Add nonces in admin-ajax.php

Author: evgenyvolferts

class.tilda-admin.php

@@ -458,6 +458,10 @@ public static function ajax_add_new_key() {
 			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
 		}
 
+		if ( ! wp_verify_nonce( $_POST['t_nonce'], 't_add_new_key' ) ) {
+			wp_die( '<p>' . __( 'Invalid request' ) . '<p>', 403 );
+		}
+
 		$request  = Tilda_Admin::options_sanitize( $_POST );
 		$defaults = [
 			'store_html_only'   => true,
@@ -517,6 +521,10 @@ public static function ajax_delete_key() {
 			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
 		}
 
+		if ( ! wp_verify_nonce( $_GET['t_nonce'], 't_delete_key' ) ) {
+			wp_die( '<p>' . __( 'Invalid request' ) . '<p>', 403 );
+		}
+
 		$request = Tilda_Admin::options_sanitize( $_GET );
 
 		if ( ! isset( $request['id'] ) ) {
@@ -539,6 +547,10 @@ public static function ajax_update_key() {
 			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
 		}
 
+		if ( ! wp_verify_nonce( $_GET['t_nonce'], 't_update_key' ) ) {
+			wp_die( '<p>' . __( 'Invalid request' ) . '<p>', 403 );
+		}
+
 		$request = Tilda_Admin::options_sanitize( $_GET );
 
 		if ( ! isset( $request['id'] ) ) {
@@ -568,6 +580,10 @@ public static function ajax_refresh_key() {
 			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
 		}
 
+		if ( ! wp_verify_nonce( $_GET['t_nonce'], 't_refresh_key' ) ) {
+			wp_die( '<p>' . __( 'Invalid request' ) . '<p>', 403 );
+		}
+
 		$request = Tilda_Admin::options_sanitize( $_GET );
 
 		if ( empty( $request['id'] ) ) {
@@ -605,6 +621,10 @@ public static function ajax_get_projects() {
 			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
 		}
 
+		if ( ! wp_verify_nonce( $_GET['t_nonce'], 't_get_projects' ) ) {
+			wp_die( '<p>' . __( 'Invalid request' ) . '<p>', 403 );
+		}
+
 		$projects = Tilda::get_local_projects();
 		if ( empty( $projects ) ) {
 			$projects = [];
@@ -620,6 +640,10 @@ public static function ajax_update_project() {
 			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
 		}
 
+		if ( ! wp_verify_nonce( $_POST['t_nonce'], 't_update_project' ) ) {
+			wp_die( '<p>' . __( 'Invalid request' ) . '<p>', 403 );
+		}
+
 		$request = Tilda_Admin::project_sanitize( $_POST );
 
 		if ( ! isset( $request['id'] ) ) {
@@ -646,6 +670,10 @@ public static function ajax_get_keys() {
 			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
 		}
 
+		if ( ! wp_verify_nonce( $_POST['t_nonce'], 't_get_keys' ) ) {
+			wp_die( '<p>' . __( 'Invalid request' ) . '<p>', 403 );
+		}
+
 		wp_send_json( Tilda::get_local_keys(), 200 );
 	}
 
@@ -657,6 +685,10 @@ public static function ajax_update_common_settings() {
 			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
 		}
 
+		if ( ! wp_verify_nonce( $_POST['t_nonce'], 't_update_common_settings' ) ) {
+			wp_die( '<p>' . __( 'Invalid request' ) . '<p>', 403 );
+		}
+
 		$options = get_option( Tilda_Admin::OPTION_OPTIONS );
 		$request = Tilda_Admin::options_sanitize( $_POST );
 
@@ -1362,6 +1394,10 @@ public static function ajax_sync() {
 			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
 		}
 
+		if ( ! wp_verify_nonce( $_POST['t_nonce'], 't_admin_sync' ) ) {
+			wp_die( '<p>' . __( 'Invalid request' ) . '<p>', 403 );
+		}
+
 		$arResult = [];
 		if ( empty( $_REQUEST['page_id'] ) || empty( $_REQUEST['project_id'] ) || empty( $_REQUEST['post_id'] ) ) {
 			$arResult['error'] = __( 'Bad request line. Missing parameter: projectid', 'tilda' );
@@ -1414,6 +1450,10 @@ public static function ajax_export_file() {
 			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
 		}
 
