Add additional check for bulk edit nonce.

hofmannsven · hofmannsven · commit 8efdef66e5ac · 2025-02-12T22:44:02.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,12 +2,16 @@
 
 Notable changes and release notes of the Mark Posts WordPress plugin.
 
+## 2.2.6
+* Fixes a bug where the bulk edit nonce is not set
+  Thanks to René Eger for finding and reporting the issue
+
 ## 2.2.5
 * Adds additional user capability checks (quick edit and bulk edit)
 * Adds Laravel Pint code style fixer as a developer dependency
 
 ## 2.2.4
-* Adds support for the [WordPress playground](https://playground.wordpress.net/?plugin=mark-posts)
+* Adds support for the [WordPress playground](https://playground.wordpress.net/?blueprint-url=https://raw.githubusercontent.com/hofmannsven/mark-posts/master/.wordpress-org/blueprint.json)
 * Hides new internal post types by default
 * Fixes broken access control vulnerability
   Thanks @truonghuuphuc for discovering and responsibly disclosing this vulnerability
diff --git a/README.md b/README.md
@@ -17,6 +17,10 @@ Mark Posts plugin provides an easy way to mark and highlight posts, pages and po
 * Dashboard widget with marker status count
 * Optional custom setup via filters (check our [wiki](https://github.com/hofmannsven/mark-posts/wiki) for instructions)
 
+## Live Demo
+
+Try out the features of Mark Posts on the [WordPress playground](https://playground.wordpress.net/?blueprint-url=https://raw.githubusercontent.com/hofmannsven/mark-posts/master/.wordpress-org/blueprint.json).
+
 ## Looking ahead
 
 Check our [roadmap](https://github.com/hofmannsven/mark-posts/projects/1) for planned tasks and active issues regarding the further development of the plugin.
@@ -63,9 +67,13 @@ Please read the [changelog](CHANGELOG.md) for more information about what has ch
 
 Please read the [contribution guidelines](CONTRIBUTING.md) for details.
 
+## Translation
+
+If you'd like to help translate this plugin, you can do so on [WordPress Translate](https://translate.wordpress.org/projects/wp-plugins/mark-posts/).
+
 ## Support
 
-Always feel free to [raise an issue](https://github.com/hofmannsven/mark-posts/issues) on GitHub.
+Active development of this plugin is handled on GitHub. Always feel free to [raise an issue](https://github.com/hofmannsven/mark-posts/issues).
 
 ## Security
 
diff --git a/README.txt b/README.txt
@@ -1,10 +1,10 @@
 === Mark Posts ===
-Contributors: hofmannsven, flymke
+Contributors: hofmannsven
 Tags: highlight, color, status, tag, featured
 Requires at least: 4.1
 Tested up to: 6.7
 Requires PHP: 7.0
-Stable tag: 2.2.5
+Stable tag: 2.2.6
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.txt
 
@@ -23,6 +23,10 @@ Mark Posts plugin provides an easy way to mark and highlight posts, pages and po
 * Dashboard widget with marker status count
 * Optional custom setup via filters (check our [wiki](https://github.com/hofmannsven/mark-posts/wiki) for instructions)
 
+= Live Demo =
+
+Try out the features of Mark Posts on the [WordPress playground](https://playground.wordpress.net/?blueprint-url=https://raw.githubusercontent.com/hofmannsven/mark-posts/master/.wordpress-org/blueprint.json).
+
 == Installation ==
 
 = Requirements =
@@ -51,7 +55,7 @@ Using the latest version of WordPress and PHP is highly recommended.
 
 == Support ==
 
-Always feel free to [raise an issue](https://github.com/hofmannsven/mark-posts/issues) on GitHub.
+Active development of this plugin is handled on GitHub. Always feel free to [raise an issue](https://github.com/hofmannsven/mark-posts/issues).
 
 == Frequently Asked Questions ==
 
@@ -81,7 +85,7 @@ Always feel free to [raise an issue](https://github.com/hofmannsven/mark-posts/i
 
 = Where can I get more information and support for this plugin? =
 
-Visit [Mark Posts on Github](https://github.com/hofmannsven/mark-posts).
+Visit [Mark Posts on GitHub](https://github.com/hofmannsven/mark-posts).
 
