
Commit b8788a1

add nonce in all wp ajax calls
1 parent 381326c commit b8788a1

8 files changed

+253
-126
lines changed


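--- a/admin/mf_ajax_call.php
+++ b/admin/mf_ajax_call.php
@@ -10,6 +10,14 @@ public function __construct(){
 }
 
 public function resolve($data){
+
+if( !check_ajax_referer( 'mf_nonce_ajax', 'security', false ) ) {
+mf_ajax_call::remove_upload_file();
+$resp = array('success' => false, 'msg' => __('Sorry, your nonce did not verify..',$mf_domain) );
+echo json_encode($resp);
+die;
+}
+
 $type = $data['type'];
 if(method_exists($this, $type)){
 $this->$type($data);
@@ -24,10 +32,14 @@ public function mf_sort_field($data){
 array_walk( $order, create_function( '&$v,$k', '$v = str_replace("order_","",$v);' ));
 
 if( $thing = mf_custom_fields::save_order_field( $data['group_id'], $order ) ) {
-print "1";
+$resp = array('success' => true);
+echo json_encode($resp);
 die;
 }
-print "0"; //error!
+
+$resp = array('success' => false, 'msg' => __('Ups, something went wrong',$mf_domain) );
+echo json_encode($resp);
+die;
 }
 }
 
@@ -39,9 +51,9 @@ public function check_name_post_type($data){
 $check = mf_posttype::check_post_type($type,$id);
 if($check){
 // exist type(name) in the system
-$resp = array('success' => 0, 'msg' => __('The Type(name) of Post type exist,Please choose a different type(name).',$mf_domain) );
+$resp = array('success' => false, 'msg' => __('The Type(name) of Post type exist,Please choose a different type(name).',$mf_domain) );
 }else{
-$resp = array('success' => 1);
+$resp = array('success' => true);
 }
 echo json_encode($resp);
 }
@@ -52,11 +64,11 @@ public function check_name_custom_group($data){
 $name = $data['group_name'];
 $post_type = $data['post_type'];
 $id = $data['group_id'];
-$resp = array('success' => 1);
+$resp = array('success' => true);
 
 $check = mf_custom_group::check_group($name,$post_type,$id);
 if($check){
-$resp = array('success' => 0, 'msg' => __('The name of Group exist in this post type, Please choose a different name.',$mf_domain) );
+$resp = array('success' => false, 'msg' => __('The name of Group exist in this post type, Please choose a different name.',$mf_domain) );
 }
 
 echo json_encode($resp);
@@ -68,11 +80,11 @@ public function check_name_custom_field($data){
 $name = $data['field_name'];
 $post_type = $data['post_type'];
 $id = $data['field_id'];
-$resp = array('success' => 1);
+$resp = array('success' => true);
 
 $check = mf_custom_fields::check_group($name,$post_type,$id);
 if($check){
-$resp = array('success' => 0, 'msg' => __('The name of Field exist in this post type, Please choose a different name.',$mf_domain) );
+$resp = array('success' => false, 'msg' => __('The name of Field exist in this post type, Please choose a different name.',$mf_domain) );
 }
 echo json_encode($resp);
 }
@@ -151,10 +163,8 @@ public function set_default_categories($data){
 );
 }
 $wpdb->query($sql);
-$resp = array('success' => 1);
-
+$resp = array('success' => true);
 //update_post_meta(-2, $post_type, $cats);
-
 echo json_encode($resp);
 }
 
@@ -172,13 +182,6 @@ public static function remove_upload_file() {
 public function upload_ajax($data){
 global $mf_domain;
 
-if( !check_ajax_referer( 'mf_nonce_ajax', 'security', false ) ) {
-mf_ajax_call::remove_upload_file();
-$resp = array('success' => false, 'msg' => __('Sorry, your nonce did not verify..',$mf_domain) );
-echo json_encode($resp);
-die;
-}
-
 if ( !current_user_can('upload_files') ){
 mf_ajax_call::remove_upload_file();
 $resp = array('success' => false, 'msg' => __('You do not have sufficient permissions to upload images.',$mf_domain) );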
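Review bot: The nonce-failure branch moved into resolve() (new lines 14-19) reads `$mf_domain` without a `global $mf_domain;` declaration, so inside the method it is an undefined local and `__()` receives a null text domain (undefined-variable notice, message falls back to the default domain); upload_ajax(), where the block came from, keeps `global $mf_domain;` above it. Add `global $mf_domain;` as the first statement of resolve(); the new error branch in mf_sort_field() (new lines 40-41) has the same exposure unless a global declaration sits above its hunk, which starts outside the visible lines. Separately, check_ajax_referer() only shows that the request came from a page that carried the nonce, i.e. it is CSRF protection, not authorization: the handlers reached through `$this->$type($data)` still need a capability check such as the `current_user_can('upload_files')` guard upload_ajax() retains, and none is visible in mf_sort_field() or set_default_categories() within the hunks. Calling remove_upload_file() on every nonce failure, not only for uploads, looks harmless if it merely discards `$_FILES` entries, but that is inferred since its body is outside the hunk.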

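--- a/admin/mf_post.php
+++ b/admin/mf_post.php
@@ -403,13 +403,22 @@ function mf_get_post_values( $post_id ) {
 
 /* enqueue css and js base for post area*/
 public function load_js_css_base(){
-global $mf_domain;
-
+
 wp_enqueue_style( 'mf_field_base', MF_BASENAME.'css/mf_field_base.css' );
 wp_enqueue_script( 'tmpl', MF_BASENAME.'js/third_party/jquery.tmpl.js');
 wp_enqueue_script( 'mf_field_base', MF_BASENAME.'js/mf_field_base.js');
 wp_enqueue_script( 'mf_sortable_groups', MF_BASENAME.'js/mf_sortable_groups.js', array( 'jquery-ui-sortable' ) );
 
+mf_post::load_js_localize();
+
+}
+
+public static function load_js_localize() {
+
+global $mf_domain;
+
+wp_enqueue_script( 'mf_clean', MF_BASENAME.'js/mf_clean.js');
+
 $mceAddString = "mceAddControl";
 $mceRemoveString = "mceRemoveControl";
 if(is_wp39()){
@@ -427,8 +436,7 @@ public function load_js_css_base(){
 'mf_mceRemoveString' => $mceRemoveString,
 'mf_nonce_ajax' => wp_create_nonce( "mf_nonce_ajax" )
 );
-wp_localize_script( 'mf_field_base', 'mf_js', $js_vars );
-
+wp_localize_script( 'mf_clean', 'mf_js', $js_vars );
 }
 
 /* enqueue css and js of fields */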
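Review bot: The new load_js_localize() (new line 416) has no header comment, and nothing states why the `mf_js` localization, including `mf_nonce_ajax`, now hangs off the `mf_clean` handle rather than `mf_field_base`; suggest adding above it `/* localize mf_js (incl. the mf_nonce_ajax nonce) on the mf_clean handle; static so screens that do not load the full field base can still enqueue the nonce */`, with the second clause hedged as the intent is inferred from the split. The call on new line 412 is written `mf_post::load_js_localize();`; from inside the class `self::load_js_localize();` is the idiomatic form and survives a class rename. Because `mf_js` is now attached to `mf_clean` instead of `mf_field_base`, any script that reads `mf_js` must list `mf_clean` as a dependency or be enqueued after it, otherwise the nonce is undefined at run time; the consumers are not in the hunk, so this is worth confirming. load_js_localize()'s body continues below the first hunk.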
