hberberoglu · eliotfallon213 · Oct 22, 2015 · msdev20 · Feb 13, 2021
diff --git a/wp-favorite-posts.php b/wp-favorite-posts.php
@@ -71,6 +71,13 @@ function wpfp_add_favorite($post_id = "") {
         return false;
     }
 
+    if (is_user_logged_in() && wpfp_get_option('use_nonce_logged_in')) {
+        if(!check_ajax_referer('wpcf-addfav_use_nonce_logged_in', 'security', false)) {
+            wpfp_die_or_go(wpfp_get_option('text_only_registered') );
+            return false;
+        }
+    }
+
     if (wpfp_do_add_to_list($post_id)) {
         // added, now?
         do_action('wpfp_after_add', $post_id);
@@ -95,6 +102,14 @@ function wpfp_do_add_to_list($post_id) {
 
 function wpfp_remove_favorite($post_id = "") {
     if (empty($post_id)) $post_id = $_REQUEST['postid'];
+
+    if (is_user_logged_in() && wpfp_get_option('use_nonce_logged_in')) {
+        if(!check_ajax_referer('wpcf-removefav_use_nonce_logged_in', 'security', false)) {
+            wpfp_die_or_go(wpfp_get_option('text_only_registered') );
+            return false;
+        }
+    }
+
     if (wpfp_do_remove_favorite($post_id)) {
         // removed, now?
         do_action('wpfp_after_remove', $post_id);
@@ -135,12 +150,12 @@ function wpfp_check_favorited($cid) {
         if ($favorite_post_ids)
             foreach ($favorite_post_ids as $fpost_id)
                 if ($fpost_id == $cid) return true;
-	} else {
-	    if (wpfp_get_cookie()):
-	        foreach (wpfp_get_cookie() as $fpost_id => $val)
-	            if ($fpost_id == $cid) return true;
-	    endif;
-	}
+    } else {
+        if (wpfp_get_cookie()):
+            foreach (wpfp_get_cookie() as $fpost_id => $val)
+                if ($fpost_id == $cid) return true;
+        endif;
+    }
     return false;
 }
 
@@ -169,7 +184,12 @@ function wpfp_link( $return = 0, $action = "", $show_span = 1, $args = array() )
 }
 
 function wpfp_link_html($post_id, $opt, $action) {
-    $link = "<a class='wpfp-link' href='?wpfpaction=".$action."&amp;postid=". $post_id . "' title='". $opt ."' rel='nofollow'>". $opt ."</a>";
+    $securityText = '';
+    if (is_user_logged_in() && wpfp_get_option('use_nonce_logged_in')) {
+        $securityText = '&amp;security='.wp_create_nonce( "wpcf-".$action."fav_use_nonce_logged_in" );
+    }
+
+    $link = "<a class='wpfp-link' href='?wpfpaction=".$action.$securityText."&amp;postid=". $post_id . "' title='". $opt ."' rel='nofollow'>". $opt ."</a>";
     $link = apply_filters( 'wpfp_link_html', $link );
     return $link;
 }
@@ -184,13 +204,13 @@ function wpfp_get_users_favorites($user = "") {
     # collect favorites from cookie and if user is logged in from database.
     if (is_user_logged_in()):
         $favorite_post_ids = wpfp_get_user_meta();
-	else:
-	    if (wpfp_get_cookie()):
-	        foreach (wpfp_get_cookie() as $post_id => $post_title) {
-	            array_push($favorite_post_ids, $post_id);
-	        }
-	    endif;
-	endif;
+    else:
+        if (wpfp_get_cookie()):
+            foreach (wpfp_get_cookie() as $post_id => $post_title) {
+                array_push($favorite_post_ids, $post_id);
+            }
+        endif;
+    endif;
     return $favorite_post_ids;
 }
 
@@ -206,7 +226,7 @@ function wpfp_list_favorite_posts( $args = array() ) {
         $favorite_post_ids = wpfp_get_users_favorites();
     }
 
