Timestamp:
02/04/15 22:13:27 (2 years ago)
Author:
moskis
Message:

fix security issue (thanks to mickaelb for reporting and Konstantin Kovshenin for providing the fix)

Location:
fancybox-for-wordpress/trunk
Files:
2 edited

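--- a/fancybox-for-wordpress/trunk/admin.php
+++ b/fancybox-for-wordpress/trunk/admin.php
@@ -82,4 +82,5 @@
     <form method="post" action="">
         <div style="text-align:center;padding:0 0 1.5em;margin:-15px 0 5px;">
+            <?php wp_nonce_field( 'mfbfw-options-reset' ); ?>
             <input type="submit" name="mfbfw_update" id="reset" onClick="return confirmDefaults();" class="button-secondary" value="<?php esc_attr_e( 'Revert to defaults', 'mfbfw' ); ?>" />
             <input type="hidden" name="action" value="reset" />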
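Review bot: The nonce field added at line 84 is generated for the action `mfbfw-options-reset`, but the handler in the fancybox.php hunk (new line 344) verifies it with `check_admin_referer( 'mfbfw-options-options' )`; unless another nonce field for that second action is emitted elsewhere in the form, the two strings disagree and every reset submission will be rejected by check_admin_referer(), so the reset feature stops working while appearing protected. One side should be changed so both use the same action string, for example `check_admin_referer( 'mfbfw-options-reset' )` on the fancybox.php side. The enclosing form opens at line 82 inside this hunk but closes after it, so a second nonce field outside the visible lines cannot be ruled out from here.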
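--- a/fancybox-for-wordpress/trunk/fancybox.php
+++ b/fancybox-for-wordpress/trunk/fancybox.php
@@ -342,14 +342,5 @@
     if ( isset($_GET['page']) && $_GET['page'] == 'fancybox-for-wordpress' ) {
 
-        if ( isset($_REQUEST['action']) && 'update' == $_REQUEST['action'] ) {
-
-            $settings = stripslashes_deep( $_POST['mfbfw'] );
-            $settings = array_map( 'convert_chars', $settings );
-
-            update_option( 'mfbfw', $settings );
-            wp_safe_redirect( add_query_arg('updated', 'true') );
-            die;
-
-        } else if ( isset($_REQUEST['action']) && 'reset' == $_REQUEST['action'] ) {
+        if ( isset($_REQUEST['action']) && 'reset' == $_REQUEST['action'] && check_admin_referer( 'mfbfw-options-options' ) ) {
 
             $defaults_array = mfbfw_defaults(); // Store defaults in an array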
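Review bot: check_admin_referer() on new line 344 only proves the request originated from a page that rendered the nonce; it does not check that the current user is allowed to change plugin options, and no `current_user_can()` call is visible in this hunk, so whether one guards the enclosing `if ( isset($_GET['page']) ...` block cannot be confirmed from here. If none does, the condition should also include `&& current_user_can( 'manage_options' )` before the nonce check, so that a logged-in low-privilege user who reaches this admin page cannot reset the options. As a point of style, `'reset' == $_REQUEST['action']` can be written as `'reset' === $_REQUEST['action']`; request values are strings, so the strict form behaves the same and avoids loose-comparison surprises. The enclosing block continues past the end of the hunk.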