Verify nonce manually before using $_POST variables

Automattic · Jun 27, 2024 · 03e8cae · 03e8cae
1 parent 7436861
commit 03e8cae
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/modules/custom-status/custom-status.php b/modules/custom-status/custom-status.php
@@ -1253,8 +1253,15 @@ public function print_configure_view() {
 					'term-id' => $term_id,
 				] );
 
-				$name        = ( isset( $_POST['name'] ) ) ? stripslashes( $_POST['name'] ) : $custom_status->name;
-				$description = ( isset( $_POST['description'] ) ) ? strip_tags( stripslashes( $_POST['description'] ) ) : $custom_status->description;
+				$name        = $custom_status->name;
+				$description = $custom_status->description;
+
+				$is_nonce_valid = isset( $_POST['_wpnonce'] ) && wp_verify_nonce( wp_strip_all_tags( $_POST['_wpnonce'] ), 'edit-status' );
+
+				if ( $is_nonce_valid ) {
+					$name        = ( isset( $_POST['name'] ) ) ? wp_strip_all_tags( $_POST['name'] ) : $custom_status->name;
+					$description = ( isset( $_POST['description'] ) ) ? wp_strip_all_tags( $_POST['description'] ) : $custom_status->description;
+				}
 
 				include __DIR__ . '/views/edit-status.php';
 			} else {

diff --git a/modules/custom-status/views/edit-status.php b/modules/custom-status/views/edit-status.php
@@ -7,6 +7,7 @@
 ?>
 
 <div id="ajax-response"></div>
+
 <form method="post" action="<?php echo esc_url( $edit_status_link ); ?>" >
 	<input type="hidden" name="term-id" value="<?php echo esc_attr( $term_id ); ?>" />