Add nonce for widget accessibility mode.

Props vortfu.

See #23328.

Merges [39760] to 4.3 branch.

Built from https://develop.svn.wordpress.org/branches/4.3@39765


git-svn-id: http://core.svn.wordpress.org/branches/4.3@39703 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Aaron Campbell 2017-01-11 01:47:27 +00:00
parent 86a3e6e871
commit 8236eda6c6
2 changed files with 4 additions and 1 deletions


@ -1004,7 +1004,8 @@ final class WP_Screen {
switch ( $this->base ) { switch ( $this->base ) {
case 'widgets': case 'widgets':
$this->_screen_settings = '<p><a id="access-on" href="widgets.php?widgets-access=on">' . __('Enable accessibility mode') . '</a><a id="access-off" href="widgets.php?widgets-access=off">' . __('Disable accessibility mode') . "</a></p>\n"; $nonce = wp_create_nonce( 'widgets-access' );
$this->_screen_settings = '<p><a id="access-on" href="widgets.php?widgets-access=on&_wpnonce=' . urlencode( $nonce ) . '">' . __('Enable accessibility mode') . '</a><a id="access-off" href="widgets.php?widgets-access=off&_wpnonce=' . urlencode( $nonce ) . '">' . __('Disable accessibility mode') . "</a></p>\n";
break; break;
case 'post' : case 'post' :
$expand = '<div class="editor-expand hidden"><label for="editor-expand-toggle">'; $expand = '<div class="editor-expand hidden"><label for="editor-expand-toggle">';
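Review bot: Both `href` values in the `case 'widgets':` branch are assembled by hand with a raw `&` before `_wpnonce`, which is unescaped inside an HTML attribute and repeats work the core helper already does. `wp_nonce_url( 'widgets.php?widgets-access=on', 'widgets-access' )` (and the same for `off`) appends `_wpnonce` and escapes the result, and it keeps the action string next to the URL it protects. A short comment such as `// Nonce action must match check_admin_referer() in widgets.php.` would also help, because the two files have to agree on `'widgets-access'` for the check to pass. The enclosing `switch` continues past the end of the hunk.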


@ -17,6 +17,8 @@ if ( ! current_user_can('edit_theme_options') )
$widgets_access = get_user_setting( 'widgets_access' ); $widgets_access = get_user_setting( 'widgets_access' );
if ( isset($_GET['widgets-access']) ) { if ( isset($_GET['widgets-access']) ) {
check_admin_referer( 'widgets-access' );
$widgets_access = 'on' == $_GET['widgets-access'] ? 'on' : 'off'; $widgets_access = 'on' == $_GET['widgets-access'] ? 'on' : 'off';
set_user_setting( 'widgets_access', $widgets_access ); set_user_setting( 'widgets_access', $widgets_access );
} }
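Review bot: The added `check_admin_referer( 'widgets-access' )` is the only CSRF guard on this state change and has no comment saying so; a line such as `// Verify the nonce before changing the user setting; the action must match the one used for the screen-options links.` would record why it has to stay ahead of `set_user_setting()`. The toggle is still performed on a GET request, so the nonce stays in the address bar and browser history and may appear in the Referer header of later requests. If nothing after the hunk already redirects (not visible here), consider redirecting to the URL without the query arguments once the setting is saved, e.g. `wp_redirect( remove_query_arg( array( 'widgets-access', '_wpnonce' ) ) ); exit;`.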