From 5ca2201554b347720a5f72a11e4b4c17e161100a Mon Sep 17 00:00:00 2001
From: Andrew Ozz <azaozz@git.wordpress.org>
Date: Wed, 17 Sep 2008 11:32:33 +0000
Subject: [PATCH] Add nonces to quick edit, see #6815

git-svn-id: https://develop.svn.wordpress.org/trunk@8917 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-admin/admin-ajax.php        | 17 +++++++---
 wp-admin/includes/template.php |  3 ++
 wp-admin/js/inline-edit.js     | 13 ++++----
 wp-admin/wp-admin.css          | 57 ++++++++++++++++++----------------
 4 files changed, 53 insertions(+), 37 deletions(-)

diff --git a/wp-admin/admin-ajax.php b/wp-admin/admin-ajax.php
index 8b4b1628cc..9b36c10d5a 100644
--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -728,18 +728,27 @@ case 'sample-permalink':
 	die(get_sample_permalink_html($post_id, $title, $slug));
 break;
 case 'inline-data':
-	get_inline_data( explode(',', $_POST['posts']) );
+	check_ajax_referer( 'inlineeditnonce', 'inline_edit_nonce' );
+
+	if ( isset($_POST['posts']) )
+		get_inline_data( explode(',', $_POST['posts']) );
+
 	die();
 break;
 case 'inline-save':
+	check_ajax_referer( 'inlineeditnonce', 'inline_edit_nonce' );
+	
+	if ( ! isset($_POST['post_ID']) )
+		exit;
+	
 	inline_save_row( $_POST );
+	
+	$post = array();
 	if ( 'page' == $_POST['post_type'] ) {
-		$post = array();
 		$post[] = get_post($_POST['post_ID']);
-		page_rows( $post );
+		page_rows($post);
 	} elseif ( 'post' == $_POST['post_type'] ) {
 		$mode = $_POST['post_view'];
-		$post = array();
 		$post[] = get_post($_POST['post_ID']);
 		post_rows($post);
 	}
diff --git a/wp-admin/includes/template.php b/wp-admin/includes/template.php
index 716b20d7fd..466e0fe500 100644
--- a/wp-admin/includes/template.php
+++ b/wp-admin/includes/template.php
@@ -496,6 +496,7 @@ function inline_edit_row( $type ) {
 				$attributes = "class=\"$type-title column-title\"" . $style;
 			?>
 				<td <?php echo $attributes ?>>
+					<?php wp_nonce_field( 'inlineeditnonce', 'inline_edit_nonce', false ) ?>
 					<div class="title">
 						<input type="text" name="post_title" class="title" value="" /><br />
 						<label><?php _e('Slug'); ?></label><input type="text" name="post_name" value="" class="slug" />
@@ -519,6 +520,7 @@ function inline_edit_row( $type ) {
 					</div>
 					<?php endif; ?>
 					<div class="clear"></div>
+					<div class="save">
 					<?php
 					$actions = array();
 					$actions['save'] = '<a href="#">' . __('Save') . '</a>';
@@ -531,6 +533,7 @@ function inline_edit_row( $type ) {
 						echo "<span class='$action'>$link$sep</span>";
 					}
 					?>
+					</div>
 				</td>
 				<?php
 				break;
diff --git a/wp-admin/js/inline-edit.js b/wp-admin/js/inline-edit.js
index d8328c1062..0e79720fba 100644
--- a/wp-admin/js/inline-edit.js
+++ b/wp-admin/js/inline-edit.js
@@ -51,8 +51,8 @@ function getInlineData(id) {
 	if(id == '') 
 		return false;
 	
-	jQuery.post('admin-ajax.php', 
-		{ 
+	jQuery.post('admin-ajax.php', {
+			'inline_edit_nonce': jQuery('#inline_edit_nonce').val(),
 			action: 'inline-data', 
 			posts: id 
 		}, 
@@ -79,7 +79,7 @@ function editRow(id) {
 
 	// add the new blank row
 	var editRow = blankRow.clone(true);
-	jQuery(editRow).attr('id', 'edit-'+id).addClass('inline').show();
+	jQuery(editRow).attr('id', 'edit-'+id).addClass('inline-editor').show();
 	if(jQuery('#'+postType+'-'+id).hasClass('alternate'))
 		jQuery(editRow).addClass('alternate');
 	jQuery('#'+postType+'-'+id).hide().after(editRow);
@@ -139,12 +139,13 @@ function saveRow(id) {
 	if(typeof(id) == 'object')
 	  id = getRowId(id);
 
