" . __("You are about to delete this comment \\n \'Cancel\' to stop, \'OK\' to delete.") . "') ) { document.forms.post._wpnonce.value = '$delete_nonce'; return true; } return false;\""; ?> />
<input type="hidden" name="comment" value="<?php echo $comment->comment_ID ?>" /> <input type="hidden" name="comment" value="<?php echo $comment->comment_ID ?>" />
<input type="hidden" name="p" value="<?php echo $comment->comment_post_ID ?>" /> <input type="hidden" name="p" value="<?php echo $comment->comment_post_ID ?>" />
<input type="hidden" name="noredir" value="1" /> <input type="hidden" name="noredir" value="1" />
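Review bot: The delete nonce only reaches the form through the inline `onclick`, which overwrites `document.forms.post._wpnonce` after the confirm() dialog; with scripting disabled, or if the form is not named `post`, the button submits whatever `_wpnonce` the form was rendered with, so the delete is refused rather than performed — fail-closed, but a silent regression for non-JS users that a dedicated hidden field carrying the delete nonce would avoid, provided the receiving action (not in this diff) reads it. Computing the nonce inside the `<th>` cell's PHP tag is also easy to miss; hoist it above the row and say why it is swapped in, e.g. `<?php $delete_nonce = wp_create_nonce( 'delete-comment_' . $comment->comment_ID ); // the form's _wpnonce covers the edit action; the delete button swaps in its own nonce on confirm ?>`. The translated confirm text is still placed in a single-quoted JS string inside the attribute without escaping, as it was before this change.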


@ -19,9 +19,11 @@ class WP_Scripts {
$this->add( 'wp_tiny_mce', '/wp-includes/js/tinymce/tiny_mce_config.php', array('tiny_mce'), '04162006' ); $this->add( 'wp_tiny_mce', '/wp-includes/js/tinymce/tiny_mce_config.php', array('tiny_mce'), '04162006' );
$this->add( 'prototype', '/wp-includes/js/prototype.js', false, '1.5.0'); $this->add( 'prototype', '/wp-includes/js/prototype.js', false, '1.5.0');
$this->add( 'autosave', '/wp-includes/js/autosave.js.php', array('prototype', 'sack'), '4107'); $this->add( 'autosave', '/wp-includes/js/autosave.js.php', array('prototype', 'sack'), '4107');
$this->add( 'wp-ajax', '/wp-includes/js/wp-ajax-js.php', array('prototype'), rand());
$this->add( 'listman', '/wp-includes/js/list-manipulation-js.php', array('wp-ajax', 'fat'), rand());
if ( is_admin() ) { if ( is_admin() ) {
$this->add( 'dbx-admin-key', '/wp-admin/dbx-admin-key-js.php', array('dbx'), '3651' ); $this->add( 'dbx-admin-key', '/wp-admin/dbx-admin-key-js.php', array('dbx'), '3651' );
$this->add( 'listman', '/wp-admin/list-manipulation-js.php', array('sack', 'fat'), '4042' ); // Make changeset # the correct one $this->add( 'listman-old', '/wp-admin/list-manipulation-js.php', array('sack', 'fat'), '4042' ); // Make changeset # the correct one
$this->add( 'ajaxcat', '/wp-admin/cat-js.php', array('listman'), '3684' ); $this->add( 'ajaxcat', '/wp-admin/cat-js.php', array('listman'), '3684' );
$this->add( 'admin-categories', '/wp-admin/categories.js', array('listman'), '3684' ); $this->add( 'admin-categories', '/wp-admin/categories.js', array('listman'), '3684' );
$this->add( 'admin-custom-fields', '/wp-admin/custom-fields.js', array('listman'), '3733' ); $this->add( 'admin-custom-fields', '/wp-admin/custom-fields.js', array('listman'), '3733' );
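Review bot: `rand()` as the version string for the new `wp-ajax` and `listman` registrations gives each script URL a different `?ver=` on every request, so browsers and proxies never cache these two files and the version no longer identifies which revision is deployed; every other entry in this constructor pins an SVN changeset (`'4107'`, `'3651'`, `'4042'`). Use this commit's revision from the git-svn-id trailer, `'4162'`, or at least annotate the random value as a temporary cache-buster to be replaced, as the `// Make changeset # the correct one` note on the next line already does for `listman-old`. Renaming the admin registration to `listman-old` while `ajaxcat`, `admin-categories` and `admin-custom-fields` keep depending on `listman` means they now load the wp-includes version pulling `wp-ajax` and `prototype` instead of `sack`; if that is intended, a one-line comment would spare the next reader the same trace. The WP_Scripts constructor continues outside the hunk.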