From 309a45fb2a22778eeb704ebb1cb1f4223296de72 Mon Sep 17 00:00:00 2001 From: Harald Eilertsen Date: Fri, 17 Sep 2021 17:04:58 +0200 Subject: Add CSRF checks to new venue form --- includes/admin/views/_new_venue_form.php | 1 + includes/admin/views/giglog_admin_page.php | 7 +++++++ 2 files changed, 8 insertions(+) (limited to 'includes/admin') diff --git a/includes/admin/views/_new_venue_form.php b/includes/admin/views/_new_venue_form.php index d17f5e0..13d70f6 100644 --- a/includes/admin/views/_new_venue_form.php +++ b/includes/admin/views/_new_venue_form.php @@ -15,6 +15,7 @@ if ( !class_exists( "GiglogAdmin_NewVenueForm" ) ) . '

VENUE DETAILS

' . '
' . '
' + . wp_nonce_field( plugin_basename( __FILE__ ), 'giglog_new_venue_nonce' ) . '
' . ' ' . ' ' diff --git a/includes/admin/views/giglog_admin_page.php b/includes/admin/views/giglog_admin_page.php index b7f6247..13c08b9 100644 --- a/includes/admin/views/giglog_admin_page.php +++ b/includes/admin/views/giglog_admin_page.php @@ -167,6 +167,13 @@ if ( !class_exists( 'GiglogAdmin_AdminPage' ) ) { if(isset($_POST['newvenue'])) { + if (!isset($_POST['giglog_new_venue_nonce']) + || wp_verify_nonce($_POST['giglog_new_venue_nonce'], plugin_basename( __FILE__ ))) + { + header("{$_SERVER['SERVER_PROTOCOL']} 403 Forbidden"); + wp_die('CSRF validation failed.', 403); + } + if (empty($_POST['venuename']) || empty($_POST['venuecity'])) { echo ''; } -- cgit v1.2.3