-	if ( @file_exists(TEMPLATEPATH.'/wpfp-page-template.php') || @file_exists(STYLESHEETPATH.'/wpfp-page-template.php') ):
+    if ( @file_exists(TEMPLATEPATH.'/wpfp-page-template.php') || @file_exists(STYLESHEETPATH.'/wpfp-page-template.php') ):
         if(@file_exists(TEMPLATEPATH.'/wpfp-page-template.php')) :
             include(TEMPLATEPATH.'/wpfp-page-template.php');
         else :
@@ -318,14 +338,14 @@ function wpfp_shortcode_func() {
 
 
 function wpfp_add_js_script() {
-	if (!wpfp_get_option('dont_load_js_file'))
-		wp_enqueue_script( "wp-favorite-posts", WPFP_PATH . "/wpfp.js", array( 'jquery' ) );
+    if (!wpfp_get_option('dont_load_js_file'))
+        wp_enqueue_script( "wp-favroite-posts", WPFP_PATH . "/wpfp.js", array( 'jquery' ) );
 }
 add_action('wp_print_scripts', 'wpfp_add_js_script');
 
 function wpfp_wp_print_styles() {
-	if (!wpfp_get_option('dont_load_css_file'))
-		echo "<link rel='stylesheet' id='wpfp-css' href='" . WPFP_PATH . "/wpfp.css' type='text/css' />" . "\n";
+    if (!wpfp_get_option('dont_load_css_file'))
+        echo "<link rel='stylesheet' id='wpfp-css' href='" . WPFP_PATH . "/wpfp.css' type='text/css' />" . "\n";
 }
 add_action('wp_print_styles', 'wpfp_wp_print_styles');
 
@@ -369,12 +389,12 @@ function wpfp_update_user_meta($arr) {
 }
 
 function wpfp_update_post_meta($post_id, $val) {
-	$oldval = wpfp_get_post_meta($post_id);
-	if ($val == -1 && $oldval == 0) {
-    	$val = 0;
-	} else {
-		$val = $oldval + $val;
-	}
+    $oldval = wpfp_get_post_meta($post_id);
+    if ($val == -1 && $oldval == 0) {
+        $val = 0;
+    } else {
+        $val = $oldval + $val;
+    }
     return add_post_meta($post_id, WPFP_META_KEY, $val, true) or update_post_meta($post_id, WPFP_META_KEY, $val);
 }
 
@@ -441,9 +461,15 @@ function wpfp_is_user_can_edit() {
 
 function wpfp_remove_favorite_link($post_id) {
     if (wpfp_is_user_can_edit()) {
+
+        $securityText = '';
+        if (is_user_logged_in() && wpfp_get_option('use_nonce_logged_in')) {
+            $securityText = '&amp;security='.wp_create_nonce( "wpcf-removefav_use_nonce_logged_in" );
+        }
+
         $wpfp_options = wpfp_get_options();
         $class = 'wpfp-link remove-parent';
-        $link = "<a id='rem_$post_id' class='$class' href='?wpfpaction=remove&amp;page=1&amp;postid=". $post_id ."' title='".wpfp_get_option('rem')."' rel='nofollow'>".wpfp_get_option('rem')."</a>";
+        $link = "<a id='rem_$post_id' class='$class' href='?wpfpaction=remove'.$securityText.'&amp;page=1&amp;postid=". $post_id ."' title='".wpfp_get_option('rem')."' rel='nofollow'>".wpfp_get_option('rem')."</a>";
         $link = apply_filters( 'wpfp_remove_favorite_link', $link );
         echo $link;
     }

diff --git a/wpfp-admin.php b/wpfp-admin.php
@@ -1,30 +1,30 @@
 <?php
 $wpfp_options = get_option('wpfp_options');
 if ( isset($_POST['submit']) ) {
-	if ( function_exists('current_user_can') && !current_user_can('manage_options') )
-		die(__('Cheatin&#8217; uh?'));
+    if ( function_exists('current_user_can') && !current_user_can('manage_options') )
+        die(__('Cheatin&#8217; uh?'));
 
     if (isset($_POST['show_remove_link']) && $_POST['show_remove_link'] == 'show_remove_link')
         $_POST['added'] = 'show remove link';
 
     if (isset($_POST['show_add_link']) && $_POST['show_add_link'] == 'show_add_link')
         $_POST['removed'] = 'show add link';
 
