From ca0aa3f19affc1450184149624b9c4a2851077bd Mon Sep 17 00:00:00 2001
From: Jeremy Felt <jeremyfelt@git.wordpress.org>
Date: Sun, 12 Jul 2015 02:35:11 +0000
Subject: [PATCH] Add better handling for actions and messaging in MS Sites
 List Table row actions

* Simplify URLs used for row actions to remove messaging and site domain/path.
* Use confirmation messaging from a managed list of actions when handling the request.
* Find the site address from the site ID rather than using information passed in the URL.

Fixes #32963.


git-svn-id: https://develop.svn.wordpress.org/trunk@33173 602fd350-edb4-49c9-b593-d223f7449a82
---
 .../includes/class-wp-ms-sites-list-table.php | 14 +++---
 src/wp-admin/network/sites.php                | 50 +++++++++++++++----
 2 files changed, 47 insertions(+), 17 deletions(-)

diff --git a/src/wp-admin/includes/class-wp-ms-sites-list-table.php b/src/wp-admin/includes/class-wp-ms-sites-list-table.php
index b6ed847713..3ba006b227 100644
--- a/src/wp-admin/includes/class-wp-ms-sites-list-table.php
+++ b/src/wp-admin/includes/class-wp-ms-sites-list-table.php
@@ -501,25 +501,25 @@ class WP_MS_Sites_List_Table extends WP_List_Table {
 			$actions['backend']	= "<span class='backend'><a href='" . esc_url( get_admin_url( $blog['blog_id'] ) ) . "' class='edit'>" . __( 'Dashboard' ) . '</a></span>';
 			if ( get_current_site()->blog_id != $blog['blog_id'] ) {
 				if ( $blog['deleted'] == '1' ) {
-					$actions['activate']   = '<span class="activate"><a href="' . esc_url( wp_nonce_url( network_admin_url( 'sites.php?action=confirm&amp;action2=activateblog&amp;id=' . $blog['blog_id'] . '&amp;msg=' . urlencode( sprintf( __( 'You are about to activate the site %s' ), $blogname ) ) ), 'confirm' ) ) . '">' . __( 'Activate' ) . '</a></span>';
+					$actions['activate']   = '<span class="activate"><a href="' . esc_url( wp_nonce_url( network_admin_url( 'sites.php?action=confirm&amp;action2=activateblog&amp;id=' . $blog['blog_id'] ), 'activateblog_' . $blog['blog_id'] ) ) . '">' . __( 'Activate' ) . '</a></span>';
 				} else {
-					$actions['deactivate'] = '<span class="activate"><a href="' . esc_url( wp_nonce_url( network_admin_url( 'sites.php?action=confirm&amp;action2=deactivateblog&amp;id=' . $blog['blog_id'] . '&amp;msg=' . urlencode( sprintf( __( 'You are about to deactivate the site %s' ), $blogname ) ) ), 'confirm' ) ) . '">' . __( 'Deactivate' ) . '</a></span>';
+					$actions['deactivate'] = '<span class="activate"><a href="' . esc_url( wp_nonce_url( network_admin_url( 'sites.php?action=confirm&amp;action2=deactivateblog&amp;id=' . $blog['blog_id'] ), 'deactivateblog_' . $blog['blog_id'] ) ) . '">' . __( 'Deactivate' ) . '</a></span>';
 				}
 
 				if ( $blog['archived'] == '1' ) {
-					$actions['unarchive'] = '<span class="archive"><a href="' . esc_url( wp_nonce_url( network_admin_url( 'sites.php?action=confirm&amp;action2=unarchiveblog&amp;id=' . $blog['blog_id'] . '&amp;msg=' . urlencode( sprintf( __( 'You are about to unarchive the site %s.' ), $blogname ) ) ), 'confirm' ) ) . '">' . __( 'Unarchive' ) . '</a></span>';
+					$actions['unarchive'] = '<span class="archive"><a href="' . esc_url( wp_nonce_url( network_admin_url( 'sites.php?action=confirm&amp;action2=unarchiveblog&amp;id=' . $blog['blog_id'] ), 'unarchiveblog_' . $blog['blog_id'] ) ) . '">' . __( 'Unarchive' ) . '</a></span>';
 				} else {
-					$actions['archive']   = '<span class="archive"><a href="' . esc_url( wp_nonce_url( network_admin_url( 'sites.php?action=confirm&amp;action2=archiveblog&amp;id=' . $blog['blog_id'] . '&amp;msg=' . urlencode( sprintf( __( 'You are about to archive the site %s.' ), $blogname ) ) ), 'confirm' ) ) . '">' . _x( 'Archive', 'verb; site' ) . '</a></span>';
+					$actions['archive']   = '<span class="archive"><a href="' . esc_url( wp_nonce_url( network_admin_url( 'sites.php?action=confirm&amp;action2=archiveblog&amp;id=' . $blog['blog_id'] ), 'archiveblog_' . $blog['blog_id'] ) ) . '">' . _x( 'Archive', 'verb; site' ) . '</a></span>';
 				}
 
