by golden_apples
5161 days ago
Nonces, used properly, should be fairly decent protection against the kind of CSRF attack you're describing. They're not bulletproof, but someone who knows enough about the internals of your site to generate a valid nonce probably has several other possible attack vectors... I haven't looked at the actual theme in question, but I can imagine that a lot of Woo clientele want to be able to preview their posts with all the shortcodes intact, which is what this function does, and why it has to receive shortcode data through a request parameter.
There's surely a better way to do it without accepting code via the query string. Keep the code on the server and have that function only refer to an index or something perhaps?