
Time for action – Add a security nonce

  1. Open the wp-live-blogroll.js.php file and create a nonce at the beginning of the script:
      function WPLiveRoll_ScriptsAction()
      {
          global $wp_live_blogroll_plugin_url;
          if (!is_admin())
          {
              // create a nonce
              $nonce = wp_create_nonce('wp-live-blogroll');

              wp_enqueue_script('jquery');
              wp_enqueue_script('wp_live_roll_script',
                  $wp_live_blogroll_plugin_url.'/wp-live-blogroll.js',
                  array('jquery'));
          }
      }
  2. Modify the Ajax call to include the generated nonce as an additional parameter:
      $.ajax({
          type: "GET",
          url: LiverollSettings.plugin_url + '/wp-live-blogroll-ajax.php',
          timeout: 3000,
          data: {
              link_url: this.href,
              _ajax_nonce: '<?php echo $nonce; ?>'
          },
          success: function(msg) {
  3. Modify wp-live-blogroll-ajax.php and add this check at the beginning of the Ajax handler function:
      function WPLiveRoll_HandleAjax($link_url)
      {
          // check security
          check_ajax_referer( "wp-live-blogroll" );

With this simple modification, we have made sure that our Ajax handling script only serves requests that carry a valid nonce, that is, requests originating from a page our plugin rendered. A request forged from another site will not carry the nonce and is rejected, which is the defence against Cross-Site Request Forgery (CSRF).
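The three steps above, put together as one added example (this is not the book's plugin code). It keeps the same nonce action name, but passes the nonce to the JavaScript with wp_localize_script() instead of echoing PHP into the .js file, which also avoids depending on $nonce being in scope where it is echoed, and it serves the request through WordPress's own admin-ajax.php hooks (wp_ajax_ and wp_ajax_nopriv_) so that check_ajax_referer() is guaranteed to be loaded. The Ajax action name wp_live_roll_lookup and the function names prefixed wpliveroll_example_ are assumptions made for this example; the script is assumed to send action, link_url and _ajax_nonce (read from LiverollSettings.nonce) to LiverollSettings.ajax_url.

```php
<?php
// Added example, not the original plugin's code. Assumes it lives in the
// plugin's main file. Hook names wp_ajax_* and the WordPress functions used
// are core API; the action name 'wp_live_roll_lookup' is an assumption.

function wpliveroll_example_enqueue_scripts() {
    if ( is_admin() ) {
        return;
    }
    wp_enqueue_script(
        'wp_live_roll_script',
        plugins_url( 'wp-live-blogroll.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    // Hand the nonce and the endpoint to the script as LiverollSettings.*
    // rather than echoing PHP into the JavaScript file.
    wp_localize_script( 'wp_live_roll_script', 'LiverollSettings', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'wp-live-blogroll' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'wpliveroll_example_enqueue_scripts' );

function wpliveroll_example_handle_ajax() {
    // Verifies the _ajax_nonce (or _wpnonce) request parameter against the
    // same action string given to wp_create_nonce(); on failure WordPress
    // ends the request with -1 and the handler body below never runs.
    check_ajax_referer( 'wp-live-blogroll' );

    // The nonce proves the request came from our page, not that the data is
    // well formed, so the input is still validated and sanitised.
    $link_url = isset( $_GET['link_url'] )
        ? esc_url_raw( wp_unslash( $_GET['link_url'] ) )
        : '';
    if ( '' === $link_url ) {
        wp_send_json_error( 'missing or invalid link_url', 400 );
    }

    // Real handler work (fetching the feed for $link_url) would go here.
    wp_send_json_success( array( 'link_url' => $link_url ) );
}
add_action( 'wp_ajax_wp_live_roll_lookup', 'wpliveroll_example_handle_ajax' );
add_action( 'wp_ajax_nopriv_wp_live_roll_lookup', 'wpliveroll_example_handle_ajax' );
```

Two caveats worth knowing when the nonce protects a front-end request like this one. For visitors who are not logged in, WordPress nonces are not bound to a particular user (user ID 0 and no session token), so all anonymous visitors within the same time window receive the same value; the check still stops blind cross-site forgery, but it is not a substitute for validating and rate-limiting the input. And because a nonce is only valid for a limited time (by default between 12 and 24 hours), a page served from a full-page cache can hand out an expired nonce, so the client should treat a -1 response as "reload the page" rather than as a permanent error.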

What just happened?

When our script is run the next time, a nonce is created using the wp_create_nonce() function. The nonce is a short hash that WordPress derives from the action identifier we pass as the parameter, the current user and a time window, so it cannot be predicted by a third party:

    $nonce = wp_create_nonce( 'wp-live-blogroll' );

We then send this nonce with the Ajax request as the _ajax_nonce parameter. In the handler, check_ajax_referer() reads that parameter from the request and verifies it against the same nonce identifier:

        check_ajax_referer( "wp-live-blogroll" );

If the check fails, the script simply exits at that point (internally, check_ajax_referer() dies with -1), so the client receives -1 instead of a result and the handler body is never reached.

Note

Quick reference

wp_create_nonce(nonce_id): It creates a nonce tied to the given identifier (the action name).

check_ajax_referer(nonce_id): It verifies the nonce sent in the _ajax_nonce request parameter against the given identifier, and terminates the request if verification fails.

To read more about the possible security implications and Cross-Site Request Forgery (CSRF), visit http://en.wikipedia.org/wiki/Cross-site_request_forgery.
