More secure nonce

Automattic · Dec 19, 2024 · 094a30d · 094a30d
1 parent 83c66fd
commit 094a30d
Showing 1 changed file with 14 additions and 21 deletions.
diff --git a/projects/packages/jetpack-mu-wpcom/src/features/post-categories/quick-actions.php b/projects/packages/jetpack-mu-wpcom/src/features/post-categories/quick-actions.php
@@ -23,15 +23,12 @@ function wpcom_add_set_default_category_quick_action( $actions, $category ) {
 		return $actions;
 	}
 
-	$link = add_query_arg(
-		array(
-			'category' => $category->term_id,
-			'action'   => 'wpcom-set-default-category',
-		)
-	);
-	$link = wp_nonce_url( $link, 'wpcom-set-default-category' );
+	$action = 'set-default';
+
+	$link = add_query_arg( array( $action => $category->term_id ) );
+	$link = wp_nonce_url( $link, $action . '_' . $category->term_id );
 
-	$actions['set-default'] = sprintf(
+	$actions[ $action ] = sprintf(
 		'<a href="%1$s" aria-label="%2$s">%3$s</a>',
 		esc_url( $link ),
 		/* translators: category name */
@@ -46,37 +43,33 @@ function wpcom_add_set_default_category_quick_action( $actions, $category ) {
  * Changes the default post category.
  */
 function wpcom_set_default_category() {
-	if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'wpcom-set-default-category' ) ) {
+	if ( ! isset( $_GET['taxonomy'] ) || 'category' !== sanitize_text_field( wp_unslash( $_GET['taxonomy'] ) ) ) {
 		return;
 	}
 
 	if ( ! current_user_can( 'manage_options' ) ) {
 		return;
 	}
 
-	if ( ! isset( $_GET['taxonomy'] ) || 'category' !== sanitize_text_field( wp_unslash( $_GET['taxonomy'] ) ) ) {
-		return;
-	}
+	$action = 'set-default';
 
-	if ( ! isset( $_GET['action'] ) || 'wpcom-set-default-category' !== sanitize_text_field( wp_unslash( $_GET['action'] ) ) ) {
+	if ( ! isset( $_GET[ $action ] ) ) {
 		return;
 	}
 
-	if ( ! isset( $_GET['category'] ) ) {
+	$category_id = sanitize_text_field( wp_unslash( $_GET[ $action ] ) );
+	if ( ! is_numeric( $category_id ) ) {
 		return;
 	}
 
-	$new_default_category_id = sanitize_text_field( wp_unslash( $_GET['category'] ) );
-	if ( ! is_numeric( $new_default_category_id ) ) {
-		return;
-	}
+	check_admin_referer( $action . '_' . $category_id );
 
-	$new_default_category = get_category( (int) $new_default_category_id );
-	if ( is_wp_error( $new_default_category ) || ! $new_default_category ) {
+	$category = get_category( (int) $category_id );
+	if ( is_wp_error( $category ) || ! $category ) {
 		return;
 	}
 
-	update_option( 'default_category', $new_default_category->term_id );
+	update_option( 'default_category', $category->term_id );
 
 	add_action(
 		'admin_notices',