Merge pull request #116 from brettshumaker/fix/export-nonce

Fix/export nonce

trunk/README.txt

@@ -2,9 +2,9 @@
 Contributors: brettshumaker
 Tags: staff list, staff directory, employee list, staff, employee, employees
 Requires at least: 3.0
-Tested up to: 6.3
+Tested up to: 6.3.2
 Requires PHP: 5.4
-Stable tag: 2.2.4
+Stable tag: 2.2.5
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -47,6 +47,9 @@ Alright, here's a few things to try:
 
 == Changelog ==
 
+= 2.2.5 =
+- FIXED: Added security nonces
+
 = 2.2.4 =
 - FIXED: Added additional escaping
 

trunk/admin/class-simple-staff-list-admin.php

@@ -122,11 +122,13 @@ public function enqueue_scripts() {
 	 * @since   2.0
 	 */
 	public function ajax_flush_rewrite_rules() {
+		// Check the security nonce before doing anything.
+		if ( ! isset( $_POST['security'] ) || ! wp_verify_nonce( $_POST['security'], 'sslp_flush_rewrite_rules' ) ) {
+			wp_send_json_error();
+		}
 
 		flush_rewrite_rules();
-
 		wp_send_json_success();
-
 	}
 
 	/**
@@ -626,6 +628,11 @@ public function update_staff_member_order() {
 	 */
 	public function staff_member_export() {
 
+		// Check the security nonce.
+		if ( ! isset( $_POST['security'] ) || ! wp_verify_nonce( $_POST['security'], 'sslp-export-nonce' ) ) {
+			wp_send_json_error( 'Refresh the page and try again.' );
+		}
+
 		$access_type = get_filesystem_method();
 
 		$args = array(

trunk/admin/js/simple-staff-list-admin.js

@@ -52,43 +52,41 @@
 	$( document ).ready(
 		function() {
 
-			// Export button
-			$( 'a.export-button' ).on(
-				'click', function(e){
-					e.preventDefault();
-					$( 'a.export-button' ).after( '<span class="spinner is-active" style="float:none"></span>' );
-
-					var data = {
-						'action': 'staff_member_export',
-					};
-
-					$.post(
-						ajaxurl, data, function( response ){
-
-							if ( response.success && response.data.created_file ) {
-								$( 'a.export-button + .spinner' ).fadeOut(
-									300, function(){
-										$( this ).remove();
-									}
-								);
-								window.location = response.data.url;
-							} else if ( response.success && ! response.data.created_file ) {
-								$( 'a.export-button + .spinner' ).fadeOut(
-									300, function(){
-										$( this ).remove();
-									}
-								);
-								$( 'a.export-button' ).hide().after( '<a class="button button-primary download-button" download="' + response.data.filename + '">Download</a>' );
-								$( 'a.export-button' ).remove();
-								$( 'a.download-button' ).attr( 'href', "data:text/plain," + encodeURIComponent( response.data.content ) );
-							}
+			$('#sslp-export-form').submit(function(e){
+				e.preventDefault();
 
-						}
-					);
+				$( 'input[type="submit"]' ).after( '<span class="spinner is-active" style="float:none"></span>' );
+
+				var formData = new FormData( e.target );
 
+				var data = {
+					'action': 'staff_member_export',
+					'security': formData.get( 'sslp_export_nonce' ),
 				}
-			);
 
+				$.post(
+					ajaxurl, data, function( response ){
+						$( 'input[type="submit"] + .spinner' ).fadeOut(
+							300, function(){
+								$( this ).remove();
+							}
+						);
+
+						if ( response.success && response.data.created_file ) {
+							window.location = response.data.url;
+						} else if ( response.success && ! response.data.created_file ) {
+							$( 'input[type="submit"]' ).hide().after( '<a class="button button-primary download-button" download="' + response.data.filename + '">Download</a>' );
+							$( 'input[type="submit"]' ).remove();
+							$( 'a.download-button' ).attr( 'href', "data:text/plain," + encodeURIComponent( response.data.content ) );
+						} else if ( ! response.success ) {
+							// Display the error message.
+							alert( response.data );
+						}
+
+					}
+				);
+			}
+			);
 		}
 	);
 

trunk/admin/partials/simple-staff-list-export-display.php

@@ -19,11 +19,17 @@
 
 		// Check for file access.
 		$access_type = get_filesystem_method();
-if ( 'direct' !== $access_type ) {
-	$output .= '<p>' . __( "After clicking 'Export Staff Members' a Download button will appear.", 'simple-staff-list' ) . '</p>';
-}
+		if ( 'direct' !== $access_type ) {
+			$output .= '<p>' . __( "After clicking 'Export Staff Members' a Download button will appear.", 'simple-staff-list' ) . '</p>';
+		}
+
+		// Output the form and export button.
+		$output .= '<form id="sslp-export-form" method="post" action="' . admin_url( 'admin-ajax.php' ) . '">';
+			$output .= '<input type="hidden" name="action" value="sslp_export_staff_members">';
+			$output .= '<input type="hidden" name="sslp_export_nonce" value="' . wp_create_nonce( 'sslp-export-nonce' ) . '">';
+			$output .= '<input type="submit" class="button button-primary" value="' . __( 'Export Staff Members', 'simple-staff-list' ) . '">';
+		$output .= '</form>';
 
-		$output .= '<a href="#" class="button button-primary export-button">' . __( 'Export Staff Members', 'simple-staff-list' ) . '</a>';
 	$output     .= '</div>';
 	$output     .= '<div class="sslp-sidebar sslp-column last">';
 		// Get the sidebar.

trunk/admin/partials/simple-staff-list-options-display.php

@@ -33,6 +33,7 @@
 	jQuery(document).ready(function($) {
 		var data = {
 			'action': 'sslp_flush_rewrite_rules',
+			'security': '<?php echo esc_attr( wp_create_nonce( 'sslp_flush_rewrite_rules' ) ); ?>'
 		}
 
 		$.post( "<?php echo esc_attr( admin_url( 'admin-ajax.php' ) ); ?>", data, function(response){});

trunk/includes/class-simple-staff-list.php

@@ -68,7 +68,7 @@ class Simple_Staff_List {
 	public function __construct() {
 
 		$this->plugin_name = 'simple-staff-list';
-		$this->version     = '2.2.4';
+		$this->version     = '2.2.5';
 
 		$this->load_dependencies();
 		$this->set_locale();

trunk/simple-staff-list.php

@@ -15,7 +15,7 @@
  * Plugin Name:       Simple Staff List
  * Plugin URI:        https://wordpress.org/plugins/simple-staff-list/
  * Description:       A simple plugin to build and display a staff listing for your website.
- * Version:           2.2.4
+ * Version:           2.2.5
  * Author:            Brett Shumaker
  * Author URI:        http://www.brettshumaker.com
  * License:           GPL-2.0+