Skip to content

Commit 263831a

Browse files
committed
Press This: Verify intent before fetching in-page resources using Press This.
Props vortfu Built from https://develop.svn.wordpress.org/trunk@40195 git-svn-id: http://core.svn.wordpress.org/trunk@40134 1a063a9b-81f0-0310-95a4-ce76da25c4cd
1 parent 288cd46 commit 263831a

File tree

2 files changed

+9
-4
lines changed

2 files changed

+9
-4
lines changed

Diff for: wp-admin/includes/class-wp-press-this.php

+8-3
Original file line numberDiff line numberDiff line change
@@ -718,7 +718,11 @@ public function merge_or_fetch_data() {
718718
* making PT fully backward compatible with the older bookmarklet.
719719
*/
720720
if ( empty( $_POST ) && ! empty( $data['u'] ) ) {
721-
$data = $this->source_data_fetch_fallback( $data['u'], $data );
721+
if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( $_GET['_wpnonce'], 'scan-site' ) ) {
722+
$data = $this->source_data_fetch_fallback( $data['u'], $data );
723+
} else {
724+
$data['errors'] = 'missing nonce';
725+
}
722726
} else {
723727
foreach ( array( '_images', '_embeds' ) as $type ) {
724728
if ( empty( $_POST[ $type ] ) ) {
@@ -1235,7 +1239,7 @@ public function html() {
12351239
$site_data = array(
12361240
'v' => ! empty( $data['v'] ) ? $data['v'] : '',
12371241
'u' => ! empty( $data['u'] ) ? $data['u'] : '',
1238-
'hasData' => ! empty( $data ),
1242+
'hasData' => ! empty( $data ) && ! isset( $data['errors'] ),
12391243
);
12401244

12411245
if ( ! empty( $images ) ) {
@@ -1367,8 +1371,9 @@ public function html() {
13671371
<div id="scanbar" class="scan">
13681372
<form method="GET">
13691373
<label for="url-scan" class="screen-reader-text"><?php _e( 'Scan site for content' ); ?></label>
1370-
<input type="url" name="u" id="url-scan" class="scan-url" value="" placeholder="<?php esc_attr_e( 'Enter a URL to scan' ) ?>" />
1374+
<input type="url" name="u" id="url-scan" class="scan-url" value="<?php echo esc_attr( $site_data['u'] ) ?>" placeholder="<?php esc_attr_e( 'Enter a URL to scan' ) ?>" />
13711375
<input type="submit" name="url-scan-submit" id="url-scan-submit" class="scan-submit" value="<?php esc_attr_e( 'Scan' ) ?>" />
1376+
<?php wp_nonce_field( 'scan-site' ); ?>
13721377
</form>
13731378
</div>
13741379

Diff for: wp-includes/version.php

+1-1
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44
*
55
* @global string $wp_version
66
*/
7-
$wp_version = '4.8-alpha-40183';
7+
$wp_version = '4.8-alpha-40195';
88

99
/**
1010
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.

0 commit comments

Comments
 (0)