bbp_verify_nonce_request( string $action = '', string $query_arg = '_wpnonce' )

Makes sure the user requested an action from another page on this site.

Description

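Verifies the nonce found in $_REQUEST and checks that the requested URL begins with the site's home URL, to avoid security exploits within the theme.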

Parameters

$action

(Optional) Nonce action to verify. The check fails when this is empty.

Default value: ''

$query_arg

(Optional) Key in $_REQUEST where the nonce is looked up.

Default value: '_wpnonce'

Source

File: bp-forums/common/functions.php

function bbp_verify_nonce_request( $action = '', $query_arg = '_wpnonce' ) {
 
    /** Home URL **************************************************************/
 
    // Parse home_url() into pieces to remove query-strings, strange characters,
    // and other funny things that plugins might do to it.
    $parsed_home = parse_url( home_url( '/', ( is_ssl() ? 'https' : 'http' ) ) );
 
    // Maybe include the port, if it's included
    if ( isset( $parsed_home['port'] ) ) {
        $parsed_host = $parsed_home['host'] . ':' . $parsed_home['port'];
    } else {
        $parsed_host = $parsed_home['host'];
    }
 
    // Set the home URL for use in comparisons
    $home_url = trim( strtolower( $parsed_home['scheme'] . '://' . $parsed_host . $parsed_home['path'] ), '/' );
 
    /** Requested URL *********************************************************/
 
    // Maybe include the port, if it's included in home_url().
    if ( isset( $parsed_home['port'] ) && false === strpos( $_SERVER['HTTP_HOST'], ':' ) ) {
        $request_host = $_SERVER['HTTP_HOST'] . ':' . $_SERVER['SERVER_PORT'];
    } else {
        $request_host = $_SERVER['HTTP_HOST'];
    }
 
    // Build the currently requested URL
    $scheme        = is_ssl() ? 'https://' : 'http://';
    $requested_url = strtolower( $scheme . $request_host . $_SERVER['REQUEST_URI'] );
 
    /** Look for match ********************************************************/
 
    // Filter the requested URL, for configurations like reverse proxying
    $matched_url = apply_filters( 'bbp_verify_nonce_request_url', $requested_url );
 
    // Check the nonce
    $result = isset( $_REQUEST[$query_arg] ) ? wp_verify_nonce( $_REQUEST[$query_arg], $action ) : false;
 
    // Nonce check failed
    if ( empty( $result ) || empty( $action ) || ( strpos( $matched_url, $home_url ) !== 0 ) ) {
        $result = false;
    }
 
    // Do extra things
    do_action( 'bbp_verify_nonce_request', $action, $result );
 
    return $result;
}
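
The following is an added usage example, not code from bbPress or from this page: a form that emits a nonce, a handler that verifies it with bbp_verify_nonce_request() before changing state, and a bbp_verify_nonce_request_url filter for a reverse-proxy setup. The names my_forum_flag, the 'my-forum-flag_' action prefix, the _my_forum_flagged meta key and the backend.internal:8080 origin are assumptions made for illustration.

```php
<?php
// Added example, not bbPress code. Assumed names: my_forum_flag,
// the 'my-forum-flag_' action prefix, and backend.internal:8080.

// 1. Emit a nonce bound to one operation on one topic.
function my_forum_flag_form( $topic_id ) {
    $topic_id = absint( $topic_id );
    echo '<form method="post">';
    echo '<input type="hidden" name="my_forum_flag" value="' . esc_attr( $topic_id ) . '" />';
    wp_nonce_field( 'my-forum-flag_' . $topic_id ); // field name defaults to _wpnonce
    echo '<button type="submit">Flag topic</button></form>';
}

// 2. Verify before changing state.
function my_forum_flag_handler() {
    if ( empty( $_POST['my_forum_flag'] ) ) {
        return;
    }
    $topic_id = absint( $_POST['my_forum_flag'] );

    // False when the nonce is missing or invalid, when the action is empty,
    // or when the requested URL does not start with the home URL.
    if ( ! bbp_verify_nonce_request( 'my-forum-flag_' . $topic_id ) ) {
        wp_die( 'Request could not be verified.', '', array( 'response' => 403 ) );
    }
    // A valid nonce shows intent, not permission: check the capability too.
    if ( ! current_user_can( 'edit_post', $topic_id ) ) {
        wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
    }
    update_post_meta( $topic_id, '_my_forum_flagged', 1 ); // hypothetical meta key
}
add_action( 'template_redirect', 'my_forum_flag_handler' );

// 3. Behind a reverse proxy the backend sees its internal host, so the
//    prefix comparison fails for every request. Map only the known hop.
function my_forum_proxy_url( $requested_url ) {
    $scheme   = is_ssl() ? 'https' : 'http'; // same scheme the function uses
    $internal = $scheme . '://backend.internal:8080/';
    if ( 0 !== strpos( $requested_url, $internal ) ) {
        return $requested_url; // unknown host: keep the check strict
    }
    // Assumes the site is installed at the domain root.
    return strtolower( home_url( '/', $scheme ) ) . substr( $requested_url, strlen( $internal ) );
}
add_filter( 'bbp_verify_nonce_request_url', 'my_forum_proxy_url' );
```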

Changelog

Version | Description
bbPress (r4022) | Introduced.