 == Screenshots ==
 
@@ -93,12 +97,16 @@ Visit [Mark Posts on Github](https://github.com/hofmannsven/mark-posts).
 
 == Changelog ==
 
+= 2.2.6 =
+* Fixes a bug where the bulk edit nonce is not set
+  Thanks to René Eger for finding and reporting the issue
+
 = 2.2.5 =
 * Adds additional user capability checks (quick edit and bulk edit)
 * Adds Laravel Pint code style fixer as a developer dependency
 
 = 2.2.4 =
-* Adds support for the [WordPress playground](https://playground.wordpress.net/?plugin=mark-posts)
+* Adds support for the [WordPress playground](https://playground.wordpress.net/?blueprint-url=https://raw.githubusercontent.com/hofmannsven/mark-posts/master/.wordpress-org/blueprint.json)
 * Hides new internal post types by default
 * Fixes broken access control vulnerability
   Thanks @truonghuuphuc for discovering and responsibly disclosing this vulnerability
@@ -131,21 +139,5 @@ Visit [Mark Posts on Github](https://github.com/hofmannsven/mark-posts).
 * Breaking change: Markers are no longer public by default
 * Adds [`mark_posts_taxonomy_args`](https://github.com/hofmannsven/mark-posts/wiki/Custom-Marker-Taxonomy-Arguments) filter
 
-= 1.2.4 =
-* Fixes a bug with WordPress 5.5.1
-
-= 1.2.3 =
-* Excludes specific internal plugin post types per default
-
-= 1.2.2 =
-* Sets the minimum required PHP version to PHP 7.0
-
-= 1.2.1 =
-* Excludes internal post types per default
-* Adds [`mark_posts_excluded_post_types`](https://github.com/hofmannsven/mark-posts/wiki/Reset-Custom-Post-Types) filter
-
-= 1.2.0 =
-* Migrates GitHub repository to [hofmannsven/mark-posts](https://github.com/hofmannsven/mark-posts)
-* Adds Composer support
-
-Check our [changelog](https://github.com/hofmannsven/mark-posts/blob/master/CHANGELOG.md) for previous releases.
+= Earlier versions =
+Check out our [full changelog](https://github.com/hofmannsven/mark-posts/blob/master/CHANGELOG.md) for previous releases
diff --git a/admin/class-mark-posts-admin.php b/admin/class-mark-posts-admin.php
@@ -418,12 +418,11 @@ public function mark_posts_display_quickedit_box(string $column_name)
      * Save quick edit.
      *
      * @param  int  $post_id  ID of the post e.g. '1'
-     * @param  WP_Post  $post  Information about the post e.g. 'post_type'
      * @return void
      *
      * @since 1.0.0
      */
-    public function mark_posts_save_quick_edit(int $post_id, WP_Post $post)
+    public function mark_posts_save_quick_edit(int $post_id)
     {
         // Pointless if $_POST is empty (this happens on bulk edit).
         if (empty($_POST)) {
@@ -440,13 +439,13 @@ public function mark_posts_save_quick_edit(int $post_id, WP_Post $post)
             return;
         }
 
-        // Don't mark_posts_save for autosave.
+        // Skip autosave.
         if (defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) {
             return;
         }
 
-        // Don't mark_posts_save for revisions.
-        if (isset($post->post_type) && $post->post_type === 'revision') {
+        // Skip revisions.
+        if (wp_is_post_revision($post_id)) {
             return;
         }
 
@@ -480,7 +479,7 @@ public function mark_posts_save_quick_edit(int $post_id, WP_Post $post)
     public function mark_posts_save_bulk_edit(int $post_id)
     {
         // Verify bulk edit nonce.
-        if (! wp_verify_nonce($_REQUEST['_wpnonce'], 'bulk-posts')) {
+        if (! isset($_REQUEST['_wpnonce']) || ! wp_verify_nonce($_REQUEST['_wpnonce'], 'bulk-posts')) {
             return;
         }
 
