Add nonces to default theme.

git-svn-id: http://svn.automattic.com/wordpress/branches/2.0@5407 1a063a9b-81f0-0310-95a4-ce76da25c4cd
justintadlock · May 7, 2007 · a13170d · a13170d
1 parent 74b548e
commit a13170d
Showing 1 changed file with 44 additions and 32 deletions.
diff --git a/wp-content/themes/default/functions.php b/wp-content/themes/default/functions.php
@@ -21,19 +21,19 @@ function kubrick_head() {
 add_action('wp_head', 'kubrick_head');
 
 function kubrick_header_image() {
-	return apply_filters('kubrick_header_image', get_settings('kubrick_header_image'));
+	return apply_filters('kubrick_header_image', get_option('kubrick_header_image'));
 }
 
 function kubrick_upper_color() {
-	if ( strstr( $url = kubrick_header_image_url(), 'header-img.php?' ) ) {
+	if (strpos($url = kubrick_header_image_url(), 'header-img.php?') !== false) {
 		parse_str(substr($url, strpos($url, '?') + 1), $q);
 		return $q['upper'];
 	} else
 		return '69aee7';
 }
 
 function kubrick_lower_color() {
-	if ( strstr( $url = kubrick_header_image_url(), 'header-img.php?' ) ) {
+	if (strpos($url = kubrick_header_image_url(), 'header-img.php?') !== false) {
 		parse_str(substr($url, strpos($url, '?') + 1), $q);
 		return $q['lower'];
 	} else
@@ -50,7 +50,7 @@ function kubrick_header_image_url() {
 }
 
 function kubrick_header_color() {
-	return apply_filters('kubrick_header_color', get_settings('kubrick_header_color'));
+	return apply_filters('kubrick_header_color', get_option('kubrick_header_color'));
 }
 
 function kubrick_header_color_string() {
@@ -62,7 +62,7 @@ function kubrick_header_color_string() {
 }
 
 function kubrick_header_display() {
-	return apply_filters('kubrick_header_display', get_settings('kubrick_header_display'));
+	return apply_filters('kubrick_header_display', get_option('kubrick_header_display'));
 }
 
 function kubrick_header_display_string() {
@@ -75,6 +75,7 @@ function kubrick_header_display_string() {
 function kubrick_add_theme_page() {
 	if ( $_GET['page'] == basename(__FILE__) ) {
 		if ( 'save' == $_REQUEST['action'] ) {
+			check_admin_referer('kubrick-header');
 			if ( isset($_REQUEST['njform']) ) {
 				if ( isset($_REQUEST['defaults']) ) {
 					delete_option('kubrick_header_image');
@@ -83,17 +84,18 @@ function kubrick_add_theme_page() {
 				} else {
 					if ( '' == $_REQUEST['njfontcolor'] )
 						delete_option('kubrick_header_color');
-					else
-						update_option('kubrick_header_color', $_REQUEST['njfontcolor']);
-
+					else {
+						$fontcolor = preg_replace('/^.*(#[0-9a-fA-F]{6})?.*$/', '$1', $_REQUEST['njfontcolor']);
+						update_option('kubrick_header_color', $fontcolor);
+					}
 					if ( preg_match('/[0-9A-F]{6}|[0-9A-F]{3}/i', $_REQUEST['njuppercolor'], $uc) && preg_match('/[0-9A-F]{6}|[0-9A-F]{3}/i', $_REQUEST['njlowercolor'], $lc) ) {
 						$uc = ( strlen($uc[0]) == 3 ) ? $uc[0]{0}.$uc[0]{0}.$uc[0]{1}.$uc[0]{1}.$uc[0]{2}.$uc[0]{2} : $uc[0];
 						$lc = ( strlen($lc[0]) == 3 ) ? $lc[0]{0}.$lc[0]{0}.$lc[0]{1}.$lc[0]{1}.$lc[0]{2}.$lc[0]{2} : $lc[0];
 						update_option('kubrick_header_image', "header-img.php?upper=$uc&amp;lower=$lc");
 					}
 
 					if ( isset($_REQUEST['toggledisplay']) ) {
-						if ( false === get_settings('kubrick_header_display') )
+						if ( false === get_option('kubrick_header_display') )
 							update_option('kubrick_header_display', 'none');
 						else
 							delete_option('kubrick_header_display');
@@ -102,20 +104,27 @@ function kubrick_add_theme_page() {
 			} else {
 
 				if ( isset($_REQUEST['headerimage']) ) {
+					check_admin_referer('kubrick-header');
 					if ( '' == $_REQUEST['headerimage'] )
 						delete_option('kubrick_header_image');
-					else
-						update_option('kubrick_header_image', $_REQUEST['headerimage']);
+					else {
+						$headerimage = preg_replace('/^.*?(header-img.php\?upper=[0-9a-fA-F]{6}&lower=[0-9a-fA-F]{6})?.*$/', '$1', $_REQUEST['headerimage']);
+						update_option('kubrick_header_image', $headerimage);
+					}
 				}
 
