
Changeset 1718052


Timestamp:
08/23/17 10:43:54 (2 months ago)
Author:
hlashbrooke
Message:

v1.0.1 - Security update

Location:
the-final-word
Files:
8 added
4 edited

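--- a/the-final-word/trunk/assets/scripts.js
+++ b/the-final-word/trunk/assets/scripts.js
@@ -8,8 +8,12 @@
         var comment_id = $( this ).data( 'comment_id' );
 
+        // Get the action nonce
+        var nonce = $( this ).data( 'nonce' );
+
         //  Set the data for the ajax request
         var data = {
             'action': 'top-comment',
-            'comment_id': comment_id
+            'comment_id': comment_id,
+            'nonce_data': nonce
         };
 
@@ -42,8 +46,12 @@
         var comment_id = $( this ).data( 'comment_id' );
 
+        // Get the action nonce
+        var nonce = $( this ).data( 'nonce' );
+
         //  Set the data for the ajax request
         var data = {
             'action': 'top-comment-remove',
-            'comment_id': comment_id
+            'comment_id': comment_id,
+            'nonce_data': nonce
         };
         // Post ajax request for setting top comment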
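Review bot: The success callback that consumes the `data` object built here lives outside this hunk, but scripts.min.js shows it as `if(t){var n="#comment-"+t;...}`, i.e. any non-empty response is taken as the comment ID to mark. With this change the server can now answer `0` (permission check refused) or, by default, `-1` (check_ajax_referer rejected the nonce); absent a JSON dataType jQuery appears to hand those to the callback as strings, both truthy, so a refused request still strips and re-adds the `.top-comment` classes against `#comment-0` / `#comment--1`. Parse the response and require a positive integer before touching the DOM, e.g. `var id = parseInt( response, 10 ); if ( id > 0 ) { … }` in place of the bare truthiness test, in both the add and remove callbacks. The enclosing click handlers start before and end after the lines shown.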
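--- a/the-final-word/trunk/assets/scripts.min.js
+++ b/the-final-word/trunk/assets/scripts.min.js
@@ -1 +1 @@
-jQuery(document).ready(function(o){o("body").on("click",".o2-comment-top",function(t){t.preventDefault();var n={action:"top-comment",comment_id:o(this).data("comment_id")};o.post(tfw.ajaxurl,n,function(t){if(t){var n="#comment-"+t;o(n).closest(".o2-post-comments").find(".comment-display-top").remove(),o(n).closest(".o2-post-comments").find(".comment").removeClass("top-comment"),o(n).addClass("top-comment")}})}),o("body").on("click",".o2-comment-top-remove",function(t){t.preventDefault();var n={action:"top-comment-remove",comment_id:o(this).data("comment_id")};o.post(tfw.ajaxurl,n,function(t){if(t){var n="#comment-"+t;o(n).closest(".o2-post-comments").find(".comment-display-top").remove(),o(n).removeClass("top-comment")}})}),o("body").on("click",".top-comment-label a",function(t){t.preventDefault();var n="#"+o(this).data("comment_anchor"),e=o(n).offset().top-30;jQuery("html:not(:animated),body:not(:animated)").animate({scrollTop:e},800,function(){window.location.hash=n})})});
+jQuery(document).ready(function(o){o("body").on("click",".o2-comment-top",function(t){t.preventDefault();var n={action:"top-comment",comment_id:o(this).data("comment_id"),nonce_data:o(this).data("nonce")};o.post(tfw.ajaxurl,n,function(t){if(t){var n="#comment-"+t;o(n).closest(".o2-post-comments").find(".comment-display-top").remove(),o(n).closest(".o2-post-comments").find(".comment").removeClass("top-comment"),o(n).addClass("top-comment")}})}),o("body").on("click",".o2-comment-top-remove",function(t){t.preventDefault();var n={action:"top-comment-remove",comment_id:o(this).data("comment_id"),nonce_data:o(this).data("nonce")};o.post(tfw.ajaxurl,n,function(t){if(t){var n="#comment-"+t;o(n).closest(".o2-post-comments").find(".comment-display-top").remove(),o(n).removeClass("top-comment")}})}),o("body").on("click",".top-comment-label a",function(t){t.preventDefault();var n="#"+o(this).data("comment_anchor"),e=o(n).offset().top-30;jQuery("html:not(:animated),body:not(:animated)").animate({scrollTop:e},800,function(){window.location.hash=n})})});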
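--- a/the-final-word/trunk/readme.txt
+++ b/the-final-word/trunk/readme.txt
@@ -4,5 +4,5 @@
 Requires at least: 4.7
 Tested up to: 4.8.1
-Stable tag: 1.0
+Stable tag: 1.0.1
 License: GPLv2 or later
 
@@ -43,4 +43,9 @@
 == Changelog ==
 
+= 1.0.1 =
+* 2017-08-23
+* Adding nonce and permissions checks to ajax requests
+* Improving code styling
+
 = 1.0 =
 * 2017-08-23
@@ -49,5 +54,4 @@
 == Upgrade Notice ==
 
-= 1.0 =
-* 2017-08-23
-* Initial release
+= 1.0.1 =
+* Adding security with nonce and permission checks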
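--- a/the-final-word/trunk/the-final-word.php
+++ b/the-final-word/trunk/the-final-word.php
@@ -2,5 +2,5 @@
 /*
  * Plugin Name: The Final Word
- * Version: 1.0
+ * Version: 1.0.1
  * Plugin URI: https://github.com/hlashbrooke/The-Final-Word
  * Description: Have the final word in a comment thread by marking a chosen comment as the 'top comment'.
@@ -27,5 +27,5 @@
 
     //  Set version number for JS and CSS
-    $ver = '1.0';
+    $ver = '1.0.1';
 
     // Set minified suffix as necessary
@@ -52,5 +52,5 @@
 
     // Only add the actions if the user is logged in
-    if( ! is_user_logged_in() ) {
+    if ( ! is_user_logged_in() ) {
         return $actions;
     }
@@ -58,10 +58,10 @@
     // Get the post ID for the current comment
     $post_id = $comment->comment_post_ID;
-    if( ! $post_id ) {
+    if ( ! $post_id ) {
         return $actions;
     }
 
     // Only add the actions if the current user can edit the post
-    if( ! current_user_can( 'edit_post', $post_id ) ) {
+    if ( ! current_user_can( 'edit_post', $post_id ) ) {
         return $actions;
     }
@@ -77,8 +77,18 @@
 
         // Display top comment add/remove actions depending on context
-        if( $top_comment && 'top' == $top_comment ) {
-            $actions[] = "<a class='o2-comment-top-remove o2-actions-border-top o2-warning-hover genericon genericon-close' data-comment_id='" . $comment->comment_ID . "'' href='#'>" . esc_html__( 'Top comment', 'the-final-word' ) . "</a>";
+        if ( $top_comment && 'top' == $top_comment ) {
+
+            // Generate nonce for ajax request
+            $nonce = wp_create_nonce( 'remove_top_comment_' . $comment->comment_ID );
+
+            // Add action to dropdown
+            $actions[] = "<a class='o2-comment-top-remove o2-actions-border-top o2-warning-hover genericon genericon-close' data-comment_id='" . esc_attr( $comment->comment_ID ) . "' data-nonce='" . esc_attr( $nonce ) . "' href='#'>" . esc_html__( 'Top comment', 'the-final-word' ) . "</a>";
         } else {
-            $actions[] = "<a class='o2-comment-top o2-actions-border-top genericon genericon-checkmark' data-comment_id='" . $comment->comment_ID . "'' href='#'>" . esc_html__( 'Top comment', 'the-final-word' ) . "</a>";
+
+            // Generate nonce for ajax request
+            $nonce = wp_create_nonce( 'add_top_comment_' . $comment->comment_ID );
+
+            // Add action to dropdown
+            $actions[] = "<a class='o2-comment-top o2-actions-border-top genericon genericon-checkmark' data-comment_id='" . esc_attr( $comment->comment_ID ) . "' data-nonce='" . esc_attr( $nonce ) . "' href='#'>" . esc_html__( 'Top comment', 'the-final-word' ) . "</a>";
         }
     }
@@ -95,17 +105,20 @@
 function tfw_mark_top_comment () {
 
+    // Set default return value
+    $return = 0;
+
     // Check if a comment ID has been passed through the request
-    if( ! isset( $_POST['comment_id'] ) || ! $_POST['comment_id'] ) {
-        exit;
-    }
-
-    //  Set default return value
-    $return = 0;
+    if ( empty( $_POST['comment_id'] ) ) {
+        wp_die( $return );
+    }
 
     // Make sure we have a valid integer here
     $comment_id = intval( $_POST['comment_id'] );
 
+    // Check the nonce before continuing
+    check_ajax_referer( 'add_top_comment_' . $comment_id, 'nonce_data', true );
+
     // If ID is non-zero, then proceed
-    if( $comment_id ) {
+    if ( $comment_id ) {
 
         // Get comment object
@@ -115,7 +128,12 @@
         $post_id = $comment->comment_post_ID;
 
+        // Check if current user has permissions to edit this post
+        if ( ! current_user_can( 'edit_post', $post_id ) ) {
+            wp_die( $return );
+        }
+
         // Remove existing top comment(s) before adding a new one - posts should only have one top comment
         $post_comments = get_comments( array( 'fields' => 'ids', 'post_id' => $post_id, 'meta_key' => 'top_comment' ) );
-        if( 0 < count( $post_comments ) ) {
+        if ( 0 < count( $post_comments ) ) {
             foreach( $post_comments as $post_comment ) {
                 delete_comment_meta( $post_comment, 'top_comment' );
@@ -132,7 +150,5 @@
 
     // Echo return value as this is an ajax request
-    echo $return;
-
-    exit;
+    wp_die( $return );
 }
 add_action( 'wp_ajax_top-comment', 'tfw_mark_top_comment' );
@@ -144,17 +160,20 @@
 function tfw_remove_top_comment () {
 
+    // Set default return value
+    $return = 0;
+
     // Check if a comment ID has been passed through the request
-    if( ! isset( $_POST['comment_id'] ) || ! $_POST['comment_id'] ) {
-        exit;
-    }
-
-    //  Set default return value
-    $return = 0;
+    if ( ! isset( $_POST['comment_id'] ) || ! $_POST['comment_id'] ) {
+        wp_die( $return );
+    }
 
     // Make sure we have a valid integer here
     $comment_id = intval( $_POST['comment_id'] );
 
+    // Check the nonce before continuing
+    check_ajax_referer( 'remove_top_comment_' . $comment_id, 'nonce_data', true );
+
     // If ID is non-zero, then proceed
-    if( $comment_id ) {
+    if ( $comment_id ) {
 
         // Get comment object
@@ -163,4 +182,9 @@
         // Get post ID for comment
         $post_id = $comment->comment_post_ID;
+
+        // Check if current user has permissions to edit this post
+        if ( ! current_user_can( 'edit_post', $post_id ) ) {
+            wp_die( $return );
+        }
 
         // Delete meta for top comment and post
@@ -173,7 +197,5 @@
 
     // Echo return value as this is an ajax request
-    echo $return;
-
-    exit;
+    wp_die( $return );
 }
 add_action( 'wp_ajax_top-comment-remove', 'tfw_remove_top_comment' );
@@ -194,5 +216,5 @@
 
     // Add 'top-comment' class to commment class array
-    if( $top_comment && 'top' == $top_comment ) {
+    if ( $top_comment && 'top' == $top_comment ) {
         $classes[] = 'top-comment';
     }
@@ -214,5 +236,5 @@
 
     // If we have a valid commment ID, then continue
-    if( $post_top_comment ) {
+    if ( $post_top_comment ) {
 
         // Get the top comment object
@@ -229,5 +251,5 @@
         $top_comment->comment_date_gmt = '1970-01-01 00:00:00';
 
-        // Get the comment fragment for the top comment suing the modified data
+        // Get the comment fragment for the top comment using the modified data
         $comment_fragment = o2_Fragment::get_fragment( $top_comment );
 
@@ -250,5 +272,5 @@
 
     // Check if this is the top comment set to display at the top of the thread
-    if( 'display-top' == $comment_id ) {
+    if ( 'display-top' == $comment_id ) {
 
         // Add the 'top-comment' class to the comment container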
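Review bot: In tfw_mark_top_comment (new lines 122–133) a comment ID that passes `if ( $comment_id )` but does not exist is never rejected: the handler reads `$comment->comment_post_ID` and hands whatever that yields to `current_user_can( 'edit_post', $post_id )`, and the `get_comment()` call itself sits in lines the hunk omits (between new lines 124 and 128), so I cannot see a null check there. Unless one exists, add `if ( ! $comment ) { wp_die( $return ); }` immediately after fetching the comment so the capability check is always made against a real post rather than an empty ID, and mirror it in tfw_remove_top_comment (new lines 177–188), whose comment fetch is likewise outside the hunk. Separately, every refusal path answers with a bare `0` (and check_ajax_referer by default answers `-1`), which a client that only tests for a non-empty response cannot tell apart from a comment ID; `wp_send_json_error()` on failure and `wp_send_json_success( $comment_id )` on success would make the outcome explicit. Both functions begin and end within the section, but their middles are cut by the hunks.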