From 97acdb6f44223220fa33b0d62a3e6ff07804315b Mon Sep 17 00:00:00 2001
From: ryan <ryan@1a063a9b-81f0-0310-95a4-ce76da25c4cd>
Date: Sun, 28 May 2006 23:33:05 +0000
Subject: [PATCH] nonce and comment fixes from Juergen. fixes #2748

git-svn-id: http://svn.automattic.com/wordpress/branches/2.0@3808 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/edit-comments.php     | 8 ++++----
 wp-admin/list-manipulation.php | 1 +
 wp-admin/moderation.php        | 2 +-
 wp-admin/post.php              | 1 +
 4 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/wp-admin/edit-comments.php b/wp-admin/edit-comments.php
index 7e88d2e7a7..5bb4c6e4d5 100644
--- a/wp-admin/edit-comments.php
+++ b/wp-admin/edit-comments.php
@@ -98,13 +98,13 @@ if ('view' == $mode) {
         <p><?php _e('Posted'); echo ' '; comment_date('M j, g:i A');  
 			if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
 				echo " | <a href=\"post.php?action=editcomment&amp;comment=".$comment->comment_ID."\">" . __('Edit Comment') . "</a>";
-				echo ' | <a href="' . wp_nonce_url('comment.php?action=deletecomment&amp;p=' . $post->ID . '&amp;comment=' . $comment->comment_ID, 'delete-comment_' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . __("You are about to delete this comment.\\n&quot;Cancel&quot; to stop, &quot;OK&quot; to delete.") . "' );\">" . __('Delete Comment') . '</a> ';
+				echo ' | <a href="' . wp_nonce_url('post.php?action=deletecomment&amp;p=' . $post->ID . '&amp;comment=' . $comment->comment_ID, 'delete-comment_' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . __("You are about to delete this comment.\\n&quot;Cancel&quot; to stop, &quot;OK&quot; to delete.") . "' );\">" . __('Delete Comment') . '</a> ';
 			} // end if any comments to show
 			// Get post title
 			if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
 				$post_title = $wpdb->get_var("SELECT post_title FROM $wpdb->posts WHERE ID = $comment->comment_post_ID");
 				$post_title = ('' == $post_title) ? "# $comment->comment_post_ID" : $post_title;
-				?> <a href="post.php?action=edit&amp;post=<?php echo $comment->comment_post_ID; ?>"><?php printf(__('Edit Post &#8220;%s&#8221;'), stripslashes($post_title)); ?></a>
+				?> | <a href="post.php?action=edit&amp;post=<?php echo $comment->comment_post_ID; ?>"><?php printf(__('Edit Post &#8220;%s&#8221;'), stripslashes($post_title)); ?></a>
 				<?php } ?>
 			 | <a href="<?php echo get_permalink($comment->comment_post_ID); ?>"><?php _e('View Post') ?></a></p>
 		</li>
@@ -151,13 +151,13 @@ if ('view' == $mode) {
     <td><?php if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
 	echo "<a href='post.php?action=editcomment&amp;comment=$comment->comment_ID' class='edit'>" .  __('Edit') . "</a>"; } ?></td>
     <td><?php if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
-            echo "<a href=\"post.php?action=deletecomment&amp;p=".$comment->comment_post_ID."&amp;comment=".$comment->comment_ID."\" onclick=\"return confirm('" . __("You are about to delete this comment\\n  \'Cancel\' to stop, \'OK\' to delete.") . "')\"    class='delete'>" . __('Delete') . "</a>"; } ?></td>
+            echo "<a href=\"" . wp_nonce_url("post.php?action=deletecomment&amp;p=".$comment->comment_post_ID."&amp;comment=".$comment->comment_ID, 'delete-comment_' . $comment->comment_ID) . "\" onclick=\"return confirm('" . __("You are about to delete this comment.\\n  \'Cancel\' to stop, \'OK\' to delete.") . "')\"    class='delete'>" . __('Delete') . "</a>"; } ?></td>
   </tr>
 		<?php 
 		} // end foreach
 	?></table>
     <p><a href="javascript:;" onclick="checkAll(document.getElementById('deletecomments')); return false; "><?php _e('Invert Checkbox Selection') ?></a></p>
