<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[21135] trunk: Refresh nonces in the customizer.</title>
</head>
<body>

<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://core.trac.wordpress.org/changeset/21135">21135</a></dd>
<dt>Author</dt> <dd>nacin</dd>
<dt>Date</dt> <dd>2012-06-26 18:48:18 +0000 (Tue, 26 Jun 2012)</dd>
</dl>

<h3>Log Message</h3>
<pre>Refresh nonces in the customizer. props koopersmith. see <a href="http://core.trac.wordpress.org/ticket/20876">#20876</a>.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkwpadmincustomizephp">trunk/wp-admin/customize.php</a></li>
<li><a href="#trunkwpadminjscustomizecontrolsdevjs">trunk/wp-admin/js/customize-controls.dev.js</a></li>
<li><a href="#trunkwpincludesclasswpcustomizemanagerphp">trunk/wp-includes/class-wp-customize-manager.php</a></li>
<li><a href="#trunkwpincludesjscustomizepreviewdevjs">trunk/wp-includes/js/customize-preview.dev.js</a></li>
<li><a href="#trunkwploginphp">trunk/wp-login.php</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkwpadmincustomizephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/customize.php (21134 => 21135)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/customize.php        2012-06-26 06:28:59 UTC (rev 21134)
+++ trunk/wp-admin/customize.php        2012-06-26 18:48:18 UTC (rev 21135)
</span><span class="lines">@@ -7,6 +7,8 @@
</span><span class="cx">  * @since 3.4.0
</span><span class="cx">  */
</span><span class="cx"> 
</span><ins>+define( 'IFRAME_REQUEST', true );
+
</ins><span class="cx"> require_once( './admin.php' );
</span><span class="cx"> if ( ! current_user_can( 'edit_theme_options' ) )
</span><span class="cx">         wp_die( __( 'Cheatin&amp;#8217; uh?' ) );
</span><span class="lines">@@ -65,7 +67,6 @@
</span><span class="cx"> &lt;body class=&quot;&lt;?php echo esc_attr( $body_class ); ?&gt;&quot;&gt;
</span><span class="cx"> &lt;div class=&quot;wp-full-overlay expanded&quot;&gt;
</span><span class="cx">         &lt;form id=&quot;customize-controls&quot; class=&quot;wrap wp-full-overlay-sidebar&quot;&gt;
</span><del>-                &lt;?php wp_nonce_field( 'customize_controls-' . $wp_customize-&gt;get_stylesheet() ); ?&gt;
</del><span class="cx">                 &lt;div id=&quot;customize-header-actions&quot; class=&quot;wp-full-overlay-header&quot;&gt;
</span><span class="cx">                         &lt;?php
</span><span class="cx">                                 $save_text = $wp_customize-&gt;is_theme_active() ? __( 'Save &amp;amp; Publish' ) : __( 'Save &amp;amp; Activate' );
</span><span class="lines">@@ -175,6 +176,10 @@
</span><span class="cx">                 ),
</span><span class="cx">                 'settings' =&gt; array(),
</span><span class="cx">                 'controls' =&gt; array(),
</span><ins>+                'nonce'    =&gt; array(
+                         'save'    =&gt; wp_create_nonce( 'save-customize_' . $wp_customize-&gt;get_stylesheet() ),
+                         'preview' =&gt; wp_create_nonce( 'preview-customize_' . $wp_customize-&gt;get_stylesheet() )
+                 ),
</ins><span class="cx">         );
</span><span class="cx"> 
</span><span class="cx">         foreach ( $wp_customize-&gt;settings() as $id =&gt; $setting ) {
</span></span></pre></div>
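Review bot: The new `'nonce' => array( 'save' => …, 'preview' => … )` block hard-codes the action strings 'save-customize_' and 'preview-customize_' a second time, while class-wp-customize-manager.php uses the same strings both to verify them (check_ajax_referer in customize_preview_init() and in the save hunk) and to re-issue them; if either side drifts, saving or previewing fails with only a generic nonce error. A comment above the block would make the coupling visible: `// Action strings must match WP_Customize_Manager's check_ajax_referer() calls; the preview frame replaces these values when the nonce tick rolls over.` Dropping wp_nonce_field() from the #customize-controls form is consistent with the JS now reading api.settings.nonce instead of #_wpnonce, so no remaining reference to the field should survive in this file. The continuation lines of this block ('save', 'preview', the closing `),`) render one column deeper than the opening `'nonce'` line, and the same pattern appears in the nonce handler in customize-controls.dev.js, the refresh block in class-wp-customize-manager.php and the 'active' handler in customize-preview.dev.js — if that is a stray space after the tabs rather than a rendering artifact, it is worth normalising. The settings array and the function it belongs to start outside the hunk.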
<a id="trunkwpadminjscustomizecontrolsdevjs"></a>
<div class="modfile"><h4>Modified: trunk/wp-admin/js/customize-controls.dev.js (21134 => 21135)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-admin/js/customize-controls.dev.js        2012-06-26 06:28:59 UTC (rev 21134)
+++ trunk/wp-admin/js/customize-controls.dev.js        2012-06-26 18:48:18 UTC (rev 21135)
</span><span class="lines">@@ -294,7 +294,8 @@
</span><span class="cx">                         // This is the promise object.
</span><span class="cx">                         deferred.promise( this );
</span><span class="cx"> 
</span><del>-                        this.previewer = params.previewer;
</del><ins>+                        this.container = params.container;
+                        this.signature = params.signature;
</ins><span class="cx"> 
</span><span class="cx">                         $.extend( params, { channel: api.PreviewFrame.uuid() });
</span><span class="cx"> 
</span><span class="lines">@@ -338,7 +339,7 @@
</span><span class="cx"> 
</span><span class="cx">                         this.request.done( function( response ) {
</span><span class="cx">                                 var location = self.request.getResponseHeader('Location'),
</span><del>-                                        signature = 'WP_CUSTOMIZER_SIGNATURE',
</del><ins>+                                        signature = self.signature,
</ins><span class="cx">                                         index;
</span><span class="cx"> 
</span><span class="cx">                                 // Check if the location response header differs from the current URL.
</span><span class="lines">@@ -371,7 +372,7 @@
</span><span class="cx">                                 response = response.slice( 0, index ) + response.slice( index + signature.length );
</span><span class="cx"> 
</span><span class="cx">                                 // Create the iframe and inject the html content.
</span><del>-                                self.iframe = $('&lt;iframe /&gt;').appendTo( self.previewer.container );
</del><ins>+                                self.iframe = $('&lt;iframe /&gt;').appendTo( self.container );
</ins><span class="cx"> 
</span><span class="cx">                                 // Bind load event after the iframe has been added to the page;
</span><span class="cx">                                 // otherwise it will fire when injected into the DOM.
</span><span class="lines">@@ -416,7 +417,7 @@
</span><span class="cx">                                         reject();
</span><span class="cx"> 
</span><span class="cx">                                 iframe = $('&lt;iframe src=&quot;' + self.previewUrl() + '&quot; /&gt;').hide();
</span><del>-                                iframe.appendTo( self.previewer.container );
</del><ins>+                                iframe.appendTo( self.container );
</ins><span class="cx">                                 iframe.load( function() {
</span><span class="cx">                                         self.triedLogin = true;
</span><span class="cx"> 
</span><span class="lines">@@ -497,6 +498,7 @@
</span><span class="cx"> 
</span><span class="cx">                         this.container   = api.ensure( params.container );
</span><span class="cx">                         this.allowedUrls = params.allowedUrls;
</span><ins>+                        this.signature   = params.signature;
</ins><span class="cx"> 
</span><span class="cx">                         params.url = window.location.href;
</span><span class="cx"> 
</span><span class="lines">@@ -570,7 +572,8 @@
</span><span class="cx">                                 url:        this.url(),
</span><span class="cx">                                 previewUrl: this.previewUrl(),
</span><span class="cx">                                 query:      this.query() || {},
</span><del>-                                previewer:  this
</del><ins>+                                container:  this.container,
+                                signature:  this.signature
</ins><span class="cx">                         });
</span><span class="cx"> 
</span><span class="cx">                         this.loading.done( function() {
</span><span class="lines">@@ -583,6 +586,8 @@
</span><span class="cx"> 
</span><span class="cx">                                         self.targetWindow( this.targetWindow() );
</span><span class="cx">                                         self.channel( this.channel() );
</span><ins>+
+                                        self.send( 'active' );
</ins><span class="cx">                                 });
</span><span class="cx"> 
</span><span class="cx">                                 this.send( 'sync', {
</span><span class="lines">@@ -683,23 +688,26 @@
</span><span class="cx">                         container:   '#customize-preview',
</span><span class="cx">                         form:        '#customize-controls',
</span><span class="cx">                         previewUrl:  api.settings.url.preview,
</span><del>-                        allowedUrls: api.settings.url.allowed
</del><ins>+                        allowedUrls: api.settings.url.allowed,
+                        signature:   'WP_CUSTOMIZER_SIGNATURE'
</ins><span class="cx">                 }, {
</span><ins>+
+                        nonce: api.settings.nonce,
+
</ins><span class="cx">                         query: function() {
</span><span class="cx">                                 return {
</span><span class="cx">                                         wp_customize: 'on',
</span><span class="cx">                                         theme:        api.settings.theme.stylesheet,
</span><del>-                                        customized:   JSON.stringify( api.get() )
</del><ins>+                                        customized:   JSON.stringify( api.get() ),
+                                        nonce:        this.nonce.preview
</ins><span class="cx">                                 };
</span><span class="cx">                         },
</span><span class="cx"> 
</span><del>-                        nonce: $('#_wpnonce').val(),
-
</del><span class="cx">                         save: function() {
</span><span class="cx">                                 var self  = this,
</span><span class="cx">                                         query = $.extend( this.query(), {
</span><span class="cx">                                                 action: 'customize_save',
</span><del>-                                                nonce:  this.nonce
</del><ins>+                                                nonce:  this.nonce.save
</ins><span class="cx">                                         }),
</span><span class="cx">                                         request = $.post( api.settings.url.ajax, query );
</span><span class="cx"> 
</span><span class="lines">@@ -733,6 +741,11 @@
</span><span class="cx">                         }
</span><span class="cx">                 });
</span><span class="cx"> 
</span><ins>+                // Refresh the nonces if the preview sends updated nonces over.
+                 previewer.bind( 'nonce', function( nonce ) {
+                         $.extend( this.nonce, nonce );
+                 });
+
</ins><span class="cx">                 $.each( api.settings.settings, function( id, data ) {
</span><span class="cx">                         api.create( id, id, data.value, {
</span><span class="cx">                                 transport: data.transport,
</span></span></pre></div>
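Review bot: The new handler `previewer.bind( 'nonce', function( nonce ) { $.extend( this.nonce, nonce ); });` copies every property of whatever object arrives over the preview messenger into this.nonce, and because this.nonce is `api.settings.nonce` by reference (the added `nonce: api.settings.nonce` line), it also mutates the shared settings object. Copying only the two keys the code consumes keeps an unexpected message shape from adding properties: `if ( nonce && nonce.save ) this.nonce.save = nonce.save;` followed by `if ( nonce && nonce.preview ) this.nonce.preview = nonce.preview;`. Whether the messenger already restricts who may send on this channel is not visible in the hunk, so this is defensive narrowing rather than a claimed bypass. The `self.send( 'active' )` added in the loading.done callback is what triggers the preview's reply, which is worth stating in the comment above the handler (`// The preview answers our 'active' message with fresh nonces when the server decided a refresh is due.`); the enclosing objects for these hunks start and end outside them.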
<a id="trunkwpincludesclasswpcustomizemanagerphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/class-wp-customize-manager.php (21134 => 21135)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/class-wp-customize-manager.php        2012-06-26 06:28:59 UTC (rev 21134)
+++ trunk/wp-includes/class-wp-customize-manager.php        2012-06-26 18:48:18 UTC (rev 21135)
</span><span class="lines">@@ -17,6 +17,8 @@
</span><span class="cx">         protected $sections = array();
</span><span class="cx">         protected $controls = array();
</span><span class="cx"> 
</span><ins>+        protected $nonce_tick;
+
</ins><span class="cx">         protected $customized;
</span><span class="cx"> 
</span><span class="cx">         private $_post_values;
</span><span class="lines">@@ -308,6 +310,8 @@
</span><span class="cx">          * @since 3.4.0
</span><span class="cx">          */
</span><span class="cx">         public function customize_preview_init() {
</span><ins>+                $this-&gt;nonce_tick = check_ajax_referer( 'preview-customize_' . $this-&gt;get_stylesheet(), 'nonce' );
+
</ins><span class="cx">                 $this-&gt;prepare_controls();
</span><span class="cx"> 
</span><span class="cx">                 wp_enqueue_script( 'customize-preview' );
</span><span class="lines">@@ -362,6 +366,13 @@
</span><span class="cx">                         'channel' =&gt; esc_js( $_POST['customize_messenger_channel'] ),
</span><span class="cx">                 );
</span><span class="cx"> 
</span><ins>+                if ( 2 == $this-&gt;nonce_tick ) {
+                         $settings['nonce'] = array(
+                                 'save' =&gt; wp_create_nonce( 'save-customize_' . $this-&gt;get_stylesheet() ),
+                                 'preview' =&gt; wp_create_nonce( 'preview-customize_' . $this-&gt;get_stylesheet() )
+                         );
+                 }
+
</ins><span class="cx">                 foreach ( $this-&gt;settings as $id =&gt; $setting ) {
</span><span class="cx">                         $settings['values'][ $id ] = $setting-&gt;js_value();
</span><span class="cx">                 }
</span><span class="lines">@@ -468,7 +479,7 @@
</span><span class="cx">                 if ( ! $this-&gt;is_preview() )
</span><span class="cx">                         die;
</span><span class="cx"> 
</span><del>-                check_ajax_referer( 'customize_controls-' . $this-&gt;get_stylesheet(), 'nonce' );
</del><ins>+                check_ajax_referer( 'save-customize_' . $this-&gt;get_stylesheet(), 'nonce' );
</ins><span class="cx"> 
</span><span class="cx">                 // Do we have to switch themes?
</span><span class="cx">                 if ( ! $this-&gt;is_theme_active() ) {
</span></span></pre></div>
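Review bot: `protected $nonce_tick;` is added without a docblock, yet it carries the contract the refresh depends on: it stores the return value of the new check_ajax_referer() call in customize_preview_init(), and the settings hunk only re-issues nonces when `2 == $this->nonce_tick`. A comment above the property would capture that: `// Return value of check_ajax_referer() for the preview nonce; 2 means the nonce is in the second half of its lifetime, so fresh save/preview nonces are sent to the controls frame.` Because check_ajax_referer() is called with its default die behaviour, every preview load now has to carry the 'nonce' query arg the controls JS adds, and a request without it presumably ends in the referer-failure response rather than the preview page — worth a line in the method docblock of customize_preview_init(). The method holding the settings refresh and the save handler both begin outside their hunks.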
<a id="trunkwpincludesjscustomizepreviewdevjs"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/js/customize-preview.dev.js (21134 => 21135)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/js/customize-preview.dev.js        2012-06-26 06:28:59 UTC (rev 21134)
+++ trunk/wp-includes/js/customize-preview.dev.js        2012-06-26 18:48:18 UTC (rev 21135)
</span><span class="lines">@@ -88,8 +88,13 @@
</span><span class="cx">                                 preview.trigger( event, args );
</span><span class="cx">                         });
</span><span class="cx">                         preview.send( 'synced' );
</span><del>-                })
</del><ins>+                });
</ins><span class="cx"> 
</span><ins>+                 preview.bind( 'active', function() {
+                         if ( api.settings.nonce )
+                                 preview.send( 'nonce', api.settings.nonce );
+                 });
+
</ins><span class="cx">                 preview.send( 'ready' );
</span><span class="cx"> 
</span><span class="cx">                 /* Custom Backgrounds */
</span></span></pre></div>
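Review bot: The `preview.bind( 'active', … )` handler depends on api.settings.nonce being present only when the server decided a refresh is due (the manager populates it when its nonce tick is 2), but nothing in this file says so; a one-line comment spares the next reader a trip to the PHP: `// api.settings.nonce is only set when the server wants the controls frame to pick up fresh nonces.` The `})` → `});` change above it is a genuine missing-semicolon fix and deserves no further comment. The enclosing function starts and ends outside the hunk.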
<a id="trunkwploginphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-login.php (21134 => 21135)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-login.php        2012-06-26 06:28:59 UTC (rev 21134)
+++ trunk/wp-login.php        2012-06-26 18:48:18 UTC (rev 21135)
</span><span class="lines">@@ -39,7 +39,7 @@
</span><span class="cx">  * @param WP_Error $wp_error Optional. WordPress Error Object
</span><span class="cx">  */
</span><span class="cx"> function login_header($title = 'Log In', $message = '', $wp_error = '') {
</span><del>-        global $error, $interim_login, $current_site, $customize_login;
</del><ins>+        global $error, $interim_login, $current_site;
</ins><span class="cx"> 
</span><span class="cx">         // Don't index any of these forms
</span><span class="cx">         add_action( 'login_head', 'wp_no_robots' );
</span><span class="lines">@@ -68,9 +68,6 @@
</span><span class="cx">                 &lt;meta name=&quot;viewport&quot; content=&quot;width=320; initial-scale=0.9; maximum-scale=1.0; user-scalable=0;&quot; /&gt;&lt;?php
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        if ( $customize_login )
-                wp_enqueue_script( 'customize-base' );
-
</del><span class="cx">         do_action( 'login_enqueue_scripts' );
</span><span class="cx">         do_action( 'login_head' );
</span><span class="cx"> 
</span><span class="lines">@@ -568,6 +565,8 @@
</span><span class="cx">         $secure_cookie = '';
</span><span class="cx">         $interim_login = isset($_REQUEST['interim-login']);
</span><span class="cx">         $customize_login = isset( $_REQUEST['customize-login'] );
</span><ins>+        if ( $customize_login )
+                wp_enqueue_script( 'customize-base' );
</ins><span class="cx"> 
</span><span class="cx">         // If the user wants ssl but the session is not ssl, force a secure cookie.
</span><span class="cx">         if ( !empty($_POST['log']) &amp;&amp; !force_ssl_admin() ) {
</span><span class="lines">@@ -604,21 +603,18 @@
</span><span class="cx">         if ( !is_wp_error($user) &amp;&amp; !$reauth ) {
</span><span class="cx">                 if ( $interim_login ) {
</span><span class="cx">                         $message = '&lt;p class=&quot;message&quot;&gt;' . __('You have logged in successfully.') . '&lt;/p&gt;';
</span><del>-                        login_header( '', $message );
</del><ins>+                        login_header( '', $message ); ?&gt;
</ins><span class="cx"> 
</span><del>-                        if ( ! $customize_login ) : ?&gt;
-                                &lt;script type=&quot;text/javascript&quot;&gt;setTimeout( function(){window.close()}, 8000);&lt;/script&gt;
-                                &lt;p class=&quot;alignright&quot;&gt;
-                                &lt;input type=&quot;button&quot; class=&quot;button-primary&quot; value=&quot;&lt;?php esc_attr_e('Close'); ?&gt;&quot; onclick=&quot;window.close()&quot; /&gt;&lt;/p&gt;
-&lt;?php                endif;
-
-                        ?&gt;&lt;/div&gt;&lt;?php
-
-                        do_action('login_footer');
-
-                        if ( $customize_login ) : ?&gt;
</del><ins>+                        &lt;?php if ( ! $customize_login ) : ?&gt;
+                        &lt;script type=&quot;text/javascript&quot;&gt;setTimeout( function(){window.close()}, 8000);&lt;/script&gt;
+                        &lt;p class=&quot;alignright&quot;&gt;
+                        &lt;input type=&quot;button&quot; class=&quot;button-primary&quot; value=&quot;&lt;?php esc_attr_e('Close'); ?&gt;&quot; onclick=&quot;window.close()&quot; /&gt;&lt;/p&gt;
+                        &lt;?php endif; ?&gt;
+                        &lt;/div&gt;
+                        &lt;?php do_action( 'login_footer' ); ?&gt;
+                        &lt;?php if ( $customize_login ) : ?&gt;
</ins><span class="cx">                                 &lt;script type=&quot;text/javascript&quot;&gt;setTimeout( function(){ new wp.customize.Messenger({ url: '&lt;?php echo wp_customize_url(); ?&gt;', channel: 'login' }).send('login') }, 1000 );&lt;/script&gt;
</span><del>-&lt;?php                endif; ?&gt;
</del><ins>+                        &lt;?php endif; ?&gt;
</ins><span class="cx">                         &lt;/body&gt;&lt;/html&gt;
</span><span class="cx"> &lt;?php                exit;
</span><span class="cx">                 }
</span></span></pre>
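Review bot: The relocated `if ( $customize_login ) wp_enqueue_script( 'customize-base' );` now runs in the main request flow for every action wp-login.php handles whenever the customize-login parameter is present, rather than only when login_header() renders a page; harmless for an enqueue, but the motive is not in the log message, so a comment would help: `// Enqueue here rather than in login_header() so the interim-login response below can load the Messenger.` In the reworked interim-login block the messenger URL is still echoed raw into a single-quoted JS string (`url: '<?php echo wp_customize_url(); ?>'`); that line is unchanged context, but since the block was rewritten anyway, passing the value through esc_js() would make the script-context escaping explicit rather than relying on the URL never containing a quote. The code enclosing the last two hunks begins and ends outside them.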
</div>
</div>

</body>
</html>