From b8788a1a6a260b57b8d17fdf5bf7fd0bc1fdba1d Mon Sep 17 00:00:00 2001 From: "@hunk" Date: Wed, 3 Aug 2016 18:52:45 -0500 Subject: [PATCH] add nonce in all wp ajax calls --- admin/mf_ajax_call.php | 39 +++++----- admin/mf_post.php | 16 +++-- js/mf_admin.js | 138 +++++++++++++++++++++++++----------- js/mf_clean.js | 0 js/mf_field_base.js | 78 ++++++++++++++------ js/mf_posttypes_sortable.js | 18 ++--- js/mf_set_categories.js | 73 ++++++++++--------- main.php | 17 +++++ 8 files changed, 253 insertions(+), 126 deletions(-) create mode 100644 js/mf_clean.js diff --git a/admin/mf_ajax_call.php b/admin/mf_ajax_call.php index d364e75..a507bd7 100644 --- a/admin/mf_ajax_call.php +++ b/admin/mf_ajax_call.php @@ -10,6 +10,14 @@ public function __construct(){ } public function resolve($data){ + + if( !check_ajax_referer( 'mf_nonce_ajax', 'security', false ) ) { + mf_ajax_call::remove_upload_file(); + $resp = array('success' => false, 'msg' => __('Sorry, your nonce did not verify..',$mf_domain) ); + echo json_encode($resp); + die; + } + $type = $data['type']; if(method_exists($this, $type)){ $this->$type($data); @@ -24,10 +32,14 @@ public function mf_sort_field($data){ array_walk( $order, create_function( '&$v,$k', '$v = str_replace("order_","",$v);' )); if( $thing = mf_custom_fields::save_order_field( $data['group_id'], $order ) ) { - print "1"; + $resp = array('success' => true); + echo json_encode($resp); die; } - print "0"; //error! + + $resp = array('success' => false, 'msg' => __('Ups, something went wrong',$mf_domain) ); + echo json_encode($resp); + die; } } 
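Review bot: The nonce check added at the top of `resolve` proves the request came from a page that received `mf_js.mf_nonce_ajax`, not that the caller is allowed to run the requested `type`; no `current_user_can()` gate accompanies it, and the only capability check visible in this file is the `upload_files` one inside `upload_ajax`. Because the same nonce is also localized onto the post-edit screen (mf_post.php in this patch), any role that can open that screen presumably obtains a valid nonce for `mf_sort_field` or `set_default_categories` — confirm which roles reach `wp_ajax_mf_call`. Suggest a role gate next to the nonce check, e.g. `if ( ! current_user_can( 'edit_posts' ) ) { echo json_encode( array( 'success' => false, 'msg' => __( 'Insufficient permissions.', $mf_domain ) ) ); die; }`, tightened per `type` where the action changes plugin configuration. The new error message reads `$mf_domain`, but `resolve` is shown from its signature and declares no `global $mf_domain;`, so the variable is undefined here (notice plus fallback to the default text domain) — add `global $mf_domain;` as `upload_ajax` does. The `method_exists($this, $type)` dispatch on the context line also lets a caller name any public method, `resolve` and `remove_upload_file` included; a whitelist of accepted `type` values would close that.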
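Review bot: The new failure branch of `mf_sort_field` also reads `$mf_domain`, and no `global $mf_domain;` appears in the visible lines — the method header is only named in the hunk context, so it may be declared just above; verify, since `upload_ajax` declares it explicitly. The `create_function()` call on the context line is deprecated since PHP 7.2 and removed in 8.0, so this handler fatals on current PHP; `array_walk( $order, function ( &$v ) { $v = str_replace( 'order_', '', $v ); } );` is the drop-in replacement. `$data['group_id']` and `$order` are passed straight from the request into `save_order_field`, which is not in this patch, so its own validation cannot be confirmed here.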
@@ -39,9 +51,9 @@ public function check_name_post_type($data){ $check = mf_posttype::check_post_type($type,$id); if($check){ // exist type(name) in the system - $resp = array('success' => 0, 'msg' => __('The Type(name) of Post type exist,Please choose a different type(name).',$mf_domain) ); + $resp = array('success' => false, 'msg' => __('The Type(name) of Post type exist,Please choose a different type(name).',$mf_domain) ); }else{ - $resp = array('success' => 1); + $resp = array('success' => true); } echo json_encode($resp); } @@ -52,11 +64,11 @@ public function check_name_custom_group($data){ $name = $data['group_name']; $post_type = $data['post_type']; $id = $data['group_id']; - $resp = array('success' => 1); + $resp = array('success' => true); $check = mf_custom_group::check_group($name,$post_type,$id); if($check){ - $resp = array('success' => 0, 'msg' => __('The name of Group exist in this post type, Please choose a different name.',$mf_domain) ); + $resp = array('success' => false, 'msg' => __('The name of Group exist in this post type, Please choose a different name.',$mf_domain) ); } echo json_encode($resp); @@ -68,11 +80,11 @@ public function check_name_custom_field($data){ $name = $data['field_name']; $post_type = $data['post_type']; $id = $data['field_id']; - $resp = array('success' => 1); + $resp = array('success' => true); $check = mf_custom_fields::check_group($name,$post_type,$id); if($check){ - $resp = array('success' => 0, 'msg' => __('The name of Field exist in this post type, Please choose a different name.',$mf_domain) ); + $resp = array('success' => false, 'msg' => __('The name of Field exist in this post type, Please choose a different name.',$mf_domain) ); } echo json_encode($resp); } @@ -151,10 +163,8 @@ public function set_default_categories($data){ ); } $wpdb->query($sql); - $resp = array('success' => 1); - + $resp = array('success' => true); //update_post_meta(-2, $post_type, $cats); - echo json_encode($resp); } 
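Review bot: `set_default_categories` performs a write through `$wpdb->query($sql)` with no capability check, whereas the comparable write path `upload_ajax` gates on `current_user_can('upload_files')`; the nonce now required by `resolve` proves page provenance, not authority. Add `if ( ! current_user_can( 'manage_options' ) ) { echo json_encode( array( 'success' => false, 'msg' => __( 'You do not have sufficient permissions.', $mf_domain ) ) ); die; }` ahead of the query, using whatever capability the plugin's settings screens already require. `$sql` is assembled above the hunk, so whether it goes through `$wpdb->prepare()` cannot be confirmed from here; `cats` and `post_type` arrive straight from the request and must be escaped before any interpolation. The method's opening lines are outside the hunk.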
@@ -172,13 +182,6 @@ public static function remove_upload_file() { public function upload_ajax($data){ global $mf_domain; - if( !check_ajax_referer( 'mf_nonce_ajax', 'security', false ) ) { - mf_ajax_call::remove_upload_file(); - $resp = array('success' => false, 'msg' => __('Sorry, your nonce did not verify..',$mf_domain) ); - echo json_encode($resp); - die; - } - if ( !current_user_can('upload_files') ){ mf_ajax_call::remove_upload_file(); $resp = array('success' => false, 'msg' => __('You do not have sufficient permissions to upload images.',$mf_domain) ); diff --git a/admin/mf_post.php b/admin/mf_post.php index 8eec254..5f58ebc 100644 --- a/admin/mf_post.php +++ b/admin/mf_post.php @@ -403,13 +403,22 @@ function mf_get_post_values( $post_id ) { /* enqueue css and js base for post area*/ public function load_js_css_base(){ - global $mf_domain; - + wp_enqueue_style( 'mf_field_base', MF_BASENAME.'css/mf_field_base.css' ); wp_enqueue_script( 'tmpl', MF_BASENAME.'js/third_party/jquery.tmpl.js'); wp_enqueue_script( 'mf_field_base', MF_BASENAME.'js/mf_field_base.js'); wp_enqueue_script( 'mf_sortable_groups', MF_BASENAME.'js/mf_sortable_groups.js', array( 'jquery-ui-sortable' ) ); + mf_post::load_js_localize(); + + } + + public static function load_js_localize() { + + global $mf_domain; + + wp_enqueue_script( 'mf_clean', MF_BASENAME.'js/mf_clean.js'); + $mceAddString = "mceAddControl"; $mceRemoveString = "mceRemoveControl"; if(is_wp39()){ @@ -427,8 +436,7 @@ public function load_js_css_base(){ 'mf_mceRemoveString' => $mceRemoveString, 'mf_nonce_ajax' => wp_create_nonce( "mf_nonce_ajax" ) ); - wp_localize_script( 'mf_field_base', 'mf_js', $js_vars ); - + wp_localize_script( 'mf_clean', 'mf_js', $js_vars ); } /* enqueue css and js of fields */ diff --git a/js/mf_admin.js b/js/mf_admin.js index 4e1bb18..dd54b07 100644 --- a/js/mf_admin.js +++ b/js/mf_admin.js 
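Review bot: `load_js_localize` attaches `mf_js` to the new, empty `mf_clean` handle, but `mf_clean` is enqueued after `mf_field_base` and nothing declares it as a dependency, so the `mf_js` inline block is printed after `mf_field_base.js` has already executed. It works today only because every `mf_js` reference in this patch sits inside a `jQuery(document).ready` or event callback; a future top-level use would see `mf_js` undefined. Declare the dependency, `wp_enqueue_script( 'mf_field_base', MF_BASENAME.'js/mf_field_base.js', array( 'mf_clean' ) );`, and pass a version string so the empty placeholder file is not cached indefinitely. Note too that the nonce in `$js_vars` is now emitted on every post-edit screen, so any role that can reach the editor receives it — the server side still has to check capabilities per action. `load_js_css_base` is shown whole; `$js_vars` is assembled in the following hunk.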
@@ -1,5 +1,5 @@ jQuery(document).ready(function($) { - //Custom Validataion methods + //Custom Validataion methods jQuery.validator.addMethod( "lowercase", function(value, element) { return this.optional(element) || /^[0-9a-z\_]+$/.test(value); },'Only are accepted lowercase characters,numbers or underscores'); @@ -14,13 +14,21 @@ jQuery(document).ready(function($) { name = $('#posttype-type').val(); id = $('#posttype-id').val(); var status = 0; - - jQuery.ajax({ - url: ajaxurl, - type: 'POST', - async: false, - dataType: 'json', - data: "action=mf_call&type=check_name_post_type&post_type="+name+"&post_type_id="+id, + + var data = { + action : 'mf_call', + type : 'check_name_post_type', + post_type : name, + post_type_id : id, + security : mf_js.mf_nonce_ajax + } + + jQuery.ajax({ + url: ajaxurl, + type: 'POST', + async: false, + dataType: 'json', + data: data, success: function(response){ $("#message_post_type").hide(); if(response.success){ @@ -38,7 +46,7 @@ jQuery(document).ready(function($) { return false; }); - + //validation custom group $('#addCustomGroup').submit(function(){ name = $("#custom_group_name").val(); @@ -46,12 +54,21 @@ jQuery(document).ready(function($) { post_type = $("#custom_group_post_type").val(); var status = 0; if(name){ + + var data = { + action : 'mf_call', + type : 'check_name_custom_group', + group_name : name, + post_type : post_type, + group_id : group_id, + security : mf_js.mf_nonce_ajax + } jQuery.ajax({ url: ajaxurl, type: 'POST', async: false, dataType: 'json', - data: "action=mf_call&type=check_name_custom_group&group_name="+name+"&post_type="+post_type+"&group_id="+group_id, + data: data, success: function(response){ $("#message_mf_error").hide(); if(response.success){ @@ -68,9 +85,9 @@ jQuery(document).ready(function($) { return true; return false; - + }); - + //validation custom field $('#addCustomField').submit(function(){ name = $("#customfield-name").val(); 
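Review bot: The post-type name check is still `async: false` with no `error:` callback, so if admin-ajax returns anything that is not JSON — for instance a PHP notice printed ahead of the body, which the undeclared `$mf_domain` in the new `resolve` nonce branch would produce under `WP_DEBUG` — `status` stays 0 and the form silently refuses to submit with no message. Add `error: function () { $("#message_post_type").text(mf_js.mf_validation_error_msg).show(); }`, or at least an `alert`, so the user learns the request failed. Consider also dropping `async: false` (synchronous XHR on the main thread is deprecated) by submitting the form from the callback instead of returning from the handler. Moving the parameters into a `data` object is a real improvement: jQuery now URL-encodes `name` and `id` instead of concatenating them raw.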
@@ -78,12 +95,21 @@ jQuery(document).ready(function($) { post_type = $("#customfield-post_type").val(); var status = 0; if(name){ + var data = { + action : 'mf_call', + type : 'check_name_custom_field', + field_name : name, + post_type : post_type, + field_id : field_id, + security : mf_js.mf_nonce_ajax + } + jQuery.ajax({ url: ajaxurl, type: 'POST', async: false, dataType: 'json', - data: "action=mf_call&type=check_name_custom_field&field_name="+name+"&post_type="+post_type+"&field_id="+field_id, + data: data, success: function(response){ $("#message_mf_error").hide(); if(response.success){ @@ -98,22 +124,30 @@ jQuery(document).ready(function($) { } if(status) return true; - - return false; + + return false; }); - + //validation custom taxonomy $('#addCustomTaxonomy').submit(function(){ type = $("#custom-taxonomy-type").val(); taxonomy_id = $("#custom-taxonomy-id").val(); var status = 0; if(type){ + var data = { + action : 'mf_call', + type : 'check_type_custom_taxonomy', + taxonomy_type : type, + taxonomy_id : taxonomy_id, + security : mf_js.mf_nonce_ajax + } + jQuery.ajax({ url: ajaxurl, type: 'POST', async: false, dataType: 'json', - data: "action=mf_call&type=check_type_custom_taxonomy&taxonomy_type="+type+"&taxonomy_id="+taxonomy_id, + data: data, success: function(response){ $("#message_mf_error").hide(); if(response.success){ @@ -128,13 +162,13 @@ jQuery(document).ready(function($) { } if(status) return true; - - return false; + + return false; }); - - //Confirm for display a confirm box + + //Confirm for display a confirm box $('.mf_confirm').click(function() { - message = $(this).attr('alt'); + message = $(this).attr('alt'); return confirm_message(message); }); 
@@ -153,13 +187,23 @@ jQuery(document).ready(function($) { jQuery.post( ajaxurl, { - 'action':'mf_call', - 'type': 'change_custom_field', - 'field_type': type + 'action' :'mf_call', + 'type' : 'change_custom_field', + 'field_type' : type, + security : mf_js.mf_nonce_ajax }, function(response){ - $('#options_field_legend').hide(); - $("#options_field").empty().append(response); + + try { + var response = JSON.parse(response); + if (!response.success) { + alert(response.msg); + } + } catch(e) { + // this isn's an error + $('#options_field_legend').hide(); + $("#options_field").empty().append(response); + } } ); }else{ @@ -176,7 +220,7 @@ function suggestCustomFieldName(){ if (jQuery('#customfield-label').length > 0 && jQuery('#customfield-name').length > 0 && jQuery("#customfield-name").val() == '') { jQuery('#customfield-label').stringToSlug({ space:'_', - getPut:'#customfield-name', + getPut:'#customfield-name', prefix:jQuery('#name_group_slug').val() + " ", replace:/\s?\([^\)]*\)/gi }); @@ -193,7 +237,7 @@ confirm_message = function(message) { } function load_link_in_media_upload(){ - + jQuery('a.del-link').each(function(){ id = jQuery(this).next().attr('id'); check_repet = jQuery(this).prev().attr('class'); @@ -203,7 +247,7 @@ function load_link_in_media_upload(){ if(check == "" || check == undefined ){}else{ set = parent.window.mf_js.mf_image_media_set; jQuery(this).before(''+set+''); - jQuery(this).parent().find("input:submit").remove(); + jQuery(this).parent().find("input:submit").remove(); } } }); 
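Review bot: The `change_custom_field` callback uses `JSON.parse` throwing as its signal that the server sent an HTML fragment, which is fragile in both directions: a JSON reply without `success` (a bare `null` or `""`) makes `response.success` throw a TypeError that the `catch` then appends to `#options_field` as if it were markup, and an HTML reply that happens to parse (a bare number or quoted string) is silently treated as a failed call. `var response = JSON.parse(response)` also re-declares the callback parameter, so the raw text is lost once parsing succeeds. Since `resolve` now always emits a JSON envelope on error, have `change_custom_field` emit one on success too (`{success: true, html: ...}`), request `'json'`, and branch on `success`; the server side of that is not in this patch. The surrounding `else` branch and the enclosing handler close outside the hunk.
```javascript
jQuery.post(
    ajaxurl,
    { /* … unchanged: action, type, field_type, security … */ },
    function(response){
        if (!response || !response.success) {
            alert(response && response.msg ? response.msg : 'Request failed');
            return;
        }
        $('#options_field_legend').hide();
        $("#options_field").empty().append(response.html);
    },
    'json'
);
```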
@@ -213,15 +257,23 @@ function mf_set_image_field(id){ id_element = parent.window.mf_field_id; + var data = { + action : 'mf_call', + type : 'get_thumb', + image_id : id, + field_id : id_element, + security : mf_js.mf_nonce_ajax + } + jQuery.ajax({ url: ajaxurl, type: 'POST', dataType: 'json', - data: "action=mf_call&type=get_thumb&image_id="+id+"&field_id="+id_element, + data: data, success: function(response){ - - if (response.error == true) { - show_error_image_field(response.field_id,response.msg); + console.log(response); + if (response.success == false) { + show_error_image_field(id_element,response.msg); return; } @@ -243,33 +295,33 @@ jQuery(document).ready(function($){ if (check){ set = parent.window.mf_js.mf_image_media_set; $(this).before(''+set+''); - $(this).parent().find("input:submit").remove(); + $(this).parent().find("input:submit").remove(); } }); $(document).on('click', '.update_field_media_upload',function(){ window.mf_field_id = jQuery(this).attr('id'); }); - + $('#set-post-thumbnail , #add_image').click( function(){ window.mf_field_id = ''; }); - + $(document).on('click',".mce_add_image , .mce_add_video , .mce_add_audio , .mce_add_media",function(){ window.mf_field_id = ''; var a = this; - + // When a mce button is clicked, we have to hotswap the activeEditor instance, else the image will be inserted into the wrong tinyMCE box (current editor) setTimeout( function() { tinyMCE.activeEditor = tinyMCE.EditorManager.getInstanceById( a.id.replace('_add_media', '') ); wpActiveEditor = a.id.replace('_add_media', ''); }, 500 ); - + }); - //focus for visual editor wp 3.8 + //focus for visual editor wp 3.8 $(document).on('click',".mf_media_button_div > .add_media",function(){ var idElem = $(this).parent('div.mf_media_button_div').attr('id'); idElem = idElem.replace(/wp-/, ""); 
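Review bot: The error branch in `mf_set_image_field` now tests `response.success == false`, but `get_thumb` in admin/mf_ajax_call.php is not touched by this patch (no hunk for it), so if it still reports failures with the old `{error: true, field_id, msg}` shape those now fall through into the success path and only the nonce rejection from `resolve` is caught. Either update `get_thumb` to the `success`/`msg` envelope in the same commit or keep both tests until it is: `if (response.success == false || response.error == true) {`. The `console.log(response)` on the line above is debug output and should be removed before merge. The function's remaining lines are outside the hunk.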
@@ -279,9 +331,9 @@ jQuery(document).ready(function($){ }); function mf_use_new_image_gallery(){ - - if (typeof wp === 'undefined' || typeof wp.media === 'undefined') return; - + + if (typeof wp === 'undefined' || typeof wp.media === 'undefined') return; + var _custom_media = true; _orig_send_attachment = wp.media.editor.send.attachment; diff --git a/js/mf_clean.js b/js/mf_clean.js new file mode 100644 index 0000000..e69de29 diff --git a/js/mf_field_base.js b/js/mf_field_base.js index 469d274..ad9dc25 100644 --- a/js/mf_field_base.js +++ b/js/mf_field_base.js @@ -118,18 +118,37 @@ jQuery(document).ready(function($) { counter_id = '#mf_counter_'+group_id+'_'+group_index+'_'+field_id; field_index = parseInt($(counter_id).val()) + 1; + var data = { + action : 'mf_call', + type : 'field_duplicate', + group_id : group_id, + group_index : group_index, + field_id : field_id, + field_index : field_index, + security : mf_js.mf_nonce_ajax + } + jQuery.ajax({ url: ajaxurl, type: 'POST', - data: "action=mf_call&type=field_duplicate&group_id="+group_id+"&group_index="+group_index+"&field_id="+field_id+"&field_index="+field_index, + data: data, success: function(response){ - var newel = jQuery(response); - $(counter_id).before(newel); - newel.find('.mf_message_error .error_magicfields').hide(); - $(counter_id).val(field_index); - fixcounter('#mf_group_field_'+group_id+'_'+group_index+'_'+field_id); - $.mf_bind('duplicate'); - mf_use_new_image_gallery(); + + try { + var response = JSON.parse(response); + if (!response.success) { + alert(response.msg); + } + } catch(e) { + // this isn's an error + var newel = jQuery(response); + $(counter_id).before(newel); + newel.find('.mf_message_error .error_magicfields').hide(); + $(counter_id).val(field_index); + fixcounter('#mf_group_field_'+group_id+'_'+group_index+'_'+field_id); + $.mf_bind('duplicate'); + mf_use_new_image_gallery(); + } } }); }); 
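Review bot: The ten-line `try { JSON.parse … } catch { append }` block added to the `field_duplicate` callback is copied verbatim into `group_duplicate` in the next hunk and `change_custom_field` in mf_admin.js, and each copy shadows its `response` parameter with `var response`. Pull it into one helper that takes the fragment handler as a callback, so the JSON-versus-HTML decision lives in one place and a later move to a JSON envelope touches a single function. The helper below keeps today's rule — a parseable body is a status report, anything else is markup — and only adds a guard for a parseable body with no `success` field, which today throws inside the `try` and gets appended as text. The enclosing `jQuery(document).ready` wrapper starts above the hunk.
```javascript
// Shared by field_duplicate, group_duplicate (mf_field_base.js) and
// change_custom_field (mf_admin.js). A body that parses as JSON is a status
// envelope from mf_ajax_call::resolve; anything else is an HTML fragment.
function mf_handle_fragment_response(response, onFragment) {
    var parsed;
    try {
        parsed = JSON.parse(response);
    } catch (e) {
        onFragment(response);
        return;
    }
    if (!parsed || !parsed.success) {
        alert(parsed && parsed.msg ? parsed.msg : response);
    }
}

// … in the field_duplicate success callback:
success: function(response){
    mf_handle_fragment_response(response, function(html){
        var newel = jQuery(html);
        // … unchanged: insert before counter, bump counter, fixcounter, rebind …
    });
}
```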
@@ -144,18 +163,35 @@ jQuery(document).ready(function($) { counter_group_id = '#mf_group_counter_'+group_id; group_index = parseInt($(counter_group_id).val()) + 1; + var data = { + action : 'mf_call', + type : 'group_duplicate', + group_id : group_id, + group_index : group_index, + security : mf_js.mf_nonce_ajax + } + jQuery.ajax({ url: ajaxurl, type: 'POST', - data: "action=mf_call&type=group_duplicate&group_id="+group_id+"&group_index="+group_index, + data: data, success: function(response){ - var newel = jQuery(response); - $(counter_group_id).before(newel); - newel.find('.mf_message_error .error_magicfields').hide(); - $(counter_group_id).val(group_index); - fixCounterGroup('#mf_group-'+group_id); - $.mf_bind('duplicate'); - mf_use_new_image_gallery(); + + try { + var response = JSON.parse(response); + if (!response.success) { + alert(response.msg); + } + } catch(e) { + // this isn's an error + var newel = jQuery(response); + $(counter_group_id).before(newel); + newel.find('.mf_message_error .error_magicfields').hide(); + $(counter_group_id).val(group_index); + fixCounterGroup('#mf_group-'+group_id); + $.mf_bind('duplicate'); + mf_use_new_image_gallery(); + } } }); }); @@ -163,17 +199,17 @@ jQuery(document).ready(function($) { //add validation for fields $('.mf_message_error .error_magicfields').hide(); $.metadata.setType("attr", "validate"); - + //Validating the post $("#post").validate({ errorClass: "error_magicfields", - invalidHandler: function(form, validator) { + invalidHandler: function(form, validator) { var errors = validator.numberOfInvalids(); if (errors) { $('#mf-publish-errors').remove(); $('#publishing-action #ajax-loading').hide(); $('#publishing-action #publish').removeClass("button-primary-disabled"); - $('#major-publishing-actions').append( $('
'+mf_js.mf_validation_error_msg+'
') ); + $('#major-publishing-actions').append( $('
'+mf_js.mf_validation_error_msg+'
') ); } }, submitHandler: function(form) { @@ -182,12 +218,12 @@ jQuery(document).ready(function($) { form.submit(); } }); - + var mf_groups = $('.mf_group'); $(document).on("keydown", mf_groups.find("input[type=text],textarea"),fieldchange); $(document).on("click", mf_groups.find("input[type=checkbox],input[type=radio]"),fieldchange); $(document).on("change",mf_groups.find("select"), fieldchange); - + //callback before save $(document).on('click',"#publish",function(){ $.mf_bind('callback_before_save'); }); diff --git a/js/mf_posttypes_sortable.js b/js/mf_posttypes_sortable.js index 7490d9c..e8dfb52 100644 --- a/js/mf_posttypes_sortable.js +++ b/js/mf_posttypes_sortable.js @@ -19,7 +19,7 @@ jQuery( document ).ready( function( $ ) { //getting the group id exp = /group\-([0-9]+)/g; group_id = exp.exec($(this).attr('rel'))[1]; - + save_fields_order(group_id); } }); @@ -30,20 +30,22 @@ jQuery( document ).ready( function( $ ) { order : $('#mf_order_fields').val(), action : 'mf_call', type : 'mf_sort_field', - group_id : group_id + group_id : group_id, + security : mf_js.mf_nonce_ajax } $.ajax({ type: 'POST', url: ajaxurl, data: data, - success: function (msg) { - $('#mf-ajax-loading-'+group_id).hide(); - - if ( msg == "1" ) { - }else{ - alert('somethings wrong!, try again please'); + dataType: 'json', + success: function (response) { + if(response.success){ + $('#mf-ajax-loading-'+group_id).hide(); + } else { + alert(response.msg); } + }, beforeSend: function () { $('#mf-ajax-loading-'+group_id).show(); diff --git a/js/mf_set_categories.js b/js/mf_set_categories.js index 823c21b..974b7e5 100644 --- a/js/mf_set_categories.js +++ b/js/mf_set_categories.js 
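Review bot: In `save_fields_order` the `$('#mf-ajax-loading-'+group_id).hide()` call moved inside `if(response.success)`, so on a nonce rejection or any other failure the spinner shown in `beforeSend` never goes away, and with no `error:` callback a non-JSON reply leaves it spinning silently as well. Hide it on both paths with a `complete:` callback, `complete: function () { $('#mf-ajax-loading-'+group_id).hide(); },`, and give `error:` at least an `alert`. `group_id` comes from a `rel` attribute via the regex in the preceding hunk and is posted as-is, so `save_order_field` on the server has to treat it as untrusted — that code is not in this patch.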
@@ -1,42 +1,51 @@ jQuery(document).ready(function($) { $('#adminmenuback,#adminmenuwrap,#wpadminbar,#footer').css( 'display', 'none' ); - + $('#send_set_categories').click(function() { - + $('#resp').css('display','none'); default_cat = ''; - $('.dos').each(function(){ + $('.dos').each(function(){ - if($(this).is(':checked')){ - if (default_cat.length == 0) { - default_cat = $(this).val(); - }else{ - default_cat += '|||' + $(this).val(); - } - + if($(this).is(':checked')){ + if (default_cat.length == 0) { + default_cat = $(this).val(); + }else{ + default_cat += '|||' + $(this).val(); } - - }); + } + }); - name = $('#post_type_name').val(); - jQuery.ajax({ - url: ajaxurl, - type: 'POST', - async: true, - dataType: 'json', - data: "action=mf_call&type=set_default_categories&cats="+default_cat+"&post_type="+name, - beforeSend: function($co){ - - }, - success: function(response){ - $("#message_mf_error").hide(); - if(response.success){ - status = 1; + name = $('#post_type_name').val(); + var data = { + action : 'mf_call', + type : 'set_default_categories', + cats : default_cat, + post_type : name, + security : mf_js.mf_nonce_ajax + } + + jQuery.ajax({ + url: ajaxurl, + type: 'POST', + async: true, + dataType: 'json', + data: data, + beforeSend: function($co){ + + }, + success: function(response){ + $("#message_mf_error").hide(); + if(response.success){ + status = 1; $('#resp').css('display','block'); - }else{ - - } - } - }); + }else{ + alert(response.msg); + } + }, + error: function () { + + } }); -}); \ No newline at end of file + }); +}); diff --git a/main.php b/main.php index 38145b1..e885a0d 100644 --- a/main.php +++ b/main.php 
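Review bot: The new `error: function () { }` in the set-default-categories handler swallows transport and JSON-parse failures, so a rejection that arrives as non-JSON (or an admin-ajax `0`/`-1` reply) leaves `#resp` hidden with no indication anything happened; mirror the failure branch at minimum, `error: function () { alert(mf_js.mf_validation_error_msg); }`, or surface the status text. `status = 1` and `name = $('#post_type_name').val()` assign undeclared globals, and `status` is never read in the lines shown — declare them with `var` or drop `status`. The `'|||'` join means a checkbox value containing that sequence would be split on the server; harmless if the values are numeric IDs, worth a comment if they ever are not.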
@@ -293,6 +293,23 @@ function mf_add_js() { $css_js->set_categories(); } + + $actions = array( + 'fields_list', + 'add_post_type', + 'edit_post_type', + 'add_group', + 'edit_group', + 'add_field', + 'edit_field', + 'add_custom_taxonomy', + 'edit_custom_taxonomy', + 'set_categories' + ); + if ( isset($_GET['page']) && $_GET['page'] == 'mf_dispatcher' && isset($_GET['mf_action']) && in_array($_GET['mf_action'],$actions) ) { + mf_post::load_js_localize(); + } + } } }
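Review bot: The gate uses a loose `in_array( $_GET['mf_action'], $actions )` and `==` against `$_GET['page']`; both operands are strings here so they behave, but `in_array( $_GET['mf_action'], $actions, true )` and `===` are the safe habit for request-derived values and cost nothing. The hard-coded `$actions` list duplicates whatever set of actions the dispatcher accepts, so a new dispatcher screen that is not added here loads without `mf_js`, its AJAX calls post `security` undefined, and every request fails the new nonce check — consider exposing the list from the dispatcher and reusing it. `mf_add_js` starts above the hunk, so whether an earlier branch already localizes for some of these pages cannot be confirmed from here.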