-            <p class="submit"><input type="submit" name="Submit" value="<?php _e('Delete Checked Comments') ?> &raquo;" onclick="return confirm('<?php _e("You are about to delete these comments permanently \\n  \'Cancel\' to stop, \'OK\' to delete.") ?>')" />	</p>
+            <p class="submit"><input type="submit" name="Submit" value="<?php _e('Delete Checked Comments') ?> &raquo;" onclick="return confirm('<?php _e("You are about to delete these comments permanently.\\n  \'Cancel\' to stop, \'OK\' to delete.") ?>')" />	</p>
   </form>
 <?php
 	} else {
diff --git a/wp-admin/list-manipulation.php b/wp-admin/list-manipulation.php
index 3cae284e58..014f810af6 100644
--- a/wp-admin/list-manipulation.php
+++ b/wp-admin/list-manipulation.php
@@ -2,6 +2,7 @@
 require_once('../wp-config.php');
 require_once('admin-functions.php');
 require_once('admin-db.php');
+header("Content-type: text/plain", true);
 
 if ( !is_user_logged_in() )
 	die('-1');
diff --git a/wp-admin/moderation.php b/wp-admin/moderation.php
index 0abdbf2547..514db1f324 100644
--- a/wp-admin/moderation.php
+++ b/wp-admin/moderation.php
@@ -151,7 +151,7 @@ $i = 0;
 echo '<a href="post.php?action=editcomment&amp;comment='.$comment->comment_ID.'">' . __('Edit') . '</a> | ';?>
 <a href="<?php echo get_permalink($comment->comment_post_ID); ?>"><?php _e('View Post') ?></a> | 
 <?php 
-echo " <a href=\"post.php?action=deletecomment&amp;p=".$comment->comment_post_ID."&amp;comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment', $comment->comment_ID, '" . __("You are about to delete this comment.\\n&quot;Cancel&quot; to stop, &quot;OK&quot; to delete.") . "' );\">" . __('Delete just this comment') . "</a> | "; ?>  <?php _e('Bulk action:') ?>
+echo " <a href=\"" . wp_nonce_url("post.php?action=deletecomment&amp;p=".$comment->comment_post_ID."&amp;comment=".$comment->comment_ID, 'delete-comment_' . $comment->comment_ID) . "\" onclick=\"return deleteSomething( 'comment', $comment->comment_ID, '" . __("You are about to delete this comment.\\n&quot;Cancel&quot; to stop, &quot;OK&quot; to delete.") . "' );\">" . __('Delete just this comment') . "</a> | "; ?>  <?php _e('Bulk action:') ?>
 	<input type="radio" name="comment[<?php echo $comment->comment_ID; ?>]" id="comment[<?php echo $comment->comment_ID; ?>]-approve" value="approve" /> <label for="comment[<?php echo $comment->comment_ID; ?>]-approve"><?php _e('Approve') ?></label>
 	<input type="radio" name="comment[<?php echo $comment->comment_ID; ?>]" id="comment[<?php echo $comment->comment_ID; ?>]-spam" value="spam" /> <label for="comment[<?php echo $comment->comment_ID; ?>]-spam"><?php _e('Spam') ?></label>
 	<input type="radio" name="comment[<?php echo $comment->comment_ID; ?>]" id="comment[<?php echo $comment->comment_ID; ?>]-delete" value="delete" /> <label for="comment[<?php echo $comment->comment_ID; ?>]-delete"><?php _e('Delete') ?></label>
diff --git a/wp-admin/post.php b/wp-admin/post.php
index f639a5fd2e..d608b3cd3d 100644
--- a/wp-admin/post.php
+++ b/wp-admin/post.php
@@ -203,6 +203,7 @@ case 'confirmdeletecomment':
 	echo "<input type='hidden' name='p' value='$p' />\n";
 	echo "<input type='hidden' name='comment' value='{$comment->comment_ID}' />\n";
 	echo "<input type='hidden' name='noredir' value='1' />\n";
+	wp_nonce_field('delete-comment_' .  $comment->comment_ID);
 	echo "<input type='submit' value='" . __('Yes') . "' />";
 	echo "&nbsp;&nbsp;";
 	echo "<input type='button' value='" . __('No') . "' onclick=\"self.location='". get_settings('siteurl') ."/wp-admin/edit.php?p=$p&amp;c=1#comments';\" />\n";