Add nonce to AJAX request

Automattic · Feb 6, 2020 · c48ffdb · c48ffdb
1 parent 8c57b4a
commit c48ffdb
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 0 deletions.
diff --git a/_inc/jetpack-jitm.js b/_inc/jetpack-jitm.js
@@ -188,6 +188,7 @@ jQuery( document ).ready( function( $ ) {
 			button.attr( 'disabled', true );
 			$.post( window.ajaxurl, {
 				action: button.data( 'ajax-action' ),
+				_nonce: $el.data( 'ajax-nonce' ),
 			} )
 				.done( function() {
 					$template.fadeOut( 'slow' );

diff --git a/modules/tos/jetpack-tos.php b/modules/tos/jetpack-tos.php
@@ -15,6 +15,8 @@
  * Makes a request to the WP.com legal endpoint to mark the Terms of Service as accepted.
  */
 function accept_tos() {
+	check_ajax_referer( 'wp_ajax_action', '_nonce' );
+
 	$response = Client::wpcom_json_api_request_as_user(
 		'/legal',
 		'2',

diff --git a/packages/jitm/src/class-jitm.php b/packages/jitm/src/class-jitm.php
@@ -344,6 +344,7 @@ public function ajax_message() {
 		?>
 		<div class="jetpack-jitm-message"
 			data-nonce="<?php echo esc_attr( wp_create_nonce( 'wp_rest' ) ); ?>"
+			data-ajax-nonce="<?php echo esc_attr( wp_create_nonce( 'wp_ajax_action' ) ); ?>"
 			data-message-path="<?php echo esc_attr( $message_path ); ?>"
 			data-query="<?php echo urlencode_deep( $query_string ); ?>"
 			data-redirect="<?php echo urlencode_deep( $current_screen ); ?>"