- WordPress Plugin Development Beginner's Guide
- Vladimir Prelovac
- 2021-05-21 20:12:22
Time for action – Add a security nonce
- Open the wp-live-blogroll.js.php file and create a nonce at the beginning of the script:

```php
function WPLiveRoll_ScriptsAction() {
    global $wp_live_blogroll_plugin_url;

    if (!is_admin()) {
        // create a nonce tied to the action name 'wp-live-blogroll'
        $nonce = wp_create_nonce('wp-live-blogroll');

        wp_enqueue_script('jquery');
        wp_enqueue_script('wp_live_roll_script',
            $wp_live_blogroll_plugin_url.'/wp-live-blogroll.js',
            array('jquery'));
    }
}
```
- Modify the Ajax call to include the generated nonce as an additional parameter:

```javascript
$.ajax({
    type: "GET",
    url: LiverollSettings.plugin_url + '/wp-live-blogroll-ajax.php',
    timeout: 3000,
    data: {
        link_url: this.href,
        // the nonce is checked server-side by check_ajax_referer()
        _ajax_nonce: '<?php echo $nonce; ?>'
    },
    success: function(msg) {
        // ... handle the response ...
    }
});
```
- Modify wp-live-blogroll-ajax.php and add this check at the beginning of the Ajax handler function:

```php
function WPLiveRoll_HandleAjax($link_url) {
    // check security: exits if the nonce is missing or invalid
    check_ajax_referer( "wp-live-blogroll" );

    // ... rest of the handler ...
}
```
With this simple modification, we have made sure that our Ajax handling script only does its work for requests that carry a nonce our plugin generated, rather than for any request that happens to reach the file.
What just happened?
When our script is run the next time, a unique nonce is created using the wp_create_nonce() function. We pass a nonce identifier (the action name) as its parameter:

```php
$nonce = wp_create_nonce( 'wp-live-blogroll' );
```

We then pass this nonce as the `_ajax_nonce` request parameter. WordPress checks this parameter automatically in the check_ajax_referer() function, which takes the same nonce identifier:

```php
check_ajax_referer( "wp-live-blogroll" );
```

If the check fails, the script simply exits at that point (internally, die(-1) happens), so the code after the check never runs for a forged request.
Note

Quick reference

- wp_create_nonce(nonce_id): creates a unique nonce using the identifier.
- check_ajax_referer(nonce_id): checks an Ajax nonce passed as the `_ajax_nonce` parameter, using the nonce identifier.

To read more about the possible security implications and Cross-Site Request Forgery (CSRF), visit http://en.wikipedia.org/wiki/Cross-site_request_forgery.
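The same nonce flow, as an added example that is not the book's code: it passes the nonce to an ordinary enqueued .js file with wp_localize_script() instead of embedding PHP in the script, and routes the request through WordPress's admin-ajax.php endpoint. The function, handle and action names (wplr_example_*, wplr_fetch) are assumed for illustration.

```php
<?php
// Added example (not the book's code). Runs as part of a plugin file.

add_action( 'wp_enqueue_scripts', 'wplr_example_enqueue' );
function wplr_example_enqueue() {
    if ( is_admin() ) {
        return;
    }
    wp_enqueue_script(
        'wplr-example',
        plugins_url( 'wp-live-blogroll.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    // Exposed to the script as window.LiverollSettings; the nonce is
    // bound to the action name and to the current user (0 for visitors).
    wp_localize_script( 'wplr-example', 'LiverollSettings', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'wp-live-blogroll' ),
    ) );
    // In wp-live-blogroll.js the call then looks like:
    //   $.get(LiverollSettings.ajax_url,
    //         { action: 'wplr_fetch', link_url: this.href,
    //           _ajax_nonce: LiverollSettings.nonce }, ...);
}

// The blogroll is public, so register the handler for logged-in users
// (wp_ajax_*) and anonymous visitors (wp_ajax_nopriv_*) alike.
add_action( 'wp_ajax_wplr_fetch', 'wplr_example_handle_ajax' );
add_action( 'wp_ajax_nopriv_wplr_fetch', 'wplr_example_handle_ajax' );
function wplr_example_handle_ajax() {
    // Reads $_REQUEST['_ajax_nonce'] and exits the request when the nonce
    // is missing, forged or expired; nothing below runs in that case.
    check_ajax_referer( 'wp-live-blogroll' );

    // The nonce proves intent, not input validity: still sanitize.
    $link_url = isset( $_GET['link_url'] )
        ? esc_url_raw( wp_unslash( $_GET['link_url'] ) )
        : '';
    if ( '' === $link_url ) {
        wp_send_json_error( 'missing link_url', 400 );
    }
    wp_send_json_success( array( 'link_url' => $link_url ) );
}
```

WordPress nonces are valid for 12 to 24 hours and are tied to the user, so a full-page cache that stores the localized script output can hand a stale nonce to later visitors and make every Ajax call fail the check.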