+		if ( ! wp_verify_nonce( $_POST['t_nonce'], 't_admin_export_file' ) ) {
+			wp_die( '<p>' . __( 'Invalid request' ) . '<p>', 403 );
+		}
+
 		if ( empty( self::$ts_start_plugin ) ) {
 			self::$ts_start_plugin = time();
 		}
@@ -1498,6 +1538,10 @@ public static function ajax_switcher_status() {
 			wp_die( '<p>' . __( 'You need a higher level of permission.' ) . '<p>', 403 );
 		}
 
+		if ( ! wp_verify_nonce( $_POST['t_nonce'], 't_admin_switcher_status' ) ) {
+			wp_die( '<p>' . __( 'Invalid request' ) . '<p>', 403 );
+		}
+
 		if (
 			empty( $_REQUEST['post_id'] )
 			|| empty( $_REQUEST['tilda_status'] )

js/configuration.js

@@ -145,23 +145,23 @@
         w.switchStore = function (element, id) {
             var checkbox = $('#store_checkbox_' + id);
             var current = checkbox.prop('checked');
-            $('#store_checkbox_' + id).prop('checked', !current);
+            checkbox.prop('checked', !current);
             $(element).attr('src', (!current) ? imgSwitcherOn : imgSwitcherOff);
             ajaxChangeKey(id, 'store_html_only', !current);
         }
 
         w.switchApplyCss = function (element, id) {
             var checkbox = $('#apply_css_checkbox_' + id);
             var current = checkbox.prop('checked');
-            $('#apply_css_checkbox_' + id).prop('checked', !current);
+            checkbox.prop('checked', !current);
             $(element).attr('src', (!current) ? imgSwitcherOn : imgSwitcherOff);
             ajaxChangeKey(id, 'apply_css_in_list', !current);
         }
 
         w.switchEnableProject = function (element, id) {
             var checkbox = $('#project_enable_checkbox_' + id);
             var current = checkbox.prop('checked');
-            $('#project_enable_checkbox_' + id).prop('checked', !current);
+            checkbox.prop('checked', !current);
             $(element).attr('src', (!current) ? imgSwitcherOn : imgSwitcherOff);
             ajaxChangeProjectEnabled(id, !current);
         }
@@ -204,38 +204,77 @@
 
         function ajaxGetKeyList() {
             return new Promise(function (resolve) {
-                $.post(w.ajaxurl, {action: 'get_keys'}, resolve);
+                $.post(
+                    w.ajaxurl,
+                    {
+                        action: 'get_keys',
+                        t_nonce: $("#t_get_keys_nonce").val()
+                    },
+                    resolve
+                );
             });
         }
 
         function ajaxGetProjectList() {
             return new Promise(function (resolve) {
-                $.get(w.ajaxurl, {action: 'get_projects'}, resolve);
+                $.get(
+                    w.ajaxurl,
+                    {
+                        action: 'get_projects',
+                        t_nonce: $("#t_get_projects_nonce").val()
+                    },
+                    resolve
+                );
             });
         }
 
         function ajaxKeyRefresh(id) {
             return new Promise(function (resolve) {
-                $.get(w.ajaxurl, {action: 'refresh_key', id: id}, resolve);
+                $.get(
+                    w.ajaxurl,
+                    {
+                        action: 'refresh_key',
+                        id: id,
+                        t_nonce: $("#t_refresh_key_nonce").val()
+                    },
+                    resolve
+                );
             });
         }
 
         function ajaxKeyDelete(id) {
             return new Promise(function (resolve) {
-                $.get(w.ajaxurl, {action: 'delete_key', id: id}, resolve);
+                $.get(
+                    w.ajaxurl,
+                    {
+                        action: 'delete_key',
+                        id: id,
+                        t_nonce: $("#t_delete_key_nonce").val()
+                    },
+                    resolve
+                );
             });
         }
 
         function ajaxChangeKey(id, param_name, param_value) {
-            var data = {action: 'update_key', id: id};
+            var data = {
+                action: 'update_key',
+                id: id,
+                t_nonce: $("#t_update_key_nonce").val()
+            };
             data[param_name] = param_value;
             return new Promise(function (resolve) {
                 $.get(w.ajaxurl, data, resolve);
             });
         }
 
