<?php
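// Refuse to run outside WordPress: add_action() is only defined when the file is
// loaded by the plugin host, so a direct request to this file stops here.
if ( ! function_exists( 'add_action' ) ) {
	die( "Cheatin' eh?" );
}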
/**
 * Filter callback for 'type_url_form_video': builds the "insert from URL" video form
 * shown in the poll media popup.
 *
 * The markup passed in by the filter is discarded and replaced wholesale; the result
 * contains a single required "insertonly[href]" text field, example shortcodes for
 * YouTube, Google Video and DailyMotion, and a submit button.
 *
 * Translated strings are concatenated into the output unescaped because they carry
 * their own markup (anchor tags); only the submit button label goes through esc_attr().
 * NOTE(review): the instruction links open with target="_blank" and no rel="noopener"
 * attribute — worth adding to the translatable anchor markup.
 *
 * @param string $video_form Form markup supplied by the filter; unused, the return value replaces it.
 * @return string HTML table markup for the popup.
 */
function pd_video_shortcodes_help($video_form) {
return '
<table class="describe"><tbody>
<tr>
<th valign="top" scope="row" class="label">
<span class="alignleft"><label for="insertonly[href]">' . __('URL', 'polldaddy') . '</label></span>
<span class="alignright"><abbr title="required" class="required">*</abbr></span>
</th>
<td class="field"><input type="text" id="insertonly[href]" name="insertonly[href]" value="" /></td>
</tr>
<tr>
<td colspan="2">
<p>' . __('Paste your YouTube or Google Video URL above, or use the examples below.', 'polldaddy') . '</p>
<ul class="short-code-list">
<li>' . sprintf(
/* translators: %1$s is the URL to YouTube instructions, %2$s is the example shortcode */
__('<a href="%1$s" target="_blank">YouTube instructions</a> %2$s', 'polldaddy'),
'http://support.wordpress.com/videos/youtube/',
'<code>[youtube=http://www.youtube.com/watch?v=cXXm696UbKY]</code>'
) . '</li>
<li>' . sprintf(
/* translators: %1$s is the URL to Google Video instructions, %2$s is the example shortcode */
__('<a href="%1$s" target="_blank">Google instructions</a> %2$s', 'polldaddy'),
'http://support.wordpress.com/videos/google-video/',
'<code>[googlevideo=http://video.google.com/googleplayer.swf?docId=-8459301055248673864]</code>'
) . '</li>
<li>' . sprintf(
/* translators: %1$s is the URL to DailyMotion instructions, %2$s is the example shortcode */
__('<a href="%1$s" target="_blank">DailyMotion instructions</a> %2$s', 'polldaddy'),
'http://support.wordpress.com/videos/dailymotion/',
'<code>[dailymotion id=5zYRy1JLhuGlP3BGw]</code>'
) . '</li>
</ul>
</td>
</tr>
<tr>
<td></td>
<td>
<input type="submit" class="button" name="insertonlybutton" value="' . esc_attr( __('Insert into Poll', 'polldaddy') ) . '" />
</td>
</tr>
</tbody></table>
';
}
/**
 * Filter callback for 'type_url_form_audio': builds the "insert from URL" audio form
 * shown in the poll media popup.
 *
 * The markup passed in by the filter is discarded; the result is a single required
 * "insertonly[href]" text field plus a submit button. Field labels are translated with
 * __() and inserted as-is; the submit label is passed through esc_attr().
 *
 * @param string $audio_form Form markup supplied by the filter; unused, the return value replaces it.
 * @return string HTML table markup for the popup.
 */
function pd_audio_shortcodes_help($audio_form) {
return '
<table class="describe"><tbody>
<tr>
<th valign="top" scope="row" class="label">
<span class="alignleft"><label for="insertonly[href]">' . __('Audio File URL', 'polldaddy') . '</label></span>
<span class="alignright"><abbr title="required" class="required">*</abbr></span>
</th>
<td class="field"><input id="insertonly[href]" name="insertonly[href]" value="" type="text" aria-required="true"></td>
</tr>
<tr>
<td></td>
<td>
<input type="submit" class="button" name="insertonlybutton" value="' . esc_attr( __('Insert into Poll', 'polldaddy') ) . '" />
</td>
</tr>
</tbody></table>
';
}
/**
 * Filter callback for 'type_url_form_image': builds the "insert from URL" image form
 * shown in the poll media popup.
 *
 * The markup passed in by the filter is discarded. The result has a required "src"
 * field, a required "title" field, hidden "alt"/"url"/"caption" fields, and an insert
 * button. The onblur/onclick handlers call into a JavaScript object `addExtImage`
 * that is not defined in this file — presumably the core media-popup script; verify
 * it is loaded on the pages where this filter runs.
 *
 * @param string $image_form Form markup supplied by the filter; unused, the return value replaces it.
 * @return string HTML heading and table markup for the popup.
 */
function pd_image_shortcodes_help($image_form) {
return '
<h4 class="media-sub-title">' . __('Insert an image from another web site', 'polldaddy') . '</h4>
<table class="describe"><tbody>
<tr>
<th valign="top" scope="row" class="label" style="width:130px;">
<span class="alignleft"><label for="src">' . __('Image URL', 'polldaddy') . '</label></span>
<span class="alignright"><abbr id="status_img" title="required" class="required">*</abbr></span>
</th>
<td class="field"><input id="src" name="src" value="" type="text" aria-required="true" onblur="addExtImage.getImageData()" /></td>
</tr>
<tr>
<th valign="top" scope="row" class="label">
<span class="alignleft"><label for="title">' . __('Image Title', 'polldaddy') . '</label></span>
<span class="alignright"><abbr title="required" class="required">*</abbr></span>
</th>
<td class="field"><input id="alt" name="alt" value="" type="hidden" /><input id="url" name="url" value="" type="hidden" /><input id="caption" name="caption" value="" type="hidden" /><input id="title" name="title" value="" type="text" aria-required="true" /></td>
</tr>
<tr>
<td></td>
<td>
<input type="button" value="' . esc_attr( __('Insert into Poll', 'polldaddy') ) . '" onclick="addExtImage.insert()" style="color: rgb(187, 187, 187);" id="go_button" class="button">
</td>
</tr>
</tbody></table>
';
}
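/**
 * 'admin_init' handler: attaches the poll media-popup form filters for polls_media requests.
 *
 * The filters are registered only when the request carries a polls_media parameter, runs
 * in the admin area, comes from a user who can edit posts, and presents a valid nonce for
 * the action returned by get_polls_media_nonce() (defined outside this block). Every
 * failed check returns silently so the regular media popup is left untouched.
 *
 * @return void
 */
function polldaddy_popups_init() {
	// Only process polls_media requests
	if ( ! isset( $_REQUEST['polls_media'] ) ) {
		return;
	}
	// Security checks for CSRF vulnerability (CVE-2024-43338)
	// Verify admin context
	if ( ! is_admin() ) {
		return;
	}
	// Verify user capability
	if ( ! current_user_can( 'edit_posts' ) ) {
		return;
	}
	// Verify nonce for CSRF protection. The value must be a non-empty plain string:
	// a nested request value (e.g. _wpnonce[]=...) would otherwise reach
	// wp_verify_nonce() as an array and be coerced with a warning instead of being
	// rejected outright. wp_unslash() undoes the slashes WordPress adds to request data.
	$nonce = isset( $_REQUEST['_wpnonce'] ) ? $_REQUEST['_wpnonce'] : null;
	if ( ! is_string( $nonce ) || '' === $nonce ) {
		return;
	}
	$nonce_action = get_polls_media_nonce();
	if ( ! wp_verify_nonce( wp_unslash( $nonce ), $nonce_action ) ) {
		return;
	}
	// All security checks passed, add the filters
	add_filter( 'type_url_form_video', 'pd_video_shortcodes_help' );
	add_filter( 'type_url_form_audio', 'pd_audio_shortcodes_help' );
	add_filter( 'type_url_form_image', 'pd_image_shortcodes_help' );
}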
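// Register the popup handler; it performs its own request, capability and nonce checks.
// The closing PHP tag is omitted on purpose: in a PHP-only file any whitespace after
// `?>` is sent as output and can trigger "headers already sent" errors.
add_action( 'admin_init', 'polldaddy_popups_init' );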