 				if ( isset($_REQUEST['fontcolor']) ) {
+					check_admin_referer('kubrick-header');
 					if ( '' == $_REQUEST['fontcolor'] )
 						delete_option('kubrick_header_color');
-					else
-						update_option('kubrick_header_color', $_REQUEST['fontcolor']);
+					else {
+						$fontcolor = preg_replace('/^.*?(#[0-9a-fA-F]{6})?.*$/', '$1', $_REQUEST['fontcolor']);
+						update_option('kubrick_header_color', $fontcolor);
+					}
 				}
 
 				if ( isset($_REQUEST['fontdisplay']) ) {
+					check_admin_referer('kubrick-header');
 					if ( '' == $_REQUEST['fontdisplay'] || 'inline' == $_REQUEST['fontdisplay'] )
 						delete_option('kubrick_header_display');
 					else
@@ -226,13 +235,13 @@ function kDefaults() {
 		document.getElementById('headerimg').style.display = document.getElementById('fontdisplay').value;
 	}
 	function kRevert() {
-		document.getElementById('headerimage').value = '<?php echo kubrick_header_image(); ?>';
-		document.getElementById('advuppercolor').value = document.getElementById('uppercolor').value = '#<?php echo kubrick_upper_color(); ?>';
-		document.getElementById('advlowercolor').value = document.getElementById('lowercolor').value = '#<?php echo kubrick_lower_color(); ?>';
-		document.getElementById('header').style.background = 'url("<?php echo kubrick_header_image_url(); ?>") center no-repeat';
+		document.getElementById('headerimage').value = '<?php echo js_escape(kubrick_header_image()); ?>';
+		document.getElementById('advuppercolor').value = document.getElementById('uppercolor').value = '#<?php echo js_escape(kubrick_upper_color()); ?>';
+		document.getElementById('advlowercolor').value = document.getElementById('lowercolor').value = '#<?php echo js_escape(kubrick_lower_color()); ?>';
+		document.getElementById('header').style.background = 'url("<?php echo js_escape(kubrick_header_image_url()); ?>") center no-repeat';
 		document.getElementById('header').style.color = '';
-		document.getElementById('advfontcolor').value = document.getElementById('fontcolor').value = '<?php echo kubrick_header_color_string(); ?>';
-		document.getElementById('fontdisplay').value = '<?php echo kubrick_header_display_string(); ?>';
+		document.getElementById('advfontcolor').value = document.getElementById('fontcolor').value = '<?php echo js_escape(kubrick_header_color_string()); ?>';
+		document.getElementById('fontdisplay').value = '<?php echo js_escape(kubrick_header_display_string()); ?>';
 		document.getElementById('headerimg').style.display = document.getElementById('fontdisplay').value;
 	}
 	function kInit() {
@@ -354,11 +363,12 @@ function kubrick_theme_page() {
 		<br />
 		<div id="nonJsForm">
 			<form method="post" action="">
+				<?php wp_nonce_field('kubrick-header'); ?>
 				<div class="zerosize"><input type="submit" name="defaultsubmit" value="Save" /></div>
-				<label for="njfontcolor">Font Color:</label><input type="text" name="njfontcolor" id="njfontcolor" value="<?php echo kubrick_header_color(); ?>" /> Any CSS color (<code>red</code> or <code>#FF0000</code> or <code>rgb(255, 0, 0)</code>)<br />
-				<label for="njuppercolor">Upper Color:</label><input type="text" name="njuppercolor" id="njuppercolor" value="#<?php echo kubrick_upper_color(); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
-				<label for="njlowercolor">Lower Color:</label><input type="text" name="njlowercolor" id="njlowercolor" value="#<?php echo kubrick_lower_color(); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
-				<input type="hidden" name="hi" id="hi" value="<?php echo kubrick_header_image(); ?>" />
+				<label for="njfontcolor">Font Color:</label><input type="text" name="njfontcolor" id="njfontcolor" value="<?php echo attribute_escape(kubrick_header_color()); ?>" /> Any CSS color (<code>red</code> or <code>#FF0000</code> or <code>rgb(255, 0, 0)</code>)<br />
+				<label for="njuppercolor">Upper Color:</label><input type="text" name="njuppercolor" id="njuppercolor" value="#<?php echo attribute_escape(kubrick_upper_color()); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
+				<label for="njlowercolor">Lower Color:</label><input type="text" name="njlowercolor" id="njlowercolor" value="#<?php echo attribute_escape(kubrick_lower_color()); ?>" /> HEX only (<code>#FF0000</code> or <code>#F00</code>)<br />
+				<input type="hidden" name="hi" id="hi" value="<?php echo attribute_escape(kubrick_header_image()); ?>" />
