switch($action) {
case 'post':
- check_admin_referer();
+ check_admin_referer('add-post');
$post_ID = write_post();
break;
}
} else {
- $location = 'post.php?posted=true';
+ $location = "post.php?posted=$post_ID";
}
if ( 'static' == $_POST['post_status'] )
- $location = "page-new.php?saved=true";
+ $location = "page-new.php?saved=$post_ID";
if ( isset($_POST['save']) )
$location = "post.php?action=edit&post=$post_ID";
- header("Location: $location");
+ wp_redirect($location);
exit();
break;
?>
<div id='preview' class='wrap'>
<h2 id="preview-post"><?php _e('Post Preview (updated when post is saved)'); ?> <small class="quickjump"><a href="#write-post"><?php _e('edit ↑'); ?></a></small></h2>
- <iframe src="<?php echo add_query_arg('preview', 'true', get_permalink($post->ID)); ?>" width="100%" height="600" ></iframe>
+ <iframe src="<?php echo clean_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
</div>
<?php
break;
case 'editattachment':
- check_admin_referer();
-
$post_id = (int) $_POST['post_ID'];
+ check_admin_referer('update-attachment_' . $post_id);
+
// Don't let these be changed
unset($_POST['guid']);
$_POST['post_status'] = 'attachment';
add_post_meta($post_id, '_wp_attachment_metadata', $newmeta);
case 'editpost':
- check_admin_referer();
+ $post_ID = (int) $_POST['post_ID'];
+ check_admin_referer('update-post_' . $post_ID);
$post_ID = edit_post();
+ $referredby = '';
+ if ( !empty($_POST['referredby']) )
+ $referredby = preg_replace('|https?://[^/]+|i', '', $_POST['referredby']);
+ $referer = preg_replace('|https?://[^/]+|i', '', wp_get_referer());
+
if ($_POST['save']) {
- $location = $_SERVER['HTTP_REFERER'];
+ $location = wp_get_referer();
} elseif ($_POST['updatemeta']) {
- $location = $_SERVER['HTTP_REFERER'] . '&message=2#postcustom';
+ $location = wp_get_referer() . '&message=2#postcustom';
} elseif ($_POST['deletemeta']) {
- $location = $_SERVER['HTTP_REFERER'] . '&message=3#postcustom';
- } elseif (isset($_POST['referredby']) && $_POST['referredby'] != $_SERVER['HTTP_REFERER']) {
+ $location = wp_get_referer() . '&message=3#postcustom';
+ } elseif (!empty($referredby) && $referredby != $referer) {
$location = $_POST['referredby'];
if ( $_POST['referredby'] == 'redo' )
$location = get_permalink( $post_ID );
} else {
$location = 'post.php';
}
- header ('Location: ' . $location); // Send user on their way while we keep working
+
+ wp_redirect($location); // Send user on their way while we keep working
exit();
break;
case 'delete':
- check_admin_referer();
-
$post_id = (isset($_GET['post'])) ? intval($_GET['post']) : intval($_POST['post_ID']);
$post = & get_post($post_id);
-
+ if ( 'static' == $post->post_status )
+ check_admin_referer('delete-page_' . $post_id);
+ else
+ check_admin_referer('delete-post_' . $post_id);
+
if ( !current_user_can('edit_post', $post_id) )
die( __('You are not allowed to delete this post.') );
die( __('Error in deleting...') );
}
- $sendback = $_SERVER['HTTP_REFERER'];
- if (strstr($sendback, 'post.php')) $sendback = get_settings('siteurl') .'/wp-admin/post.php';
- elseif (strstr($sendback, 'attachments.php')) $sendback = get_settings('siteurl') .'/wp-admin/attachments.php';
- $sendback = preg_replace('|[^a-z0-9-~+_.?#=&;,/:]|i', '', $sendback);
- header ('Location: ' . $sendback);
+ $sendback = wp_get_referer();
+ if ( 'static' == $post->post_status )
+ $sendback = get_option('siteurl') . '/wp-admin/edit-pages.php';
+ elseif ( strstr($sendback, 'post.php') )
+ $sendback = get_option('siteurl') .'/wp-admin/post.php';
+ elseif ( strstr($sendback, 'attachments.php') )
+ $sendback = get_option('siteurl') .'/wp-admin/attachments.php';
+ wp_redirect($sendback);
break;
case 'editcomment':
$comment = (int) $_GET['comment'];
$p = (int) $_GET['p'];
- if ( ! $comment = get_comment($comment) )
+ if ( ! $comment = get_comment_to_edit($comment) )
die(sprintf(__('Oops, no comment with this ID. <a href="%s">Go back</a>!'), 'edit.php'));
if ( !current_user_can('edit_post', $comment->comment_post_ID) )
echo "<input type='hidden' name='p' value='$p' />\n";
echo "<input type='hidden' name='comment' value='{$comment->comment_ID}' />\n";
echo "<input type='hidden' name='noredir' value='1' />\n";