 				if ( $blog['spam'] == '1' ) {
-					$actions['unspam'] = '<span class="spam"><a href="' . esc_url( wp_nonce_url( network_admin_url( 'sites.php?action=confirm&amp;action2=unspamblog&amp;id=' . $blog['blog_id'] . '&amp;msg=' . urlencode( sprintf( __( 'You are about to unspam the site %s.' ), $blogname ) ) ), 'confirm' ) ) . '">' . _x( 'Not Spam', 'site' ) . '</a></span>';
+					$actions['unspam'] = '<span class="spam"><a href="' . esc_url( wp_nonce_url( network_admin_url( 'sites.php?action=confirm&amp;action2=unspamblog&amp;id=' . $blog['blog_id'] ), 'unspamblog_' . $blog['blog_id'] ) ) . '">' . _x( 'Not Spam', 'site' ) . '</a></span>';
 				} else {
-					$actions['spam']   = '<span class="spam"><a href="' . esc_url( wp_nonce_url( network_admin_url( 'sites.php?action=confirm&amp;action2=spamblog&amp;id=' . $blog['blog_id'] . '&amp;msg=' . urlencode( sprintf( __( 'You are about to mark the site %s as spam.' ), $blogname ) ) ), 'confirm' ) ) . '">' . _x( 'Spam', 'site' ) . '</a></span>';
+					$actions['spam']   = '<span class="spam"><a href="' . esc_url( wp_nonce_url( network_admin_url( 'sites.php?action=confirm&amp;action2=spamblog&amp;id=' . $blog['blog_id'] ), 'spamblog_' . $blog['blog_id'] ) ) . '">' . _x( 'Spam', 'site' ) . '</a></span>';
 				}
 
 				if ( current_user_can( 'delete_site', $blog['blog_id'] ) ) {
-					$actions['delete'] = '<span class="delete"><a href="' . esc_url( wp_nonce_url( network_admin_url( 'sites.php?action=confirm&amp;action2=deleteblog&amp;id=' . $blog['blog_id'] . '&amp;msg=' . urlencode( sprintf( __( 'You are about to delete the site %s.' ), $blogname ) ) ), 'confirm' ) ) . '">' . __( 'Delete' ) . '</a></span>';
+					$actions['delete'] = '<span class="delete"><a href="' . esc_url( wp_nonce_url( network_admin_url( 'sites.php?action=confirm&amp;action2=deleteblog&amp;id=' . $blog['blog_id'] ), 'deleteblog_' . $blog['blog_id'] ) ) . '">' . __( 'Delete' ) . '</a></span>';
 				}
 			}
 
diff --git a/src/wp-admin/network/sites.php b/src/wp-admin/network/sites.php
index 4e057207b6..fcbc2615ed 100644
--- a/src/wp-admin/network/sites.php
+++ b/src/wp-admin/network/sites.php
@@ -52,8 +52,34 @@ if ( isset( $_GET['action'] ) ) {
 	/** This action is documented in wp-admin/network/edit.php */
 	do_action( 'wpmuadminedit' );
 
