bbPress.org


Timestamp:
12/20/2017 04:43:09 PM (8 years ago)
Author:
johnjamesjacoby
Message:

Ajax: send a proper 400 response when nothing happens.

This change adds nocache and noindex headers to theme-side AJAX handling, adds support for pre-sanitized $action parameters, and checks that the action-hook actually has actions hooked to it before attempting to execute it.

Similar to admin-ajax.php, a 400 response is now returned when an AJAX request is attempted that does not have a handler.

File:
1 edited

  • trunk/src/includes/common/ajax.php

    r6745 r6755  
    5757 * theme-side AJAX handler.
    5858 *
     59 * This is largely taken from admin-ajax.php, but adapted specifically for
     60 * theme-side bbPress-only AJAX requests.
     61 *
    5962 * @since 2.3.0 bbPress (r4543)
     63 *
     64 * @param string $action Sanitized action from bbp_post_request/bbp_get_request
    6065 *
    6166 * @return If not a bbPress AJAX request
    6267 */
    63 function bbp_do_ajax() {
     68function bbp_do_ajax( $action = '' ) {
    6469
    65     // Bail if not an AJAX request
     70    // Bail if not a bbPress specific AJAX request
    6671    if ( ! bbp_is_ajax() ) {
    6772        return;
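Review bot: the new `@param string $action` docblock should say that a non-empty value is used verbatim, since only the `$_REQUEST['action']` fallback goes through `sanitize_key()`; a caller that forwards raw request input into `bbp_do_ajax( $action )` must sanitize it itself, or the key should be sanitized unconditionally (e.g. `$key = "bbp_ajax_" . sanitize_key( $action );`). The `@return` tag is also untyped and still documents only the not-an-AJAX-request bail-out; with the new `wp_die( '0', 400 )` path it should read something like `@return void Returns early if not a bbPress AJAX request; dies with a 400 if no handler is hooked.`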
     
    7378    // Set the header content type
    7479    @header( 'Content-Type: ' . get_option( 'html_type' ) . '; charset=' . get_option( 'blog_charset' ) );
     80    @header( 'X-Robots-Tag: noindex' );
    7581
    7682    // Disable content sniffing in browsers that support it
    7783    send_nosniff_header();
    7884
     85    // Disable browser caching for
     86    nocache_headers();
     87
     88    // Compat for targeted action hooks (without $action param)
     89    $action = empty( $action )
     90        ? sanitize_key( $_REQUEST['action'] )
     91        : $action;
     92
     93    // Setup action key
     94    $key = "bbp_ajax_{$action}";
     95
     96    // Bail if no action is registered
     97    if ( empty( $action ) || ! has_action( $key ) ) {
     98        wp_die( '0', 400 );
     99    }
     100
    79101    // Everything is 200 OK.
    80102    bbp_set_200();
    81103
    82     // Perform custom bbPress ajax
    83     do_action( 'bbp_ajax_' . sanitize_key( $_REQUEST['action'] ) );
     104    // Execute custom bbPress AJAX action
     105    do_action( $key );
    84106
    85107    // All done
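Review bot: the fallback `sanitize_key( $_REQUEST['action'] )` reads the index without checking that it exists, so a bbPress AJAX request that omits `action` (unless `bbp_is_ajax()` already requires it) raises an undefined-index notice before the `empty( $action )` check ever runs; guard it, e.g. `$action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';`. The comment `// Disable browser caching for` is cut off and should name what it applies to (the AJAX response). Sending `X-Robots-Tag: noindex`, `send_nosniff_header()` and `nocache_headers()` before the `has_action( $key )` check is the right order, since the `wp_die( '0', 400 )` response then carries the same headers as a successful one.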