Ask your WordPress questions! Pay money and get answers fast! (more info)

Add WP NONCE Inside Plugin Option Page WordPress

I have very simple plugin options page. Somebody told me this admin options page is insecure and vulnerable XSS Attacks. He told me to add <strong>wordpress nonce</strong>, where I should put it? and how to make sure wordpress nonce works to prevent XSS Attacks?

<?php

/*
|--------------------------------------------------------------------------
| Sanitize and validate input.
|--------------------------------------------------------------------------
*/
function mmdia_validate_options($input) {
// strip html from textboxes
$input['text'] = wp_filter_nohtml_kses($input['text']);
$input['textarea'] = wp_filter_nohtml_kses($input['textarea']);
return $input;
}

function register_easy_setting() {
register_setting( 'e_options_group', 'media_opt', 'mmdia_validate_options' );
}
add_action( 'admin_init', 'register_easy_setting' );


/*
|--------------------------------------------------------------------------
| Update / Reset Options
|--------------------------------------------------------------------------
*/
function spgadmin() {
global $plugprefix, $opt;

if ( is_admin() && ( isset( $_GET['page'] ) == 'page_settings' ) && ( isset( $_GET['post_type'] ) == 'galleria' ) ){

if ( isset( $_REQUEST['action'] ) && 'save' == $_REQUEST['action'] ) {
$curtosv = get_option( 'media_opt' );
foreach ( $opt as $val ) {
$curtosv[ $val['id'] ] = $_REQUEST[ $val['id'] ];
update_option( 'media_opt', $curtosv ); }
header("Location: edit.php?post_type=galleria&page=page_settings&saved=true");
die;
}

else if ( isset( $_REQUEST['action'] ) && 'reset' == $_REQUEST['action'] ) {
restore_to_default($_REQUEST['action']);
header("Location: edit.php?post_type=galleria&page=page_settings&reset=true");
die;
}
}


add_submenu_page(
'edit.php?post_type=galleria',
__('Settings', 'mmdia' ),
__( 'Settings', 'mmdia' ),
'manage_options',
'page_settings',
'e_generate_form'
);

}


/*
|--------------------------------------------------------------------------
| ENQUEUE SCRIPTS/STYLES
|--------------------------------------------------------------------------
*/
if ( is_admin() && ( isset( $_GET['page'] ) == 'page_settings' ) && ( isset( $_GET['post_type'] ) == 'galleria' ) ){

add_action( 'admin_enqueue_scripts', 'e_cp_script' );

function e_cp_script() {
wp_enqueue_script( 'jquery-ui-core' );
wp_enqueue_script( 'jquery-ui-widget' );
wp_enqueue_script( 'jquery-ui-mouse' );
}
}


/*
|--------------------------------------------------------------------------
| MAIN FORM
|--------------------------------------------------------------------------
*/
function e_generate_form() {
global $plugprefix, $opt;
$i=0;

?>

<div id="main">
<form method="post">

<div class="sps_wrap">
<div class="sps_opts">


<?php settings_fields('e_options_group'); ?>

<?php foreach ( $opt as $val ) {
switch ( $val['type'] ) {
case "open":
?>
<?php break;
case "close":
?>

</div>
</div>
<br />


<?php break;
case 'text':
?>

<div class="sps_input sps_text">
<label for="<?php echo $val['id']; ?>"><?php echo $val['name']; ?></label>
<input name="<?php echo $val['id']; ?>" id="<?php echo $val['id']; ?>" type="<?php echo $val['type']; ?>" value="<?php if ( e_get_option( $val['id'] ) != "") { echo stripslashes( e_get_option( $val['id'] ) ); } else { echo $val['std']; } ?>" />
<small><?php echo $val['desc']; ?></small><div class="clearfix"></div>

</div>
<?php
break;



case 'textarea':
?>

<div class="sps_input sps_textarea">
<label for="<?php echo $val['id']; ?>"><?php echo $val['name']; ?></label>
<textarea style="vertical-align:top !important;" name="<?php echo $val['id']; ?>" type="<?php echo $val['type']; ?>" cols="" rows=""><?php if ( e_get_option( $val['id'] ) != "") { echo stripslashes(e_get_option( $val['id'] ) ); } else { echo $val['std']; } ?></textarea>
<small><?php echo $val['desc']; ?></small><div class="clearfix"></div>

</div>

<?php
break;


case 'select':
?>

<div class="sps_input sps_select">
<label for="<?php echo $val['id']; ?>"><?php echo $val['name']; ?></label>

<select name="<?php echo $val['id']; ?>" id="<?php echo $val['id']; ?>">
<?php foreach ( $val['options'] as $option ) { ?>
<option <?php if ( e_get_option( $val['id'] ) == $option) { echo 'selected="selected"'; } ?>><?php echo $option; ?></option><?php } ?>
</select>

<small><?php echo $val['desc']; ?></small><div class="clearfix"></div>
</div>
<?php
break;


case "section":
$i++;
?>

<div class="sps_section">
<div class="sps_title"><h3><img src="" class="inactive" alt="""><?php echo $val['name']; ?></h3><span class="submit"><input name="save<?php echo $i; ?>" type="submit" value="Save Changes" class="button button-primary" />
</span><div class="clearfix"></div></div>
<div class="sps_options">

<?php break;

}
}
?>

</div>
</div>

</form>

</div>


<?php
}

add_action('admin_menu', 'spgadmin');



?>

Answers (2)

2013-12-18

Balanean Corneliu answers:

Have all the info about nonce here : http://codex.wordpress.org/WordPress_Nonces

2013-12-19

Ryan S answers:

A great tutorial on improving security in WordPress using nonces http://www.prelovac.com/vladimir/improving-security-in-wordpress-plugins-using-nonces