-	$wpfp_options['add_favorite'] = htmlspecialchars($_POST['add_favorite']);
-	$wpfp_options['added'] = htmlspecialchars($_POST['added']);
-	$wpfp_options['remove_favorite'] = htmlspecialchars($_POST['remove_favorite']);
-	$wpfp_options['removed'] = htmlspecialchars($_POST['removed']);
-	$wpfp_options['clear'] = htmlspecialchars($_POST['clear']);
-	$wpfp_options['cleared'] = htmlspecialchars($_POST['cleared']);
-	$wpfp_options['favorites_empty'] = htmlspecialchars($_POST['favorites_empty']);
-	$wpfp_options['rem'] = htmlspecialchars($_POST['rem']);
-	$wpfp_options['cookie_warning'] = htmlspecialchars($_POST['cookie_warning']);
-	$wpfp_options['text_only_registered'] = htmlspecialchars($_POST['text_only_registered']);
-	$wpfp_options['statistics'] = htmlspecialchars($_POST['statistics']);
-	$wpfp_options['before_image'] = htmlspecialchars($_POST['before_image']);
-	$wpfp_options['custom_before_image'] = htmlspecialchars($_POST['custom_before_image']);
-	$wpfp_options['autoshow'] = htmlspecialchars($_POST['autoshow']);
-	$wpfp_options['post_per_page'] = htmlspecialchars($_POST['post_per_page']);
+    $wpfp_options['add_favorite'] = htmlspecialchars($_POST['add_favorite']);
+    $wpfp_options['added'] = htmlspecialchars($_POST['added']);
+    $wpfp_options['remove_favorite'] = htmlspecialchars($_POST['remove_favorite']);
+    $wpfp_options['removed'] = htmlspecialchars($_POST['removed']);
+    $wpfp_options['clear'] = htmlspecialchars($_POST['clear']);
+    $wpfp_options['cleared'] = htmlspecialchars($_POST['cleared']);
+    $wpfp_options['favorites_empty'] = htmlspecialchars($_POST['favorites_empty']);
+    $wpfp_options['rem'] = htmlspecialchars($_POST['rem']);
+    $wpfp_options['cookie_warning'] = htmlspecialchars($_POST['cookie_warning']);
+    $wpfp_options['text_only_registered'] = htmlspecialchars($_POST['text_only_registered']);
+    $wpfp_options['statistics'] = htmlspecialchars($_POST['statistics']);
+    $wpfp_options['before_image'] = htmlspecialchars($_POST['before_image']);
+    $wpfp_options['custom_before_image'] = htmlspecialchars($_POST['custom_before_image']);
+    $wpfp_options['autoshow'] = htmlspecialchars($_POST['autoshow']);
+    $wpfp_options['post_per_page'] = htmlspecialchars($_POST['post_per_page']);
 
     $wpfp_options['dont_load_js_file'] = '';
     if (isset($_POST['dont_load_js_file']))
@@ -38,23 +38,27 @@
     if (isset($_POST['opt_only_registered']))
         $wpfp_options['opt_only_registered'] = htmlspecialchars($_POST['opt_only_registered']);
 
