Don't pass along x-craft-(live-)preview params if unverified

#15605
craftcms · Aug 29, 2024 · ca91aa3 · ca91aa3
1 parent 4dc0eed
commit ca91aa3
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/CHANGELOG-WIP.md b/CHANGELOG-WIP.md
@@ -13,4 +13,5 @@
 ### System
 - MySQL mutex locks and PHP session names are now namespaced using the application ID combined with the environment name. ([#15313](https://github.com/craftcms/cms/issues/15313))
 - `x-craft-preview` and `x-craft-live-preview` params are now hashed, and `craft\web\Request::getIsPreview()` will only return `true` if the param validates. ([#15605](https://github.com/craftcms/cms/discussions/15605))
+- Generated URLs no longer include `x-craft-preview` or `x-craft-live-preview` query string params based on the requested URL, if either were set to an unverified string. ([#15605](https://github.com/craftcms/cms/discussions/15605))
 - Updated Twig to 3.12. ([#15568](https://github.com/craftcms/cms/discussions/15568))
diff --git a/src/helpers/UrlHelper.php b/src/helpers/UrlHelper.php
@@ -638,7 +638,11 @@ private static function _createUrl(
                 if ($addToken && !isset($params[$generalConfig->tokenParam]) && ($token = $request->getToken()) !== null) {
                     $params[$generalConfig->tokenParam] = $token;
                 }
-                if (!isset($params['x-craft-preview']) && !isset($params['x-craft-live-preview'])) {
+                if (
+                    !isset($params['x-craft-preview']) &&
+                    !isset($params['x-craft-live-preview']) &&
+                    $request->getIsPreview()
+                ) {
                     if (($previewToken = $request->getQueryParam('x-craft-preview')) !== null) {
                         $params['x-craft-preview'] = $previewToken;
                     } elseif (($previewToken = $request->getQueryParam('x-craft-live-preview')) !== null) {