 				<input type="submit" name="toggledisplay" id="toggledisplay" value="Toggle Text" />
 				<input type="submit" name="defaults" value="Use Defaults" />
 				<input type="submit" class="defbutton" name="submitform" value="&nbsp;&nbsp;Save&nbsp;&nbsp;" />
@@ -368,25 +378,27 @@ function kubrick_theme_page() {
 		</div>
 		<div id="jsForm">
 			<form style="display:inline;" method="post" name="hicolor" id="hicolor" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
+				<?php wp_nonce_field('kubrick-header'); ?>
 				<input type="button" onclick="tgt=document.getElementById('fontcolor');colorSelect(tgt,'pick1');return false;" name="pick1" id="pick1" value="Font Color"></input>
 				<input type="button" onclick="tgt=document.getElementById('uppercolor');colorSelect(tgt,'pick2');return false;" name="pick2" id="pick2" value="Upper Color"></input>
 				<input type="button" onclick="tgt=document.getElementById('lowercolor');colorSelect(tgt,'pick3');return false;" name="pick3" id="pick3" value="Lower Color"></input>
 				<input type="button" name="revert" value="Revert" onclick="kRevert()" />
 				<input type="button" value="Advanced" onclick="toggleAdvanced()" />
-				<input type="submit" name="submitform" class="defbutton" value="Save" onclick="cp.hidePopup('prettyplease')" />
 				<input type="hidden" name="action" value="save" />
-				<input type="hidden" name="fontdisplay" id="fontdisplay" value="<?php echo kubrick_header_display(); ?>" />
-				<input type="hidden" name="fontcolor" id="fontcolor" value="<?php echo kubrick_header_color(); ?>" />
-				<input type="hidden" name="uppercolor" id="uppercolor" value="<?php echo kubrick_upper_color(); ?>" />
-				<input type="hidden" name="lowercolor" id="lowercolor" value="<?php echo kubrick_lower_color(); ?>" />
-				<input type="hidden" name="headerimage" id="headerimage" value="<?php echo kubrick_header_image(); ?>" />
+				<input type="hidden" name="fontdisplay" id="fontdisplay" value="<?php echo attribute_escape(kubrick_header_display()); ?>" />
+				<input type="hidden" name="fontcolor" id="fontcolor" value="<?php echo attribute_escape(kubrick_header_color()); ?>" />
+				<input type="hidden" name="uppercolor" id="uppercolor" value="<?php echo attribute_escape(kubrick_upper_color()); ?>" />
+				<input type="hidden" name="lowercolor" id="lowercolor" value="<?php echo attribute_escape(kubrick_lower_color()); ?>" />
+				<input type="hidden" name="headerimage" id="headerimage" value="<?php echo attribute_escape(kubrick_header_image()); ?>" />
+				<p class="submit"><input type="submit" name="submitform" class="defbutton" value="<?php _e('Update Header &raquo;'); ?>" onclick="cp.hidePopup('prettyplease')" /></p>
 			</form>
 			<div id="colorPickerDiv" style="z-index: 100;background:#eee;border:1px solid #ccc;position:absolute;visibility:hidden;"> </div>
 			<div id="advanced">
 				<form id="jsAdvanced" style="display:none;" action="">
-					<label for="advfontcolor">Font Color (CSS): </label><input type="text" id="advfontcolor" onchange="advUpdate(this.value, 'fontcolor')" value="<?php echo kubrick_header_color(); ?>" /><br />
-					<label for="advuppercolor">Upper Color (HEX): </label><input type="text" id="advuppercolor" onchange="advUpdate(this.value, 'uppercolor')" value="#<?php echo kubrick_upper_color(); ?>" /><br />
-					<label for="advlowercolor">Lower Color (HEX): </label><input type="text" id="advlowercolor" onchange="advUpdate(this.value, 'lowercolor')" value="#<?php echo kubrick_lower_color(); ?>" /><br />
+					<?php wp_nonce_field('kubrick-header'); ?>
+					<label for="advfontcolor">Font Color (CSS): </label><input type="text" id="advfontcolor" onchange="advUpdate(this.value, 'fontcolor')" value="<?php echo attribute_escape(kubrick_header_color()); ?>" /><br />
+					<label for="advuppercolor">Upper Color (HEX): </label><input type="text" id="advuppercolor" onchange="advUpdate(this.value, 'uppercolor')" value="#<?php echo attribute_escape(kubrick_upper_color()); ?>" /><br />
+					<label for="advlowercolor">Lower Color (HEX): </label><input type="text" id="advlowercolor" onchange="advUpdate(this.value, 'lowercolor')" value="#<?php echo attribute_escape(kubrick_lower_color()); ?>" /><br />
 					<input type="button" name="default" value="Select Default Colors" onclick="kDefaults()" /><br />
 					<input type="button" onclick="toggleDisplay();return false;" name="pick" id="pick" value="Toggle Text Display"></input><br />
 				</form>