Implement nonce verification for Ajax calls

rtCamp · Feb 21, 2024 · c383f14 · c383f14
1 parent 0065784
commit c383f14
Show file tree

Hide file tree

Showing 5 changed files with 13,529 additions and 2 deletions.
diff --git a/admin/js/build/rt-transcoder-block-editor-support.build.js b/admin/js/build/rt-transcoder-block-editor-support.build.js
diff --git a/admin/js/rt-transcoder-admin.js b/admin/js/rt-transcoder-admin.js
@@ -45,7 +45,8 @@
 					if ( confirm( rt_transcoder_script.disable_encoding ) ) {
 
 						var data = {
-							action: 'rt_disable_transcoding'
+							action: 'rt_disable_transcoding',
+							security: rt_transcoder_script.security_nonce
 						};
 
 						if ( $( this ).next( 'img' ).length === 0 ) {

diff --git a/admin/rt-transcoder-admin.php b/admin/rt-transcoder-admin.php
@@ -202,6 +202,7 @@ public function enqueue_scripts_styles() {
 			'enable_encoding'      => esc_html__( 'Are you sure you want to enable the transcoding service?', 'transcoder' ),
 			'something_went_wrong' => esc_html__( 'Something went wrong. Please ', 'transcoder' ) . '<a href onclick="location.reload();">' . esc_html__( 'refresh', 'transcoder' ) . '</a>' . esc_html__( ' page.', 'transcoder' ),
 			'error_empty_key'      => esc_html__( 'Please enter the license key.', 'transcoder' ),
+			'security_nonce'       => esc_js( wp_create_nonce( 'check-transcoder-ajax-nonce' ) )
 		);
 
 		wp_localize_script( 'rt-transcoder-main', 'rt_transcoder_script', $localize_script_data );

diff --git a/admin/rt-transcoder-handler.php b/admin/rt-transcoder-handler.php
@@ -1269,6 +1269,7 @@ public function handle_callback() {
 	 * @since 1.0.0
 	 */
 	public function hide_transcoding_notice() {
+		check_ajax_referer( 'check-transcoder-ajax-nonce', 'security', true );
 		update_site_option( 'rt-transcoding-service-notice', true );
 		update_site_option( 'rt-transcoding-expansion-notice', true );
 		echo true;
@@ -1281,6 +1282,7 @@ public function hide_transcoding_notice() {
 	 * @since 1.0
 	 */
 	public function enter_api_key() {
+		check_ajax_referer( 'check-transcoder-ajax-nonce', 'security', true );
 		$apikey = transcoder_filter_input( INPUT_GET, 'apikey', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
 		if ( ! empty( $apikey ) ) {
 			echo wp_json_encode( array( 'apikey' => $apikey ) );
@@ -1296,6 +1298,7 @@ public function enter_api_key() {
 	 * @since 1.0.0
 	 */
 	public function disable_transcoding() {
+		check_ajax_referer( 'check-transcoder-ajax-nonce', 'security', true );
 		update_site_option( 'rt-transcoding-api-key', '' );
 		esc_html_e( 'Transcoding disabled successfully.', 'transcoder' );
 		die();
@@ -1307,6 +1310,7 @@ public function disable_transcoding() {
 	 * @since 1.0.0
 	 */
 	public function enable_transcoding() {
+		check_ajax_referer( 'check-transcoder-ajax-nonce', 'security', true );
 		update_site_option( 'rt-transcoding-api-key', $this->stored_api_key );
 		esc_html_e( 'Transcoding enabled successfully.', 'transcoder' );
 		die();