Use nonces in ajax calls

Author: Jacob Middag

src/class-tiny-notices.php

@@ -95,6 +95,8 @@ public function remove($name) {
     }
 
     public function dismiss() {
+        check_ajax_referer('tiny-compress');
+
         if (empty($_POST['name'])) {
             echo json_encode(false);
             exit();

src/class-tiny-plugin.php

@@ -60,8 +60,10 @@ public function enqueue_scripts($hook) {
         wp_register_script($handle, plugins_url('/scripts/admin.js', __FILE__),
             array(), self::plugin_version(), true);
 
-        wp_localize_script($handle, 'tinyCompressL10n', array(
-            'bulkAction' => self::translate('Compress all uncompressed sizes'),
+        // Wordpress < 3.3 does not handle multi dimensional arrays
+        wp_localize_script($handle, 'tinyCompress', array(
+            'nonce' => wp_create_nonce('tiny-compress'),
+            'L10nBulkAction' => self::translate('Compress all uncompressed sizes'),
         ));
         wp_enqueue_script($handle);
     }
@@ -90,15 +92,17 @@ public function compress_attachment($metadata, $attachment_id) {
     }
 
     public function compress_image() {
-        $id = $_POST['id'];
+        check_ajax_referer('tiny-compress');
+
         if (!current_user_can('upload_files')) {
             echo self::translate("You don't have permission to work with uploaded files") . '.';
             exit();
         }
-        if (!$id) {
+        if (empty($_POST['id'])) {
             echo self::translate("Not a valid media file") . '.';
             exit();
         }
+        $id = intval($_POST['id']);
         $metadata = wp_get_attachment_metadata($id);
         if (!is_array($metadata)) {
             echo self::translate("Could not find metadata of media file") . '.';

src/scripts/admin.js

@@ -6,6 +6,7 @@
     element.closest('td').find('.spinner').css('display', 'inline')
     jQuery.post(
       ajaxurl, {
+        _wpnonce: tinyCompress.nonce,
         action: 'tiny_compress_image',
         id: element.data('id') || element.attr('data-id')
       }, function (response) {
@@ -27,8 +28,8 @@
       jQuery('button.tiny-compress').attr('disabled', null)
     }
 
-    jQuery('<option>').val('tiny_bulk_compress').text(tinyCompressL10n.bulkAction).appendTo('select[name="action"]')
-    jQuery('<option>').val('tiny_bulk_compress').text(tinyCompressL10n.bulkAction).appendTo('select[name="action2"]')
+    jQuery('<option>').val('tiny_bulk_compress').text(tinyCompress.L10nBulkAction).appendTo('select[name="action"]')
+    jQuery('<option>').val('tiny_bulk_compress').text(tinyCompress.L10nBulkAction).appendTo('select[name="action2"]')
   }
 
   if (adminpage === "options-media-php") {
@@ -40,6 +41,7 @@
     element.attr('disabled', 'disabled');
     jQuery.post(
       ajaxurl, {
+        _wpnonce: tinyCompress.nonce,
         action: 'tiny_dismiss_notice',
         name: element.data('name') || element.attr('data-name')
       }, function (response) {