- WordPress Plugin Development Beginner's Guide
- Vladimir Prelovac
- 239字
- 2021-05-21 20:12:22
Time for action – Add a security nonce
- Open the
wp-live-blogroll.js.phpfile and add create a nonce at the beginning of the script:function WPLiveRoll_ScriptsAction() { global $wp_live_blogroll_plugin_url; if (!is_admin()) { // create a nonce $nonce = wp_create_nonce('wp-live-blogroll'); wp_enqueue_script('jquery'); wp_enqueue_script('wp_live_roll_script', $wp_live_blogroll_plugin_url.'/wp-live-blogroll.js', array('jquery')); } } - Modify the Ajax call to include the generated nonce as an additional parameter:
$.ajax({ type: "GET", url: LiverollSettings.plugin_url + '/wp-live-blogroll-ajax.php', timeout: 3000, data: { link_url: this.href, _ajax_nonce: '<?php echo $nonce; ?>' }, success: function(msg) { - Modify
wp-live-blogroll-ajax.phpand add this check at the beginning of Ajax handler function:function WPLiveRoll_Handle ajax($link_url) { // check security check_ajax_referer( "wp-live-blogroll" );
With this simple modification, we have made sure that our Ajax handling script is used only when our plugin calls it.
What just happened?
When our script is run the next time, a unique nonce is created using the wp_create_nonce() function. We use a nonce identifier as a parameter:
$nonce = wp_create_nonce( 'wp-live-blogroll' );
We then pass this nonce as the Ajax_nonce parameter. WordPress checks this parameter automatically in the check_ajax_referer function, which also uses the nonce identifier parameter:
check_ajax_referer( "wp-live-blogroll" );
If the check fails, the script will simply exit at that point (internally, die(-1) happens).
Note
Quick reference
wp_create_nonce(nonce_id): It creates a unique nonce using the identifier.
check_ajax_referer(nonce_id): It is used to check Ajax nonces; passed as the ajax_nonce parameter, using the nonce identifier.
To read more about possible security implication and Cross-Site Request Forgery (CSRF), visit http://en.wikipedia.org/wiki/Cross-site_request_forgery.
- ANSYS19.0實(shí)例詳解
- User Training for Busy Programmers
- Excel 數(shù)據(jù)處理與分析實(shí)例教程(第2版)
- Moldflow模流分析與工程應(yīng)用
- 中文版Maya 2012實(shí)用教程(第2版)
- Premiere Pro 2022從新手到高手
- AI短視頻生成與剪輯實(shí)戰(zhàn)108招:ChatGPT+剪映
- Small Business Server 2008 – Installation, Migration, and Configuration
- Apache Solr 3.1 Cookbook
- Choosing an Open Source CMS: Beginner's Guide
- IBM Lotus Notes and Domino 8.5.1
- 科技繪圖/科研論文圖/論文配圖設(shè)計(jì)與創(chuàng)作自學(xué)手冊(cè):科研動(dòng)畫篇
- 好用,Excel數(shù)據(jù)處理高手
- 中文版Photoshop 2023從入門到精通
- LaTeX論文寫作教程