Add nonce verification to connection form page

omnisend · Aug 28, 2024 · ed75471 · ed75471
1 parent 85b19ab
commit ed75471
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 6 deletions.
diff --git a/omnisend/includes/Internal/class-connection.php b/omnisend/includes/Internal/class-connection.php
@@ -82,16 +82,17 @@ private static function get_account_data( $api_key ): array {
 		return is_array( $arr ) ? $arr : array();
 	}
 
-
 	public static function show_connected_store_view(): bool {
 		return Options::is_store_connected();
 	}
 
 	public static function show_connection_view(): bool {
 		$connected = Options::is_store_connected();
 
-		// phpcs:disable WordPress.Security.NonceVerification
 		if ( ! $connected && ! empty( $_GET['action'] ) && 'show_connection_form' == $_GET['action'] ) {
+			if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ?? '' ) ), 'show_connection_form' ) ) {
+				die( 'nonce verification failed: ' . __FILE__ . ':' . __LINE__ );
+			}
 			return true;
 		}
 

diff --git a/omnisend/view/landing-page.html b/omnisend/view/landing-page.html
@@ -1,4 +1,7 @@
-<?php use Omnisend\Internal\Connection; ?>
+<?php
+    use Omnisend\Internal\Connection;
+    $nonce = wp_create_nonce( 'show_connection_form' );
+?>
 
 <div class="omnisend-landing-page-header">
     <div class="omnisend-landing-header-container">
@@ -17,9 +20,9 @@
                 <a class="omnisend-button-primary" href="<?php echo Omnisend\Internal\Connection::$landing_page_url;?>" target="_blank">
                     Explore Omnisend
                 </a>
-                <a class="omnisend-button" href="admin.php?page=omnisend&action=show_connection_form"> Connect Omnisend </a>
+                <a class="omnisend-button" href="admin.php?page=omnisend&action=show_connection_form&_wpnonce=<?php echo $nonce; ?>"> Connect Omnisend </a>
                 <?php else: ?>
-                <a class="omnisend-button-primary" href="admin.php?page=omnisend&action=show_connection_form"> Connect Omnisend </a>
+                <a class="omnisend-button-primary" href="admin.php?page=omnisend&action=show_connection_form&_wpnonce=<?php echo $nonce; ?>"> Connect Omnisend </a>
                 <?php endif; ?>
             </div>
         </div>
@@ -97,7 +100,7 @@
                     <a class="omnisend-button-green" href="<?php echo Omnisend\Internal\Connection::$landing_page_url;?>" target="_blank">
                         Explore Omnisend
                     </a>
-                    <a class="omnisend-button-white" href="admin.php?page=omnisend&action=show_connection_form"> Connect Omnisend </a>
+                    <a class="omnisend-button-white" href="admin.php?page=omnisend&action=show_connection_form&_wpnonce=<?php echo $nonce; ?>"> Connect Omnisend </a>
                 </div>
             </div>
         </div>