Add WP NONCE Inside Plugin Option Page WordPress
I have very simple plugin options page. Somebody told me this admin options page is insecure and vulnerable XSS Attacks. He told me to add <strong>wordpress nonce</strong>, where I should put it? and how to make sure wordpress nonce works to prevent XSS Attacks?
<?php
/*
|--------------------------------------------------------------------------
| Sanitize and validate input.
|--------------------------------------------------------------------------
*/
function mmdia_validate_options($input) {
// strip html from textboxes
$input['text'] = wp_filter_nohtml_kses($input['text']);
$input['textarea'] = wp_filter_nohtml_kses($input['textarea']);
return $input;
}
function register_easy_setting() {
register_setting( 'e_options_group', 'media_opt', 'mmdia_validate_options' );
}
add_action( 'admin_init', 'register_easy_setting' );
/*
|--------------------------------------------------------------------------
| Update / Reset Options
|--------------------------------------------------------------------------
*/
function spgadmin() {
global $plugprefix, $opt;
if ( is_admin() && ( isset( $_GET['page'] ) == 'page_settings' ) && ( isset( $_GET['post_type'] ) == 'galleria' ) ){
if ( isset( $_REQUEST['action'] ) && 'save' == $_REQUEST['action'] ) {
$curtosv = get_option( 'media_opt' );
foreach ( $opt as $val ) {
$curtosv[ $val['id'] ] = $_REQUEST[ $val['id'] ];
update_option( 'media_opt', $curtosv ); }
header("Location: edit.php?post_type=galleria&page=page_settings&saved=true");
die;
}
else if ( isset( $_REQUEST['action'] ) && 'reset' == $_REQUEST['action'] ) {
restore_to_default($_REQUEST['action']);
header("Location: edit.php?post_type=galleria&page=page_settings&reset=true");
die;
}
}
add_submenu_page(
'edit.php?post_type=galleria',
__('Settings', 'mmdia' ),
__( 'Settings', 'mmdia' ),
'manage_options',
'page_settings',
'e_generate_form'
);
}
/*
|--------------------------------------------------------------------------
| ENQUEUE SCRIPTS/STYLES
|--------------------------------------------------------------------------
*/
if ( is_admin() && ( isset( $_GET['page'] ) == 'page_settings' ) && ( isset( $_GET['post_type'] ) == 'galleria' ) ){
add_action( 'admin_enqueue_scripts', 'e_cp_script' );
function e_cp_script() {
wp_enqueue_script( 'jquery-ui-core' );
wp_enqueue_script( 'jquery-ui-widget' );
wp_enqueue_script( 'jquery-ui-mouse' );
}
}
/*
|--------------------------------------------------------------------------
| MAIN FORM
|--------------------------------------------------------------------------
*/
function e_generate_form() {
global $plugprefix, $opt;
$i=0;
?>
<div id="main">
<form method="post">
<div class="sps_wrap">
<div class="sps_opts">
<?php settings_fields('e_options_group'); ?>
<?php foreach ( $opt as $val ) {
switch ( $val['type'] ) {
case "open":
?>
<?php break;
case "close":
?>
</div>
</div>
<br />
<?php break;
case 'text':
?>
<div class="sps_input sps_text">
<label for="<?php echo $val['id']; ?>"><?php echo $val['name']; ?></label>
<input name="<?php echo $val['id']; ?>" id="<?php echo $val['id']; ?>" type="<?php echo $val['type']; ?>" value="<?php if ( e_get_option( $val['id'] ) != "") { echo stripslashes( e_get_option( $val['id'] ) ); } else { echo $val['std']; } ?>" />
<small><?php echo $val['desc']; ?></small><div class="clearfix"></div>
</div>
<?php
break;
case 'textarea':
?>
<div class="sps_input sps_textarea">
<label for="<?php echo $val['id']; ?>"><?php echo $val['name']; ?></label>
<textarea style="vertical-align:top !important;" name="<?php echo $val['id']; ?>" type="<?php echo $val['type']; ?>" cols="" rows=""><?php if ( e_get_option( $val['id'] ) != "") { echo stripslashes(e_get_option( $val['id'] ) ); } else { echo $val['std']; } ?></textarea>
<small><?php echo $val['desc']; ?></small><div class="clearfix"></div>
</div>
<?php
break;
case 'select':
?>
<div class="sps_input sps_select">
<label for="<?php echo $val['id']; ?>"><?php echo $val['name']; ?></label>
<select name="<?php echo $val['id']; ?>" id="<?php echo $val['id']; ?>">
<?php foreach ( $val['options'] as $option ) { ?>
<option <?php if ( e_get_option( $val['id'] ) == $option) { echo 'selected="selected"'; } ?>><?php echo $option; ?></option><?php } ?>
</select>
<small><?php echo $val['desc']; ?></small><div class="clearfix"></div>
</div>
<?php
break;
case "section":
$i++;
?>
<div class="sps_section">
<div class="sps_title"><h3><img src="" class="inactive" alt="""><?php echo $val['name']; ?></h3><span class="submit"><input name="save<?php echo $i; ?>" type="submit" value="Save Changes" class="button button-primary" />
</span><div class="clearfix"></div></div>
<div class="sps_options">
<?php break;
}
}
?>
</div>
</div>
</form>
</div>
<?php
}
add_action('admin_menu', 'spgadmin');
?>
Answers (2)
Balanean Corneliu answers:
Have all the info about nonce here : http://codex.wordpress.org/WordPress_Nonces
Ryan S answers:
A great tutorial on improving security in WordPress using nonces http://www.prelovac.com/vladimir/improving-security-in-wordpress-plugins-using-nonces