Changeset 3436734
- Timestamp:
- 01/10/2026 05:10:35 PM (3 months ago)
- Location:
- gmap-embed
- Files:
-
- 4 edited
-
tags/1.9.4/includes/Classes/Bootstrap.php (modified) (2 diffs)
-
tags/1.9.4/includes/Traits/MarkerCRUD.php (modified) (2 diffs)
-
trunk/includes/Classes/Bootstrap.php (modified) (2 diffs)
-
trunk/includes/traits/MarkerCRUD.php (modified) (2 diffs)
gmap-embed/tags/1.9.4/includes/Classes/Bootstrap.php
r3434674 r3436734 158 158 $nonce_action = $action; 159 159 160 // Special handling for wpgmapembed_p_get_markers_by_map_id nonce 160 // Special handling for wpgmapembed_p_get_markers_by_map_id nonce (Cache compatibility) 161 161 if ($action === 'wpgmapembed_p_get_markers_by_map_id') { 162 $ nonce_field = '_wgm_p_nonce';163 $nonce_action = 'wgm_marker_render';162 $this->$method(); 163 return; 164 164 } 165 165 … … 187 187 // For nopriv actions, only allow safe ones 188 188 add_action('wp_ajax_nopriv_wpgmapembed_p_get_markers_by_map_id', function () { 189 $nonce = isset($_REQUEST['_wgm_p_nonce']) ? sanitize_text_field(wp_unslash($_REQUEST['_wgm_p_nonce'])) : '';190 if (empty($nonce) || !wp_verify_nonce($nonce, 'wgm_marker_render')) {191 wp_send_json_error(['message' => esc_html__('Invalid nonce.', 'gmap-embed')], 403);192 }193 189 $this->p_get_markers_by_map_id(); 194 190 }); -
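Review bot: After this change no nonce is checked at the dispatch layer for `wpgmapembed_p_get_markers_by_map_id`: the special-case branch now calls `$this->$method(); return;` before the generic `$nonce_field`/`$nonce_action` verification runs, and the `wp_ajax_nopriv_` closure in the second hunk drops its own `wp_verify_nonce` call and 403 response, so the only remaining gate is whatever `p_get_markers_by_map_id()` itself enforces. The replacement comment `(Cache compatibility)` does not record that, and a later reader of this dispatcher will not see that the check was deliberately moved rather than lost; I would write `// Nonce verification is intentionally deferred to p_get_markers_by_map_id(), which accepts either a valid nonce or a publicly readable map ID (cache-friendly read path)` above the branch, and the same one-line comment inside the nopriv closure. The enclosing method starts and ends outside both hunks, so I cannot see whether any capability check still applies to the logged-in `wp_ajax_` registration of this action. The identical change in gmap-embed/trunk/includes/Classes/Bootstrap.php has the same gap.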
gmap-embed/tags/1.9.4/includes/Traits/MarkerCRUD.php
r3434674 r3436734 400 400 public function p_get_markers_by_map_id() 401 401 { 402 403 global $wpdb; 404 // Nonce verification 405 if ( 406 !isset($_POST['_wgm_p_nonce']) || 407 !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['_wgm_p_nonce'])), 'wgm_marker_render') 408 ) { 402 global $wpdb; 403 404 $map_id = isset($_POST['data']['map_id']) ? intval(sanitize_text_field(wp_unslash($_POST['data']['map_id']))) : 0; 405 $nonce = isset($_POST['_wgm_p_nonce']) ? sanitize_text_field(wp_unslash($_POST['_wgm_p_nonce'])) : ''; 406 407 /** 408 * Technical Solution for Cache Plugins (e.g. LiteSpeed): 409 * 410 * Nonces are incompatible with heavy caching because they expire while the page remains cached. 411 * For "Read" actions like fetching markers, we allow the request if: 412 * 1. A valid nonce is provided. 413 * 2. OR the Map ID corresponds to a valid 'wpgmapembed' post. 414 */ 415 $is_valid_nonce = !empty($nonce) && wp_verify_nonce($nonce, 'wgm_marker_render'); 416 $is_valid_map = ($map_id > 0 && get_post_type($map_id) === 'wpgmapembed'); 417 418 if (!$is_valid_nonce && !$is_valid_map) { 409 419 $return_array = array( 410 420 'responseCode' => 0, 411 'message' => esc_html__('Invalid request. Please reload and try again.', 'gmap-embed'),421 'message' => esc_html__('Invalid request or Map ID.', 'gmap-embed'), 412 422 ); 413 423 echo wp_json_encode($return_array); … … 415 425 } 416 426 417 $map_id = isset($_POST['data']['map_id']) ? intval(sanitize_text_field(wp_unslash($_POST['data']['map_id']))) : 0;418 427 $filtered_map_markers = array(); 419 428 -
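Review bot: The new fallback `$is_valid_map = ($map_id > 0 && get_post_type($map_id) === 'wpgmapembed');` checks only the post type, not the post's status or visibility, and this handler is also registered on the unauthenticated `wp_ajax_nopriv_` hook, so markers of draft, private, pending or trashed maps become readable to anyone who supplies that map's ID without a nonce. Since the nonce path is now optional, the map-ID path is the real access control and should mirror what the front end would show; I would tighten it to `$is_valid_map = ($map_id > 0 && get_post_type($map_id) === 'wpgmapembed' && get_post_status($map_id) === 'publish');`. The block comment should also state plainly that this makes the endpoint a public read for published maps and that the nonce no longer adds protection on that path, so nobody later relies on it as CSRF coverage. The function body continues past the hunk (the `exit` after `wp_json_encode` and the marker query are not visible here), and gmap-embed/trunk/includes/traits/MarkerCRUD.php carries the same change and needs the same fix.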
gmap-embed/trunk/includes/Classes/Bootstrap.php
r3434674 r3436734 158 158 $nonce_action = $action; 159 159 160 // Special handling for wpgmapembed_p_get_markers_by_map_id nonce 160 // Special handling for wpgmapembed_p_get_markers_by_map_id nonce (Cache compatibility) 161 161 if ($action === 'wpgmapembed_p_get_markers_by_map_id') { 162 $ nonce_field = '_wgm_p_nonce';163 $nonce_action = 'wgm_marker_render';162 $this->$method(); 163 return; 164 164 } 165 165 … … 187 187 // For nopriv actions, only allow safe ones 188 188 add_action('wp_ajax_nopriv_wpgmapembed_p_get_markers_by_map_id', function () { 189 $nonce = isset($_REQUEST['_wgm_p_nonce']) ? sanitize_text_field(wp_unslash($_REQUEST['_wgm_p_nonce'])) : '';190 if (empty($nonce) || !wp_verify_nonce($nonce, 'wgm_marker_render')) {191 wp_send_json_error(['message' => esc_html__('Invalid nonce.', 'gmap-embed')], 403);192 }193 189 $this->p_get_markers_by_map_id(); 194 190 }); -
gmap-embed/trunk/includes/traits/MarkerCRUD.php
r3434674 r3436734 400 400 public function p_get_markers_by_map_id() 401 401 { 402 403 global $wpdb; 404 // Nonce verification 405 if ( 406 !isset($_POST['_wgm_p_nonce']) || 407 !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['_wgm_p_nonce'])), 'wgm_marker_render') 408 ) { 402 global $wpdb; 403 404 $map_id = isset($_POST['data']['map_id']) ? intval(sanitize_text_field(wp_unslash($_POST['data']['map_id']))) : 0; 405 $nonce = isset($_POST['_wgm_p_nonce']) ? sanitize_text_field(wp_unslash($_POST['_wgm_p_nonce'])) : ''; 406 407 /** 408 * Technical Solution for Cache Plugins (e.g. LiteSpeed): 409 * 410 * Nonces are incompatible with heavy caching because they expire while the page remains cached. 411 * For "Read" actions like fetching markers, we allow the request if: 412 * 1. A valid nonce is provided. 413 * 2. OR the Map ID corresponds to a valid 'wpgmapembed' post. 414 */ 415 $is_valid_nonce = !empty($nonce) && wp_verify_nonce($nonce, 'wgm_marker_render'); 416 $is_valid_map = ($map_id > 0 && get_post_type($map_id) === 'wpgmapembed'); 417 418 if (!$is_valid_nonce && !$is_valid_map) { 409 419 $return_array = array( 410 420 'responseCode' => 0, 411 'message' => esc_html__('Invalid request. Please reload and try again.', 'gmap-embed'),421 'message' => esc_html__('Invalid request or Map ID.', 'gmap-embed'), 412 422 ); 413 423 echo wp_json_encode($return_array); … … 415 425 } 416 426 417 $map_id = isset($_POST['data']['map_id']) ? intval(sanitize_text_field(wp_unslash($_POST['data']['map_id']))) : 0;418 427 $filtered_map_markers = array(); 419 428