+ wp_nonce_field('delete-comment_' . $comment->comment_ID);
echo "<input type='submit' value='" . __('Yes') . "' />";
echo " ";
echo "<input type='button' value='" . __('No') . "' onclick=\"self.location='". get_settings('siteurl') ."/wp-admin/edit.php?p=$p&c=1#comments';\" />\n";
break;
case 'deletecomment':
-
- check_admin_referer();
-
$comment = (int) $_GET['comment'];
+ check_admin_referer('delete-comment_' . $comment);
+
$p = (int) $_GET['p'];
if (isset($_GET['noredir'])) {
$noredir = true;
wp_set_comment_status($comment->comment_ID, "delete");
do_action('delete_comment', $comment->comment_ID);
- if (($_SERVER['HTTP_REFERER'] != "") && (false == $noredir)) {
- header('Location: ' . $_SERVER['HTTP_REFERER']);
+ if ((wp_get_referer() != "") && (false == $noredir)) {
+ wp_redirect(wp_get_referer());
} else {
- header('Location: '. get_settings('siteurl') .'/wp-admin/edit.php?p='.$p.'&c=1#comments');
+ wp_redirect(get_settings('siteurl') .'/wp-admin/edit.php?p='.$p.'&c=1#comments');
}
break;
case 'unapprovecomment':
-
- check_admin_referer();
-
$comment = (int) $_GET['comment'];
+ check_admin_referer('unapprove-comment_' . $comment);
+
$p = (int) $_GET['p'];
if (isset($_GET['noredir'])) {
$noredir = true;
wp_set_comment_status($comment->comment_ID, "hold");
- if (($_SERVER['HTTP_REFERER'] != "") && (false == $noredir)) {
- header('Location: ' . $_SERVER['HTTP_REFERER']);
+ if ((wp_get_referer() != "") && (false == $noredir)) {
+ wp_redirect(wp_get_referer());
} else {
- header('Location: '. get_settings('siteurl') .'/wp-admin/edit.php?p='.$p.'&c=1#comments');
+ wp_redirect(get_settings('siteurl') .'/wp-admin/edit.php?p='.$p.'&c=1#comments');
}
break;
case 'mailapprovecomment':
-
$comment = (int) $_GET['comment'];
+ check_admin_referer('approve-comment_' . $comment);
if ( ! $comment = get_comment($comment) )
die(sprintf(__('Oops, no comment with this ID. <a href="%s">Go back</a>!'), 'edit.php'));
wp_notify_postauthor($comment->comment_ID);
}
- header('Location: ' . get_option('siteurl') . '/wp-admin/moderation.php?approved=1');
+ wp_redirect(get_option('siteurl') . '/wp-admin/moderation.php?approved=1');
break;
case 'approvecomment':
-
$comment = (int) $_GET['comment'];
+ check_admin_referer('approve-comment_' . $comment);
+
$p = (int) $_GET['p'];
if (isset($_GET['noredir'])) {
$noredir = true;
}
- if (($_SERVER['HTTP_REFERER'] != "") && (false == $noredir)) {
- header('Location: ' . $_SERVER['HTTP_REFERER']);
+ if ((wp_get_referer() != "") && (false == $noredir)) {
+ wp_redirect(wp_get_referer());
} else {
- header('Location: '. get_settings('siteurl') .'/wp-admin/edit.php?p='.$p.'&c=1#comments');
+ wp_redirect(get_settings('siteurl') .'/wp-admin/edit.php?p='.$p.'&c=1#comments');
}
break;
case 'editedcomment':
- edit_comment();
+ $comment_ID = (int) $_POST['comment_ID'];
+ $comment_post_ID = (int) $_POST['comment_post_ID'];
- $referredby = $_POST['referredby'];
- if (!empty($referredby)) {
- header('Location: ' . $referredby);
- } else {
- header ("Location: edit.php?p=$comment_post_ID&c=1#comments");
- }
+ check_admin_referer('update-comment_' . $comment_ID);
+
+ edit_comment();
+ $location = ( empty($_POST['referredby']) ? "edit.php?p=$comment_post_ID&c=1" : $_POST['referredby'] ) . '#comment-' . $comment_ID;
+ $location = apply_filters('comment_edit_redirect', $location, $comment_ID);
+ wp_redirect($location);
+ exit();
break;
default:
require_once ('./admin-header.php');
?>
<?php if ( isset($_GET['posted']) ) : ?>
-<div id="message" class="updated fade"><p><?php printf(__('Post saved. <a href="%s">View site »</a>'), get_bloginfo('home') . '/'); ?></p></div>
+<div id="message" class="updated fade"><p><strong><?php _e('Post saved.'); ?></strong> <a href="<?php echo get_permalink( $_GET['posted'] ); ?>"><?php _e('View post'); ?> »</a></p></div>
<?php endif; ?>
<?php
if ( current_user_can('edit_posts') ) {
include('edit-form-advanced.php');
?>
-<div class="wrap">
+<div id="wp-bookmarklet" class="wrap">
<?php echo '<h3>'.__('WordPress bookmarklet').'</h3>
<p>'.__('Right click on the following link and choose "Add to favorites" to create a posting shortcut.').'</p>'; ?>
<p>