

Better comment; re-check nonce before handling POST
joedolson committed Jan 6, 2025
1 parent 0fa2421 commit 3bed33f
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions src/my-calendar-settings.php
Expand Up @@ -437,7 +437,12 @@ function mc_update_text_settings( $post ) {
// This is the <title> element, and should not contain HTML.
$options['event_title_template'] = $post['mc_event_title_template'];
foreach ( $post as $key => $value ) {
$nonce = $_REQUEST['_wpnonce'];
if ( ! wp_verify_nonce( $nonce, 'my-calendar-nonce' ) ) {
wp_die( 'My Calendar: Security check failed' );
}
// If POST is set, change the sanitizing for settings in this group.
// The POST array was sanitized before being sent, but that sanitizing strips HTML.
$post[ $key ] = isset( $_POST[ $key ] ) ? wp_kses_post( wp_unslash( $_POST[ $key ] ) ) : $value;
}
$options['heading_text'] = isset( $_POST['mc_heading_text'] ) ? wp_kses_post( wp_unslash( $_POST['mc_heading_text'] ) ) : $post['mc_heading_text'];
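Review bot: The nonce check is placed inside the `foreach ( $post as $key => $value )` loop, so it is re-run on every iteration and, more importantly, never runs at all when `$post` is empty — yet the line after the loop still reads `$_POST['mc_heading_text']` without any verification having happened. Hoist the four added lines to just before the `foreach` so the check executes exactly once regardless of what `$post` contains. `$_REQUEST['_wpnonce']` is also read without an isset guard, which emits an undefined-index warning when the key is absent before wp_verify_nonce rejects the request; `$nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';` avoids that. mc_update_text_settings begins before this hunk and continues past it.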
