Theme Customizer: Add a signature to preview requests to be super-double-ultra-sure that the customizer generated the preview. Redirects can be sneaky. fixes #20507, see #19910.
git-svn-id: http://core.svn.wordpress.org/trunk@20925 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
ea95fd213b
commit
e178acf108
@ -264,6 +264,7 @@ final class WP_Customize_Manager {
|
||||
wp_enqueue_script( 'customize-preview' );
|
||||
add_action( 'wp_head', array( $this, 'customize_preview_base' ) );
|
||||
add_action( 'wp_footer', array( $this, 'customize_preview_settings' ), 20 );
|
||||
add_action( 'shutdown', array( $this, 'customize_preview_signature' ), 1000 );
|
||||
|
||||
foreach ( $this->settings as $setting ) {
|
||||
$setting->preview();
|
||||
@ -302,6 +303,15 @@ final class WP_Customize_Manager {
|
||||
<?php
|
||||
}
|
||||
|
||||
/**
|
||||
* Prints a signature so we can ensure the customizer was properly executed.
|
||||
*
|
||||
* @since 3.4.0
|
||||
*/
|
||||
public function customize_preview_signature() {
|
||||
echo 'WP_CUSTOMIZER_SIGNATURE';
|
||||
}
|
||||
|
||||
/**
|
||||
* Is it a theme preview?
|
||||
*
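Review bot: The docblock on `customize_preview_signature` should state what the marker actually proves: it is a fixed, publicly known string rather than a secret or cryptographic signature, so it only tells the preview loader that the customizer's `shutdown` hook ran on the response it received (i.e. the request was not redirected to a page outside the customizer), and it cannot distinguish a genuine preview from any other response that happens to contain the literal. Suggested wording: `* Prints a fixed marker at shutdown so the preview loader can verify the response was rendered through customize_preview_init(). Not a secret: it guards against redirects, not forged responses; the loader strips it before rendering.` The same literal is repeated by hand in the JavaScript (`signature = 'WP_CUSTOMIZER_SIGNATURE'`), so editing one side silently breaks the check; a comment on each side naming its counterpart, or defining the value once as a class constant that is handed to the script, would make that coupling visible.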
|
||||
|
@ -405,7 +405,9 @@
|
||||
data: this.query() || {},
|
||||
success: function( response ) {
|
||||
var iframe = self.loader()[0].contentWindow,
|
||||
location = self.request.getResponseHeader('Location');
|
||||
location = self.request.getResponseHeader('Location'),
|
||||
signature = 'WP_CUSTOMIZER_SIGNATURE',
|
||||
index;
|
||||
|
||||
// Check if the location response header differs from the current URL.
|
||||
// If so, the request was redirected; try loading the requested page.
|
||||
@ -414,6 +416,14 @@
|
||||
return;
|
||||
}
|
||||
|
||||
// Check for a signature in the request.
|
||||
index = response.lastIndexOf( signature );
|
||||
if ( -1 === index || index < response.lastIndexOf('</html>') )
|
||||
return;
|
||||
|
||||
// Strip the signature from the request.
|
||||
response = response.slice( 0, index ) + response.slice( index + signature.length );
|
||||
|
||||
self.loader().one( 'load', self.loaded );
|
||||
|
||||
iframe.document.open();
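Review bot: The bail-out at `if ( -1 === index || index < response.lastIndexOf('</html>') ) return;` is silent: when the marker is missing the handler returns before `self.loaded` is bound and before `iframe.document.open()`, so a rejected response leaves the iframe untouched and gives the caller no signal, which makes a misconfigured theme look like a hang rather than a refused preview. At minimum add a comment saying this is deliberate, e.g. `// No marker after the closing tag: the response did not pass through the customizer (redirect or non-customizer page), so refuse to render it.` Note also that `lastIndexOf('</html>')` is case-sensitive, so a theme emitting `</HTML>` is rejected as well; if that is not intended, compare against a lower-cased copy or drop the tag check and rely on the marker alone. The enclosing `success` callback starts in the previous hunk and continues past the end of this one.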
|
||||
|