Add nonce for widget accessibility mode.

aaroncampbell · aaroncampbell · commit 285b04d73894 · 2017-01-11T01:51:16.000Z
Props vortfu. See #23328. Merges [39765] to 3.9 branch. git-svn-id: https://develop.svn.wordpress.org/branches/3.9@39769 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-admin/includes/screen.php b/src/wp-admin/includes/screen.php
@@ -969,7 +969,8 @@ public function show_screen_options() {
 
 		switch ( $this->id ) {
 			case 'widgets':
-				$this->_screen_settings = '<p><a id="access-on" href="widgets.php?widgets-access=on">' . __('Enable accessibility mode') . '</a><a id="access-off" href="widgets.php?widgets-access=off">' . __('Disable accessibility mode') . "</a></p>\n";
+				$nonce = wp_create_nonce( 'widgets-access' );
+				$this->_screen_settings = '<p><a id="access-on" href="widgets.php?widgets-access=on&_wpnonce=' . urlencode( $nonce ) . '">' . __('Enable accessibility mode') . '</a><a id="access-off" href="widgets.php?widgets-access=off&_wpnonce=' . urlencode( $nonce ) . '">' . __('Disable accessibility mode') . "</a></p>\n";
 				break;
 			default:
 				$this->_screen_settings = '';
diff --git a/src/wp-admin/widgets.php b/src/wp-admin/widgets.php
@@ -17,6 +17,8 @@
 
 $widgets_access = get_user_setting( 'widgets_access' );
 if ( isset($_GET['widgets-access']) ) {
+	check_admin_referer( 'widgets-access' );
+
 	$widgets_access = 'on' == $_GET['widgets-access'] ? 'on' : 'off';
 	set_user_setting( 'widgets_access', $widgets_access );
 }

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,8 @@`
`17`	`17`
`18`	`18`	`$widgets_access = get_user_setting( 'widgets_access' );`
`19`	`19`	`if ( isset($_GET['widgets-access']) ) {`
	`20`	`+ check_admin_referer( 'widgets-access' );`
	`21`	`+`
`20`	`22`	`$widgets_access = 'on' == $_GET['widgets-access'] ? 'on' : 'off';`
`21`	`23`	`set_user_setting( 'widgets_access', $widgets_access );`
`22`	`24`	`}`