authordonncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36>2007-05-21 18:37:58 +0000
committerdonncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36>2007-05-21 18:37:58 +0000
commit89fe0ff804e7c6497ebacc8b341ac89974f6f255 (patch)
tree3fce310b29c685008fdbb75c5ab531bc3a6ae12a /wp-admin/custom-header.php
parenta139071806ba941346a109fbefb2d5f22bae1cc4 (diff)
WP Merge to rev 5499, this is a big one! Test it before you put it live!
Test only, not for production use yet git-svn-id: http://svn.automattic.com/wordpress-mu/trunk@972 7be80a69-a1ef-0310-a953-fb0f7c49ff36
Diffstat (limited to 'wp-admin/custom-header.php')
-rw-r--r--wp-admin/custom-header.php17
1 files changed, 13 insertions, 4 deletions
diff --git a/wp-admin/custom-header.php b/wp-admin/custom-header.php
index 5daad1e..d18ed87 100644
--- a/wp-admin/custom-header.php
+++ b/wp-admin/custom-header.php
@@ -23,6 +23,7 @@ class Custom_Image_Header {
function js() {
if ( isset( $_POST['textcolor'] ) ) {
+ check_admin_referer('custom-header');
if ( 'blank' == $_POST['textcolor'] ) {
set_theme_mod('header_textcolor', 'blank');
} else {
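Review bot: The same literal nonce action `'custom-header'` is reused by every `check_admin_referer()` and `wp_nonce_field()` in this patch (here, and at L37, L55, L63, L71, L78, L93, L99), so a nonce minted for the text-colour form is equally valid for the upload, crop and reset steps; per-step actions (e.g. `'custom-header-textcolor'`, `'custom-header-step2'`) would scope each token to the form that issued it. The check is also duplicated across the two branches in `js()`; one guard ahead of both, `if ( isset($_POST['textcolor']) || isset($_POST['resetheader']) ) check_admin_referer('custom-header');`, would be simpler than two. Note that a nonce check only proves intent, not authorisation — whether this page is already gated on a capability is outside the hunk, and `js()` itself continues past the hunk.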
@@ -31,8 +32,10 @@ class Custom_Image_Header {
set_theme_mod('header_textcolor', $color);
}
}
- if ( isset($_POST['resetheader']) )
+ if ( isset($_POST['resetheader']) ) {
+ check_admin_referer('custom-header');
remove_theme_mods();
+ }
?>
<script type="text/javascript">
@@ -157,7 +160,7 @@ Event.observe( window, 'load', hide_text );
<h2><?php _e('Your Header Image'); ?></h2>
<p><?php _e('This is your header image. You can change the text color or upload and crop a new image.'); ?></p>
-<div id="headimg" style="background: url(<?php header_image() ?>) no-repeat;">
+<div id="headimg" style="background: url(<?php clean_url(header_image()) ?>) no-repeat;">
<h1><a onclick="return false;" href="<?php bloginfo('url'); ?>" title="<?php bloginfo('name'); ?>" id="name"><?php bloginfo('name'); ?></a></h1>
<div id="desc"><?php bloginfo('description');?></div>
</div>
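Review bot: The new `clean_url(header_image())` on the `+` line is a no-op: the original `<?php header_image() ?>` printed the URL with no `echo`, so `header_image()` must echo internally and return nothing, meaning the raw value is still written to the page while `clean_url()`'s result is discarded. The value-returning variant is needed together with an echo, `style="background: url(<?php echo clean_url(get_header_image()) ?>) no-repeat;"`. The `+` line at L56 has the same shape and needs `value="#<?php echo attribute_escape(get_header_textcolor()) ?>"` for the same reason. Separately, this value lands inside a CSS `url()` token rather than a plain attribute; as far as I recall `clean_url()` leaves `(`, `)` and `'` intact, so a stricter check (e.g. rejecting anything with parentheses or quotes before output) is worth adding here.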
@@ -165,7 +168,8 @@ Event.observe( window, 'load', hide_text );
<form method="post" action="<?php echo get_option('siteurl') ?>/wp-admin/themes.php?page=custom-header&amp;updated=true">
<input type="button" value="<?php _e('Hide Text'); ?>" onclick="hide_text()" id="hidetext" />
<input type="button" value="<?php _e('Select a Text Color'); ?>" onclick="colorSelect($('textcolor'), 'pickcolor')" id="pickcolor" /><input type="button" value="<?php _e('Use Original Color'); ?>" onclick="colorDefault()" id="defaultcolor" />
-<input type="hidden" name="textcolor" id="textcolor" value="#<?php header_textcolor() ?>" /><input name="submit" type="submit" value="<?php _e('Save Changes'); ?> &raquo;" /></form>
+<?php wp_nonce_field('custom-header') ?>
+<input type="hidden" name="textcolor" id="textcolor" value="#<?php attribute_escape(header_textcolor()) ?>" /><input name="submit" type="submit" value="<?php _e('Save Changes'); ?> &raquo;" /></form>
<?php } ?>
<div id="colorPickerDiv" style="z-index: 100;background:#eee;border:1px solid #ccc;position:absolute;visibility:hidden;"> </div>
@@ -177,6 +181,7 @@ Event.observe( window, 'load', hide_text );
<form enctype="multipart/form-data" id="uploadForm" method="POST" action="<?php echo attribute_escape(add_query_arg('step', 2)) ?>" style="margin: auto; width: 50%;">
<label for="upload"><?php _e('Choose an image from your computer:'); ?></label><br /><input type="file" id="upload" name="import" />
<input type="hidden" name="action" value="save" />
+<?php wp_nonce_field('custom-header') ?>
<p class="submit">
<input type="submit" value="<?php _e('Upload'); ?> &raquo;" />
</p>
@@ -189,6 +194,7 @@ Event.observe( window, 'load', hide_text );
<h2><?php _e('Reset Header Image and Color'); ?></h2>
<p><?php _e('This will restore the original header image and color. You will not be able to retrieve any customizations.') ?></p>
<form method="post" action="<?php echo attribute_escape(add_query_arg('step', 1)) ?>">
+<?php wp_nonce_field('custom-header'); ?>
<input type="submit" name="resetheader" value="<?php _e('Restore Original Header'); ?>" />
</form>
</div>
@@ -197,6 +203,7 @@ Event.observe( window, 'load', hide_text );
}
function step_2() {
+ check_admin_referer('custom-header');
$overrides = array('test_form' => false);
$file = wp_handle_upload($_FILES['import'], $overrides);
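Review bot: With `$overrides = array('test_form' => false)` on the next line, `wp_handle_upload()`'s own form-origin check is switched off, so the `check_admin_referer('custom-header')` added here is the sole CSRF guard for the upload; that dependency deserves a comment so nobody later moves or removes the nonce check thinking the upload helper still protects it, e.g. `// nonce is the only CSRF check here: test_form is disabled in $overrides below`. `$_FILES['import']` is also read without an `isset()` guard, so a POST that passes the nonce but carries no file hands `null` to the helper; `if ( empty($_FILES['import']) ) wp_die(__('No file was uploaded.'));` before the call would make that explicit. `step_2()` continues beyond the hunk.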
@@ -222,7 +229,7 @@ Event.observe( window, 'load', hide_text );
list($width, $height, $type, $attr) = getimagesize( $file );
if ( $width == HEADER_IMAGE_WIDTH && $height == HEADER_IMAGE_HEIGHT ) {
- set_theme_mod('header_image', $url);
+ set_theme_mod('header_image', clean_url($url));
$header = apply_filters('wp_create_file_in_uploads', $file, $id); // For replication
return $this->finished();
} elseif ( $width > HEADER_IMAGE_WIDTH ) {
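Review bot: Wrapping the stored value in `clean_url()` mixes output escaping into the persistence layer: as far as I recall `clean_url()` entity-encodes `&` as `&#038;`, so the option now holds HTML-escaped text that L46 escapes a second time on output. The cleaner split is to validate on store and escape on render — keep `set_theme_mod('header_image', $url);` here and rely on the output escaping, or, if the intent is to sanitise the stored URL, apply a check that does not entity-encode. Where `$url` is assigned is above the hunk, so I cannot tell whether it is already derived from `wp_handle_upload()`'s result rather than request input; if it is, the escaping here buys little.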
@@ -256,6 +263,7 @@ Event.observe( window, 'load', hide_text );
<input type="hidden" name="height" id="height" />
<input type="hidden" name="attachment_id" id="attachment_id" value="<?php echo $id; ?>" />
<input type="hidden" name="oitar" id="oitar" value="<?php echo $oitar; ?>" />
+<?php wp_nonce_field('custom-header') ?>
<input type="submit" value="<?php _e('Crop Header &raquo;'); ?>" />
</p>
@@ -265,6 +273,7 @@ Event.observe( window, 'load', hide_text );
}
function step_3() {
+ check_admin_referer('custom-header');
if ( $_POST['oitar'] > 1 ) {
$_POST['x1'] = $_POST['x1'] * $_POST['oitar'];
$_POST['y1'] = $_POST['y1'] * $_POST['oitar'];