From e8f20b741cc1c8c551c8cd162fa9800efd4460cb Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Thu, 15 Mar 2012 12:50:18 +0000
Subject: [PATCH] Ensure no nonce or multipart_params get passed to the plupload_default_settings filter. see #19910.

git-svn-id: https://develop.svn.wordpress.org/trunk@20187 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/media.php | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/wp-includes/media.php b/wp-includes/media.php
index e67563b87f..3a4123b58f 100644
--- a/wp-includes/media.php
+++ b/wp-includes/media.php
@@ -1452,13 +1452,6 @@ function wp_plupload_default_settings() {
 $max_upload_size = wp_max_upload_size();
- $params = array(
- 'action' => 'upload-attachment',
- );
- $params = apply_filters( 'plupload_default_params', $params );
-
- $params['_wpnonce'] = wp_create_nonce( 'media-form' );
-
 $settings = array(
 'runtimes' => 'html5,silverlight,flash,html4',
 'file_data_name' => 'async-upload', // key passed to $_FILE.
@@ -1470,11 +1463,18 @@ function wp_plupload_default_settings() {
 'filters' => array( array( 'title' => __( 'Allowed Files' ), 'extensions' => '*') ),
 'multipart' => true,
 'urlstream_upload' => true,
- 'multipart_params' => $params,
 );
 $settings = apply_filters( 'plupload_default_settings', $settings );
+ $params = array(
+ 'action' => 'upload-attachment',
+ );
+
+ $params = apply_filters( 'plupload_default_params', $params );
+ $params['_wpnonce'] = wp_create_nonce( 'media-form' );
+ $settings['multipart_params'] = $params;
+
 $script = 'var wpPluploadDefaults = ' . json_encode( $settings ) . ';';
 $data = $wp_scripts->get_data( 'wp-plupload', 'data' );
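Review bot: The block added after `apply_filters( 'plupload_default_settings', $settings )` in the second hunk depends on its position to keep the `media-form` nonce out of filter callbacks, but nothing in the code says so, and a later tidy-up could move the `$params` block back above the filter. A comment above `$params = array(` would pin it, e.g. `// Built after the plupload_default_settings filter on purpose: callbacks must not see or replace multipart_params or the nonce.` The filter documentation should also say that any `multipart_params` key a callback sets on `$settings` is now overwritten, with `plupload_default_params` as the hook for extra upload parameters. Separately, `$params['_wpnonce'] = ...` and `$settings['multipart_params'] = ...` assume both filters returned arrays; a guard such as `if ( ! is_array( $params ) ) $params = array( 'action' => 'upload-attachment' );` would stop a misbehaving callback from breaking the emitted upload settings. The body of `wp_plupload_default_settings()` starts and ends outside the hunk.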