-	jQuery('#edit-'+id+' .check-column').html('<img src="images/loading.gif" alt="Saving..." />');
+	jQuery('#edit-'+id+' .check-column').html('<img src="images/loading.gif" alt="" />');
 
 	var params = {
-		action:    'inline-save',
+		'inline_edit_nonce': jQuery('#inline_edit_nonce').val(),
+		action: 'inline-save',
 		post_type: postType,
-		post_ID:   id,
+		post_ID: id,
 		edit_date: 'true',
 		post_view: postView
 	};
diff --git a/wp-admin/wp-admin.css b/wp-admin/wp-admin.css
index e9878c32f2..6c3970ae49 100644
--- a/wp-admin/wp-admin.css
+++ b/wp-admin/wp-admin.css
@@ -2155,86 +2155,89 @@ a.togbox {
 
 
 /* Inline Editor */
-
-.inline {
-	font-size: 10px;
+.inline-editor {
+	font-size: 11px;
 }
 
-.inline td {
+.inline-editor .save {
+	padding-top: 5px;
+}
+
+.inline-editor td {
 	padding-right: 4px;
 	padding-left: 7px;
 }
 
-.inline input, .inline select, .inline textarea {
+.inline-editor input, .inline-editor select, .inline-editor textarea {
 	font-size: 10px !important;
 	padding: 2px;
 	border: 1px solid #ddd;
 }
 
-.inline td.date {
+.inline-editor td.date {
 	width: 87px;
 }
 
-.inline td.page-title {
+.inline-editor td.page-title {
 	width: 495px;
 }
 
-.inline td.post-title input.title {
+.inline-editor td.post-title input.title {
 	width: 250px;
 }
 
-.inline td.post-title input.slug {
+.inline-editor td.post-title input.slug {
 	width: 222px;
 	float: right;
 }
 
-.inline div.title {
+.inline-editor div.title {
 	float: left;
 }
 
-.inline div.title input.title {
+.inline-editor div.title input.title {
 	font-size: 12px !important;
 }
 
-.inline div.title label {
+.inline-editor div.title label {
 	float: left;
 	margin-top: 4px;
 }
 
-.inline td.page-title input.slug {
+.inline-editor td.page-title input.slug {
 	width: 123px;
 	float: right;
 }
 
-.inline div.other, .inline div.more {
+.inline-editor div.other, .inline-editor div.more {
 	width: 190px;
 	float: left;
 	padding-left: 5px;
 }
 
-.inline div.other label, .inline div.more label {
+.inline-editor div.other label, .inline-editor div.more label {
 	display: block; float: left;
 	width: 54px;
 	margin-top: 4px;
 }
 
-.inline div.other select {
+.inline-editor div.other select {
 	width: 133px;
 }
 
-.inline div.more {
+.inline-editor div.more {
 	width: 125px;
 }
 
-.inline div.more input {
+.inline-editor div.more input {
 	width: 60px;
 }
 
-.inline td.author select {
+.inline-editor td.author select {
 	width: 110px;
 }
 
-.inline ul.categories {
+.inline-editor ul.categories {
 	list-style: none;
 	padding: 0; margin: 0;
 	height: 65px;
@@ -2242,33 +2245,33 @@ a.togbox {
 	font-size: 10px;
 }
 
-.inline ul.categories ul.children {
+.inline-editor ul.categories ul.children {
 	list-style: none;
 	padding-left: 15px;
 }
 
-.inline ul.categories li {
+.inline-editor ul.categories li {
 	margin-bottom: 2px;
 }
 
-.inline ul.categories input {
+.inline-editor ul.categories input {
 	vertical-align: middle;
 	padding: 0; border: 0;
 }
 
-.inline td.tags textarea {
+.inline-editor td.tags textarea {
 	height: 58px; width: 100%;
 }
 
-.inline td.comments {
+.inline-editor td.comments {
 	padding-left: 0;
 }
 
-.inline td.status select {
+.inline-editor td.status select {
 	width: 98px;
 }
 
-.inline td.status input {
+.inline-editor td.status input {
 	vertical-align: middle;
 }