         function ajaxChangeProjectEnabled(id, newvalue) {
-            var data = {action: 'update_project', id: id, enabled: newvalue};
+            var data = {
+                action: 'update_project',
+                id: id,
+                enabled: newvalue,
+                t_nonce: $("#t_update_project_nonce").val()
+            };
             return new Promise(function (resolve) {
                 $.post(w.ajaxurl, data, resolve);
             });
@@ -248,6 +287,7 @@
                 secret_key: secret_key,
                 store_html_only: store_html_only,
                 apply_css_in_list: apply_css_in_list,
+                t_nonce: $("#t_add_new_key_nonce").val()
             }
             return new Promise(function(resolve, reject){
                 $.post(w.ajaxurl, data)
@@ -268,7 +308,8 @@
             var data = {
                 action: 'tilda_admin_update_common_settings',
                 enabledposttypes: enabledposttypes,
-                storageforfiles: $commonSettingsForm.storageforfiles.val()
+                storageforfiles: $commonSettingsForm.storageforfiles.val(),
+                t_nonce: $("#t_update_common_settings_nonce").val()
             };
 
             return new Promise(function (resolve) {

js/plugin.js

@@ -67,9 +67,10 @@
             $tilda_status.val(val);
 
             var data = {
-                'action': 'tilda_admin_switcher_status',
-                'tilda_status': val,
-                'post_id': $('#post_ID').val()
+                action: 'tilda_admin_switcher_status',
+                tilda_status: val,
+                post_id: $('#post_ID').val(),
+                t_nonce: $("#t_admin_switcher_status_nonce").val()
             };
 
             $.post('admin-ajax.php', data, function(json) {
@@ -135,6 +136,7 @@
         function tilda_export_files() {
             var data = {
                 action: 'tilda_admin_export_file',
+                t_nonce: $("#t_admin_export_file_nonce").val()
             };
 
             $.post('admin-ajax.php', data, function(json) {
@@ -173,7 +175,8 @@
                 action: 'tilda_admin_sync',
                 project_id: $project_id,
                 page_id: $page_id,
-                post_id: $post_id
+                post_id: $post_id,
+                t_nonce: $("#t_admin_sync_nonce").val()
             };
 
             $('#tilda_progress_bar').hide();

readme.txt

@@ -4,7 +4,7 @@ Donate link: https://wordpress.org/plugins/tilda-publishing/
 Tags: blog, bulk, convert, crawl, data, import, importer, migrate, move, posts, publishing, tilda, export
 Requires at least: 3.0.1
 Tested up to: 6.4.3
-Stable tag: 0.3.23
+Stable tag: 0.3.24
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -62,6 +62,9 @@ A: Please create an issue on the [GitHub page](https://github.com/TildaPublishin
 
 == Changelog ==
 
+= 0.3.24 =
+* Add nonces in admin-ajax.php
+
 = 0.3.23 =
 * Fix unicode in zero forms
 

tilda-wordpress-plugin.php

@@ -2,11 +2,13 @@
 /*
 Plugin Name: Tilda Publishing
 Description: Tilda позволяет делать яркую подачу материала, качественную верстку и эффектную типографику, близкую к журнальной. Каким бы ни был ваш контент — Tilda знает, как его показать. С чего начать: 1) Нажмите ссылку «Активировать» слева от этого описания; 2) <a href="http://www.tilda.cc/" target="_blank">Зарегистрируйтесь</a>, чтобы получить API-ключ; 3) Перейдите на страницу настройки Tilda Publishing и введите свой API-ключ. Читайте подробную инструкцию по подключению.
-Version: 0.3.23
+Version: 0.3.24
 Author: Tilda Publishing
 License: GPLv2 or later
 Text Domain: api tilda
 
+Update 0.3.24 - add nonces in admin-ajax.php
+
 Update 0.3.23 - fix unicode in zero forms
 
 Update 0.3.22 - fix cURL encoding
@@ -128,7 +130,7 @@
 	exit;
 }
 
-define( 'TILDA_VERSION', '0.3.23' );
+define( 'TILDA_VERSION', '0.3.24' );
 define( 'TILDA_MINIMUM_WP_VERSION', '3.1' );
 define( 'TILDA_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
 define( 'TILDA_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );