Issue #843: Add nonce verification for the editor message.

Use check_admin_referer(), as this will display the 'are you sure' message. Also , update the test.
ampproject · Feb 8, 2018 · 583a6bc · 583a6bc
1 parent 69317b8
commit 583a6bc
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 4 deletions.
diff --git a/includes/utils/class-amp-validation-utils.php b/includes/utils/class-amp-validation-utils.php
@@ -54,6 +54,20 @@ class AMP_Validation_Utils {
 	 */
 	const ERROR_QUERY_VALUE = '1';
 
+	/**
+	 * Nonce name for the editor error message.
+	 *
+	 * @var string.
+	 */
+	const ERROR_NONCE = 'amp_nonce';
+
+	/**
+	 * Nonce action for displaying the invalid AMP message.
+	 *
+	 * @var string.
+	 */
+	const ERROR_NONCE_ACTION = 'invalid_amp_message';
+
 	/**
 	 * The attributes that the sanitizer removed.
 	 *
@@ -300,11 +314,11 @@ public static function add_header() {
 	 * @return string $url The filtered URL, including the AMP error message query var.
 	 */
 	public static function error_message( $url ) {
-		return add_query_arg(
-			self::ERROR_QUERY_KEY,
-			self::ERROR_QUERY_VALUE,
-			$url
+		$args = array(
+			self::ERROR_QUERY_KEY => self::ERROR_QUERY_VALUE,
+			self::ERROR_NONCE     => wp_create_nonce( self::ERROR_NONCE_ACTION ),
 		);
+		return add_query_arg( $args, $url );
 	}
 
 	/**
@@ -316,6 +330,10 @@ public static function error_message( $url ) {
 	 * @return void.
 	 */
 	public static function display_error() {
+		if ( ! isset( $_GET[ self::ERROR_QUERY_KEY ] ) ) {
+			return;
+		}
+		check_admin_referer( self::ERROR_NONCE_ACTION, self::ERROR_NONCE );
 		$error = isset( $_GET[ self::ERROR_QUERY_KEY ] ) ? sanitize_text_field( wp_unslash( $_GET[ self::ERROR_QUERY_KEY ] ) ) : ''; // WPCS: CSRF ok.
 		if ( self::ERROR_QUERY_VALUE === $error ) {
 			printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html__( 'Notice: this post fails AMP validation', 'amp' ) );

diff --git a/tests/test-class-amp-validation-utils.php b/tests/test-class-amp-validation-utils.php
@@ -340,6 +340,9 @@ public function test_error_message() {
 	 * @see AMP_Validation_Utils::display_error().
 	 */
 	public function test_display_error() {
+		wp_set_current_user( $this->factory()->user->create( array(
+			'role' => 'administrator',
+		) ) );
 		unset( $_GET[ AMP_Validation_Utils::ERROR_QUERY_KEY ] );
 		ob_start();
 		AMP_Validation_Utils::display_error();
@@ -348,6 +351,8 @@ public function test_display_error() {
 		$this->assertFalse( strpos( $output, 'Notice: your post fails AMP validation' ) );
 
 		$_GET[ AMP_Validation_Utils::ERROR_QUERY_KEY ] = AMP_Validation_Utils::ERROR_QUERY_VALUE;
+		$_REQUEST[ AMP_Validation_Utils::ERROR_NONCE ] = wp_create_nonce( AMP_Validation_Utils::ERROR_NONCE_ACTION );
+		$_REQUEST['_wp_http_referer']                  = admin_url();
 		ob_start();
 		AMP_Validation_Utils::display_error();
 		$output = ob_get_clean();