官术网_书友最值得收藏!

Time for action – Add a security nonce

  1. Open the wp-live-blogroll.js.php file and add create a nonce at the beginning of the script:
      function WPLiveRoll_ScriptsAction() 
            {
              global $wp_live_blogroll_plugin_url;
              if (!is_admin())
              {
                // create a nonce
                $nonce = wp_create_nonce('wp-live-blogroll');
    
                wp_enqueue_script('jquery');
                wp_enqueue_script('wp_live_roll_script', 
                $wp_live_blogroll_plugin_url.'/wp-live-blogroll.js', 
                array('jquery'));
            
              }
            }
  2. Modify the Ajax call to include the generated nonce as an additional parameter:
       $.ajax({
          type: "GET",
          url: LiverollSettings.plugin_url + '/wp-live-blogroll-ajax.php',
          timeout: 3000,                    
          data: {
             link_url: this.href,
     _ajax_nonce: '<?php echo $nonce; ?>'
           },       
           success: function(msg) {
  3. Modify wp-live-blogroll-ajax.php and add this check at the beginning of Ajax handler function:
           function WPLiveRoll_Handle ajax($link_url)
            {
                // check security
                check_ajax_referer( "wp-live-blogroll" );

With this simple modification, we have made sure that our Ajax handling script is used only when our plugin calls it.

What just happened?

When our script is run the next time, a unique nonce is created using the wp_create_nonce() function. We use a nonce identifier as a parameter:

    $nonce = wp_create_nonce( 'wp-live-blogroll' );

We then pass this nonce as the Ajax_nonce parameter. WordPress checks this parameter automatically in the check_ajax_referer function, which also uses the nonce identifier parameter:

        check_ajax_referer( "wp-live-blogroll" );

If the check fails, the script will simply exit at that point (internally, die(-1) happens).

Note

Quick reference

wp_create_nonce(nonce_id): It creates a unique nonce using the identifier.

check_ajax_referer(nonce_id): It is used to check Ajax nonces; passed as the ajax_nonce parameter, using the nonce identifier.

To read more about possible security implication and Cross-Site Request Forgery (CSRF), visit http://en.wikipedia.org/wiki/Cross-site_request_forgery.

主站蜘蛛池模板: 辰溪县| 鲁甸县| 平山县| 登封市| 凌源市| 宁远县| 承德市| 泸定县| 砀山县| 广东省| 台东县| 宝清县| 内黄县| 镇宁| 贵溪市| 岳普湖县| 卢龙县| 名山县| 庆城县| 凤城市| 麦盖提县| 泸西县| 平阳县| 新野县| 谷城县| 清原| 奈曼旗| 包头市| 无锡市| 台山市| 淮北市| 延津县| 葵青区| 都昌县| 梁河县| 五峰| 博野县| 靖江市| 托克托县| 富锦市| 南阳市|