+	// A list of valid actions and their associated messaging for confirmation output.
+	$manage_actions = array(
+		'activateblog'   => __( 'You are about to activate the site %s' ),
+		'deactivateblog' => __( 'You are about to deactivate the site %s' ),
+		'unarchiveblog'  => __( 'You are about to unarchive the site %s.' ),
+		'archiveblog'    => __( 'You are about to archive the site %s.' ),
+		'unspamblog'     => __( 'You are about to unspam the site %s.' ),
+		'spamblog'       => __( 'You are about to mark the site %s as spam.' ),
+		'deleteblog'     => __( 'You are about to delete the site %s.' ),
+		'unmatureblog'   => __( 'You are about to mark the site %s as mature.' ),
+		'matureblog'     => __( 'You are about to mark the site %s as not mature.' ),
+		'allblogs'       => '',
+	);
+
 	if ( 'confirm' === $_GET['action'] ) {
-		check_admin_referer( 'confirm' );
+		// The action2 parameter contains the action being taken on the site.
+		$site_action = $_GET['action2'];
+
+		if ( ! array_key_exists( $site_action, $manage_actions ) ) {
+			wp_die( __( 'The requested action is not valid.' ) );
+		}
+
+		// The mature/unmature UI exists only as external code. Check the "confirm" nonce for backward compatibility.
+		if ( 'matureblog' === $site_action || 'unmatureblog' === $site_action ) {
+			check_admin_referer( 'confirm' );
+		} else {
+			check_admin_referer( $site_action . '_' . $id );
+		}
 
 		if ( ! headers_sent() ) {
 			nocache_headers();
@@ -64,16 +90,19 @@ if ( isset( $_GET['action'] ) ) {
 			wp_die( __( 'You are not allowed to change the current site.' ) );
 		}
 
+		$site_details = get_blog_details( $id );
+		$site_address = untrailingslashit( $site_details->domain . $site_details->path );
+
 		require_once( ABSPATH . 'wp-admin/admin-header.php' );
 		?>
 			<div class="wrap">
 				<h1><?php _e( 'Confirm your action' ); ?></h1>
-				<form action="sites.php?action=<?php echo esc_attr( $_GET['action2'] ) ?>" method="post">
-					<input type="hidden" name="action" value="<?php echo esc_attr( $_GET['action2'] ) ?>" />
+				<form action="sites.php?action=<?php echo esc_attr( $site_action ); ?>" method="post">
+					<input type="hidden" name="action" value="<?php echo esc_attr( $site_action ); ?>" />
 					<input type="hidden" name="id" value="<?php echo esc_attr( $id ); ?>" />
 					<input type="hidden" name="_wp_http_referer" value="<?php echo esc_attr( wp_get_referer() ); ?>" />
-					<?php wp_nonce_field( $_GET['action2'], '_wpnonce', false ); ?>
-					<p><?php echo esc_html( wp_unslash( $_GET['msg'] ) ); ?></p>
+					<?php wp_nonce_field( $site_action . '_' . $id, '_wpnonce', false ); ?>
+					<p><?php echo sprintf( $manage_actions[ $site_action ], $site_address ); ?></p>
 					<?php submit_button( __( 'Confirm' ), 'button' ); ?>
 				</form>
 			</div>
@@ -84,13 +113,13 @@ if ( isset( $_GET['action'] ) ) {
 
 	$updated_action = '';
 
-	$manage_actions = array( 'deleteblog', 'allblogs', 'archiveblog', 'unarchiveblog', 'activateblog', 'deactivateblog', 'unspamblog', 'spamblog', 'unmatureblog', 'matureblog' );
-	if ( in_array( $_GET['action'], $manage_actions ) ) {
+	if ( array_key_exists( $_GET['action'], $manage_actions ) ) {
 		$action = $_GET['action'];
-		if ( 'allblogs' === $action )
+		if ( 'allblogs' === $action ) {
 			$action = 'bulk-sites';
+		}
 
-		check_admin_referer( $action );
+		check_admin_referer( $action . '_' . $id );
 	}
 
 	switch ( $_GET['action'] ) {
@@ -178,8 +207,9 @@ if ( isset( $_GET['action'] ) ) {
 		break;
 	}
 
-	if ( empty( $updated_action ) && in_array( $_GET['action'], $manage_actions ) )
+	if ( empty( $updated_action ) && array_key_exists( $_GET['action'], $manage_actions ) ) {
 		$updated_action = $_GET['action'];
+	}
 
 	if ( ! empty( $updated_action ) ) {
 		wp_safe_redirect( add_query_arg( array( 'updated' => $updated_action ), wp_get_referer() ) );