+    $wpfp_options['use_nonce_logged_in'] = '';
+    if (isset($_POST['use_nonce_logged_in']))
+        $wpfp_options['use_nonce_logged_in'] = htmlspecialchars($_POST['use_nonce_logged_in']);
+
     update_option('wpfp_options', $wpfp_options);
 }
 $message = "";
 if ( isset($_GET['action'] ) ) {
-	if ($_GET['action'] == 'reset-statistics') {
-		global $wpdb;
-		    $results = $wpdb->get_results($query);
-		$query = "DELETE FROM $wpdb->postmeta WHERE meta_key = 'wpfp_favorites'";
-		
-		$message = '<div class="updated below-h2" id="message"><p>';
-		if ($wpdb->query($query)) {
-			$message .= "All statistic data about wp favorite posts plugin have been <strong>deleted</strong>.";
-		} else {
-			$message .= "Something gone <strong>wrong</strong>. Data couldn't delete. Maybe thre isn't any data to delete?";
-		}	
-		$message .= '</p></div>';
-	}
+    if ($_GET['action'] == 'reset-statistics') {
+        global $wpdb;
+            $results = $wpdb->get_results($query);
+        $query = "DELETE FROM $wpdb->postmeta WHERE meta_key = 'wpfp_favorites'";
+
+        $message = '<div class="updated below-h2" id="message"><p>';
+        if ($wpdb->query($query)) {
+            $message .= "All statistic data about wp favorite posts plugin have been <strong>deleted</strong>.";
+        } else {
+            $message .= "Something gone <strong>wrong</strong>. Data couldn't delete. Maybe thre isn't any data to delete?";
+        }
+        $message .= '</p></div>';
+    }
 }
 ?>
 <?php if ( !empty($_POST ) ) : ?>
@@ -67,10 +71,10 @@
 <div class="meta-box-sortables">
 <script>
 jQuery(document).ready(function($) {
-	$('.postbox').children('h3, .handlediv').click(function(){ $(this).siblings('.inside').toggle();});
-	$('#wpfp-reset-statistics').click(function(){
-		return confirm('All statistic data will be deleted, are you sure ?');
-		});
+    $('.postbox').children('h3, .handlediv').click(function(){ $(this).siblings('.inside').toggle();});
+    $('#wpfp-reset-statistics').click(function(){
+        return confirm('All statistic data will be deleted, are you sure ?');
+        });
 });
 </script>
 <div class="postbox">
@@ -163,13 +167,13 @@
                     <label for="stats-disabled"><input type="radio" name="statistics" id="stats-disabled" value="0" <?php if (!$wpfp_options['statistics']) echo "checked='checked'" ?> /> Disabled</label>
                 </td>
             </tr>
-        	<tr><td></td>
+            <tr><td></td>
                 <td>
-                	<div class="submitbox">
-	                	<div id="delete-action">
-						<a href="?page=wp-favorite-posts&amp;action=reset-statistics" id="wpfp-reset-statistics" class="submitdelete deletion">Reset Statistic Data</a>
-						</div>
-					</div>
+                    <div class="submitbox">
+                        <div id="delete-action">
+                        <a href="?page=wp-favorite-posts&amp;action=reset-statistics" id="wpfp-reset-statistics" class="submitdelete deletion">Reset Statistic Data</a>
+                        </div>
+                    </div>
                 </td>
             </tr>
             <tr>
@@ -204,16 +208,16 @@
             </tr>
             <tr>
                 <th><?php _e("Text for added", "wp-favorite-posts") ?></th><td><input type="checkbox"  <?php if ($wpfp_options['added'] == 'show remove link') echo "checked='checked'"; ?> name="show_remove_link" onclick="jQuery('#added').val(''); jQuery('#added').toggle();" value="show_remove_link" id="show_remove_link" /> <label for="show_remove_link">Show remove link</label>
-				<br /><input id="added" type="text" name="added" <?php if ($wpfp_options['added'] == 'show remove link') echo "style='display:none;'"; ?> value="<?php echo stripslashes($wpfp_options['added']); ?>" /></td>
+                <br /><input id="added" type="text" name="added" <?php if ($wpfp_options['added'] == 'show remove link') echo "style='display:none;'"; ?> value="<?php echo stripslashes($wpfp_options['added']); ?>" /></td>
             </tr>
             <tr>
                 <th><?php _e("Text for remove link", "wp-favorite-posts") ?></th><td><input type="text" name="remove_favorite" value="<?php echo stripslashes($wpfp_options['remove_favorite']); ?>" /></td>
             </tr>
             <tr>
                 <th><?php _e("Text for removed", "wp-favorite-posts") ?></th>
-				<td><input type="checkbox" <?php if ($wpfp_options['removed'] == 'show add link') echo "checked='checked'"; ?> name="show_add_link" id="show_add_link" onclick="jQuery('#removed').val(''); jQuery('#removed').toggle();" value='show_add_link' /> <label for="show_add_link">Show add link</label>
-				<br />
-				<input id="removed" type="text" name="removed" <?php if ($wpfp_options['removed'] == 'show add link') echo "style='display:none;'"; ?> value="<?php echo stripslashes($wpfp_options['removed']); ?>" /></td>
+                <td><input type="checkbox" <?php if ($wpfp_options['removed'] == 'show add link') echo "checked='checked'"; ?> name="show_add_link" id="show_add_link" onclick="jQuery('#removed').val(''); jQuery('#removed').toggle();" value='show_add_link' /> <label for="show_add_link">Show add link</label>
+                <br />
+                <input id="removed" type="text" name="removed" <?php if ($wpfp_options['removed'] == 'show add link') echo "style='display:none;'"; ?> value="<?php echo stripslashes($wpfp_options['removed']); ?>" /></td>
             </tr>
             <tr>
                 <th><?php _e("Text for clear link", "wp-favorite-posts") ?></th><td><input type="text" name="clear" value="<?php echo stripslashes($wpfp_options['clear']); ?>" /></td>
@@ -256,7 +260,10 @@
             </tr>
             <tr>
                 <td><input type="checkbox" value="1" <?php if ($wpfp_options['dont_load_css_file'] == '1') echo "checked='checked'"; ?> name="dont_load_css_file" id="dont_load_css_file" /> <label for="dont_load_css_file">Don't load css file</label></td>
-            </tr>			
+            </tr>
+            <tr>
+                <td><input type="checkbox" value="1" <?php if ($wpfp_options['use_nonce_logged_in'] == '1') echo "checked='checked'"; ?> name="use_nonce_logged_in" id="use_nonce_logged_in" /> <label for="use_nonce_logged_in">Use nonces for logged in users</label></td>
+            </tr>
             <tr>
                 <td>
                     <input type="submit" name="submit" class="button button-primary" value="<?php _e('Update options &raquo;'); ?>" />