diff --git a/src/includes/conditionals.php b/src/includes/conditionals.php
index b115c63a..4d71ddcd 100644
--- a/src/includes/conditionals.php
+++ b/src/includes/conditionals.php
@@ -125,6 +125,10 @@ function mc_is_tablet() {
*/
function mc_is_preview() {
if ( isset( $_GET['preview'] ) && 'true' === $_GET['preview'] && current_user_can( 'mc_manage_events' ) ) {
+ $nonce = sanitize_text_field( wp_unslash( $_GET['mcpreviewnonce'] ) );
+ if ( ! wp_verify_nonce( $nonce, 'mcpreviewnonce' ) ) {
+ return false;
+ }
return true;
}
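Review bot: The first added line reads `$_GET['mcpreviewnonce']` without an `isset()` guard, so a request that carries `preview=true` but no nonce triggers an undefined-array-key warning and passes `null` through `wp_unslash()`/`sanitize_text_field()` before `wp_verify_nonce()` rejects it. Guard the read: `$nonce = isset( $_GET['mcpreviewnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['mcpreviewnonce'] ) ) : '';`. The docblock closed by the `*/` at the top of the hunk should also state that a valid `mcpreviewnonce` query parameter is now required in addition to the `mc_manage_events` capability, and that, since WordPress nonces are bound to the creating user and expire, a preview URL is only usable by the user who generated it and only for a limited time.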
diff --git a/src/my-calendar-event-editor.php b/src/my-calendar-event-editor.php
index f2cedd58..ddb5675a 100644
--- a/src/my-calendar-event-editor.php
+++ b/src/my-calendar-event-editor.php
@@ -1834,7 +1834,12 @@ function mc_form_fields( $data, $mode, $event_id ) {
} else {
$view_url = mc_get_permalink( $first );
if ( ! mc_event_published( $data ) ) {
- $view_url = add_query_arg( 'preview', 'true', mc_get_permalink( $first ) );
+ $nonce = wp_create_nonce( 'mcpreviewnonce' );
+ $args = array(
+ 'preview' => 'true',
+ 'mcpreviewnonce' => $nonce,
+ );
+ $view_url = add_query_arg( $args, mc_get_permalink( $first ) );
}
$tag_preview = add_query_arg(
array(
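Review bot: The nonce-and-args construction added here is repeated verbatim in the mc_controls hunk below, and the action string `'mcpreviewnonce'` is now a bare literal in three places (here, mc_controls, and mc_is_preview in conditionals.php); a single helper that builds the preview URL would keep the action name and the query shape in one place, so that a later rename cannot leave one caller producing nonces the verifier does not accept. Separately, `mc_get_permalink( $first )` is evaluated a second time on the `add_query_arg()` line even though `$view_url` already holds that value two lines earlier. mc_form_fields starts and ends outside this hunk.
```php
/**
 * Build the preview URL for an unpublished event.
 *
 * The nonce action must match the one checked in mc_is_preview().
 *
 * @param string $permalink Event permalink.
 *
 * @return string Permalink with preview and nonce query arguments.
 */
function mc_preview_url( $permalink ) {
	$args = array(
		'preview'        => 'true',
		'mcpreviewnonce' => wp_create_nonce( 'mcpreviewnonce' ),
	);

	return add_query_arg( $args, $permalink );
}

// … unchanged: mc_form_fields up to the published check …
		if ( ! mc_event_published( $data ) ) {
			$view_url = mc_preview_url( $view_url );
		}
```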
@@ -3118,7 +3123,12 @@ function mc_controls( $mode, $has_data, $event, $position = 'header' ) {
if ( mc_event_published( $event ) ) {
$controls['view'] = "" . __( 'View', 'my-calendar' ) . '';
} elseif ( current_user_can( 'mc_manage_events' ) ) {
- $controls['view'] = "" . __( 'Preview', 'my-calendar' ) . '';
+ $nonce = wp_create_nonce( 'mcpreviewnonce' );
+ $args = array(
+ 'preview' => 'true',
+ 'mcpreviewnonce' => $nonce,
+ );
+ $controls['view'] = "" . __( 'Preview', 'my-calendar' ) . '';
}
$manage_text = __( 'Events', 'my-calendar' );
$controls['manage'] = "" . '' . $manage_text . '';
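Review bot: In the `elseif` branch the new `$args` array is built but the `$controls['view']` assignment that follows does not visibly consume it; the anchor markup has apparently been stripped from this rendering, so please confirm the `href` on that line is `esc_url( add_query_arg( $args, mc_get_permalink( $event ) ) )` or equivalent, since a nonce-bearing URL placed in an attribute still needs `esc_url()`. If `$args` is in fact unused on the new side, the branch would emit a preview link that mc_is_preview() now rejects. mc_controls continues outside this hunk.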