Changeset 2707108

Timestamp:

04/08/2022 03:47:58 PM (4 years ago)

Author:

mmuro

Message:

Update Entries table with CSRF protection

Location:

visual-form-builder/trunk/admin

Files:

• class-admin-menu.php (modified) (1 diff)
• class-entries-detail.php (modified) (2 diffs)
• class-entries-list.php (modified) (5 diffs)
• class-forms-edit.php (modified) (1 diff)
• class-forms-list.php (modified) (1 diff)

visual-form-builder/trunk/admin/class-admin-menu.php

@@ -265 +265 @@
         <form id="entries-filter" method="post" action="">
         <?php
-            $entries_list->search_box( 'search', 'search_id' );
-            $entries_list->display();
+            $entries_list->search_box( 'search', 'search_id' );
+            $entries_list->display();
         ?>
         </form>

visual-form-builder/trunk/admin/class-entries-detail.php

@@ -15 +15 @@
     public function entries_detail() {
         global $wpdb;
+
+        check_admin_referer( 'vfb_view_entry' );
 
         $entry_id = absint( $_GET['entry'] );
@@ -66 +68 @@
                                 <div id="major-publishing-actions">
                                     <div id="delete-action">
-                                        <?php echo sprintf( '<a class="submitdelete deletion entry-delete" href="%2$s&action=%3$s&entry=%4$d">%1$s</a>', __( 'Move to Trash', 'visual-form-builder' ), admin_url( 'admin.php?page=vfb-entries' ), 'trash', $entry_id ); ?>
+                                        <?php echo sprintf( '<a class="submitdelete deletion entry-delete" href="%2$s&action=%3$s&entry=%4$d">%1$s</a>', __( 'Move to Trash', 'visual-form-builder' ), wp_nonce_url( admin_url( 'admin.php?page=vfb-entries' ), 'vfb_trash_entry' ), 'trash', $entry_id ); ?>
                                     </div>
                                     <div id="publishing-action">

visual-form-builder/trunk/admin/class-entries-list.php

@@ -54 +54 @@
         // Build row actions
         if ( !$this->get_entry_status() || 'all' == $this->get_entry_status() )
-            $actions['view'] = sprintf( '<a href="%s&action=%s&entry=%s" id="%3$s" class="view-entry">View</a>', admin_url( 'admin.php?page=vfb-entries' ), 'view', $item['entry_id'] );
+            $actions['view'] = sprintf( '<a href="%s&action=%s&entry=%s" id="%3$s" class="view-entry">View</a>', wp_nonce_url( admin_url( 'admin.php?page=vfb-entries' ), 'vfb_view_entry' ), 'view', $item['entry_id'] );
 
         if ( !$this->get_entry_status() || 'all' == $this->get_entry_status() )
-            $actions['trash'] = sprintf( '<a href="%s&action=%s&entry=%s">Trash</a>', admin_url( 'admin.php?page=vfb-entries' ), 'trash', $item['entry_id'] );
+            $actions['trash'] = sprintf( '<a href="%s&action=%s&entry=%s">Trash</a>', wp_nonce_url( admin_url( 'admin.php?page=vfb-entries' ), 'vfb_trash_entry' ), 'trash', $item['entry_id'] );
         elseif ( $this->get_entry_status() && 'trash' == $this->get_entry_status() ) {
-            $actions['restore'] = sprintf( '<a href="%s&action=%s&entry=%s">%s</a>', admin_url( 'admin.php?page=vfb-entries' ), 'restore', $item['entry_id'], __( 'Restore', 'visual-form-builder' ) );
-            $actions['delete'] = sprintf( '<a href="%s&action=%s&entry=%s">%s</a>', admin_url( 'admin.php?page=vfb-entries' ), 'delete', $item['entry_id'], __( 'Delete Permanently', 'visual-form-builder' ) );
+            $actions['restore'] = sprintf( '<a href="%s&action=%s&entry=%s">%s</a>', wp_nonce_url( admin_url( 'admin.php?page=vfb-entries' ), 'vfb_undo_trash_entry' ), 'restore', $item['entry_id'], __( 'Restore', 'visual-form-builder' ) );
+            $actions['delete'] = sprintf( '<a href="%s&action=%s&entry=%s">%s</a>', wp_nonce_url( admin_url( 'admin.php?page=vfb-entries' ), 'vfb_delete_entry' ), 'delete', $item['entry_id'], __( 'Delete Permanently', 'visual-form-builder' ) );
         }
 
@@ -307 +307 @@
         switch( $this->current_action() ) :
             case 'trash' :
+                check_admin_referer( 'vfb_trash_entry' );
+
                 foreach ( $entry_id as $id ) {
                     $id = absint( $id );
@@ -314 +316 @@
 
             case 'delete' :
+                check_admin_referer( 'vfb_delete_entry' );
+
                 foreach ( $entry_id as $id ) {
                     $id = absint( $id );
@@ -321 +325 @@
 
             case 'restore' :
+                check_admin_referer( 'vfb_undo_trash_entry' );
+
                 foreach ( $entry_id as $id ) {
                     $id = absint( $id );
@@ -328 +334 @@
 
             case 'delete' :
+                check_admin_referer( 'vfb_delete_entry' );
+
                 $entry_id = ( isset( $_GET['entry'] ) && is_array( $_GET['entry'] ) ) ? $_GET['entry'] : array( $_GET['entry'] );
 

visual-form-builder/trunk/admin/class-forms-edit.php

@@ -13 +13 @@
     public function display() {
         global $wpdb;
+
+        check_admin_referer( 'vfb_edit_form' );
 
         $current_user = wp_get_current_user();

visual-form-builder/trunk/admin/class-forms-list.php

@@ -52 +52 @@
 
         // Edit Form
-        $form_title = sprintf( '<strong><a href="%s&action=%s&form=%s" id="%3$s" class="view-form">%s</a></strong>', admin_url( 'admin.php?page=visual-form-builder' ), 'edit', $item['form_id'], $item['form_title'] );
-        $actions['edit'] = sprintf( '<a href="%s&action=%s&form=%s" id="%3$s" class="view-form">%s</a>', admin_url( 'admin.php?page=visual-form-builder' ), 'edit', $item['form_id'], __( 'Edit', 'visual-form-builder' ) );
+        $edit_link = wp_nonce_url( admin_url( 'admin.php?page=visual-form-builder' ), 'vfb_edit_form' );
+        $form_title = sprintf( '<strong><a href="%s&action=%s&form=%s" id="%3$s" class="view-form">%s</a></strong>', $edit_link, 'edit', $item['form_id'], $item['form_title'] );
+        $actions['edit'] = sprintf( '<a href="%s&action=%s&form=%s" id="%3$s" class="view-form">%s</a>', $edit_link, 'edit', $item['form_id'], __( 'Edit', 'visual-form-builder' ) );
 
         // Duplicate Form