@@ -489,6 +488,16 @@ public function mark_posts_save_bulk_edit(int $post_id)
             return;
         }
 
+        // Skip autosave.
+        if (defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) {
+            return;
+        }
+
+        // Skip revisions.
+        if (wp_is_post_revision($post_id)) {
+            return;
+        }
+
         // Get selected marker ID.
         $marker_id = (int) ! empty($_REQUEST['mark_posts_term_id']) ? $_REQUEST['mark_posts_term_id'] : 0;
 
diff --git a/admin/views/admin.php b/admin/views/admin.php
@@ -373,8 +373,8 @@ function mark_posts_show_settings()
     <div class="mark-posts-copy">
         <hr/>
         Mark Posts | Version: <?php echo WP_MARK_POSTS_VERSION; ?> | &copy; <?php echo date('Y'); ?>
-        <a href="http://www.aliquit.de" target="_blank">Michael Schoenrock</a>,
-        <a href="https://hofmannsven.com" target="_blank">Sven Hofmann</a>
+        <a href="http://www.aliquit.de" target="_blank" rel="noopener">Michael Schoenrock</a>,
+        <a href="https://hofmannsven.com" target="_blank" rel="noopener">Sven Hofmann</a>
     </div>
 
 </div>
diff --git a/mark-posts.php b/mark-posts.php
@@ -4,15 +4,14 @@
  * Plugin Name:     Mark Posts
  * Description:     Mark and highlight posts, pages and posts of custom post types within the posts overview.
  * Plugin URI:      https://wordpress.org/plugins/mark-posts
- * Version:         2.2.5
+ * Version:         2.2.6
  * Author:          Sven Hofmann & Michael Schoenrock
  * Author URI:      https://hofmannsven.com
  * Contributor:     Michael Schoenrock
  * Contributor URI: https://www.halloecho.de
  * License:         GPL-2.0+
  * License URI:     https://www.gnu.org/licenses/gpl-2.0.txt
  * Text Domain:     mark-posts
- * GitHub URI:      https://github.com/hofmannsven/mark-posts
  */
 
 // If this file is called directly, abort.
@@ -29,7 +28,7 @@
  *
  */
 if (! defined('WP_MARK_POSTS_VERSION')) {
-    define('WP_MARK_POSTS_VERSION', '2.2.5');
+    define('WP_MARK_POSTS_VERSION', '2.2.6');
 }
 
 /*

Original file line number	Diff line number	Diff line change
`@@ -418,12 +418,11 @@ public function mark_posts_display_quickedit_box(string $column_name)`
`418`	`418`	`* Save quick edit.`
`419`	`419`	`*`
`420`	`420`	`* @param int $post_id ID of the post e.g. '1'`
`421`		`- * @param WP_Post $post Information about the post e.g. 'post_type'`
`422`	`421`	`* @return void`
`423`	`422`	`*`
`424`	`423`	`* @since 1.0.0`
`425`	`424`	`*/`
`426`		`- public function mark_posts_save_quick_edit(int $post_id, WP_Post $post)`
	`425`	`+ public function mark_posts_save_quick_edit(int $post_id)`
`427`	`426`	`{`
`428`	`427`	`// Pointless if $_POST is empty (this happens on bulk edit).`
`429`	`428`	`if (empty($_POST)) {`
`@@ -440,13 +439,13 @@ public function mark_posts_save_quick_edit(int $post_id, WP_Post $post)`
`440`	`439`	`return;`
`441`	`440`	`}`
`442`	`441`
`443`		`- // Don't mark_posts_save for autosave.`
	`442`	`+ // Skip autosave.`
`444`	`443`	`if (defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) {`
`445`	`444`	`return;`
`446`	`445`	`}`
`447`	`446`
`448`		`- // Don't mark_posts_save for revisions.`
`449`		`- if (isset($post->post_type) && $post->post_type === 'revision') {`
	`447`	`+ // Skip revisions.`
	`448`	`+ if (wp_is_post_revision($post_id)) {`
`450`	`449`	`return;`
`451`	`450`	`}`
`452`	`451`
`@@ -480,7 +479,7 @@ public function mark_posts_save_quick_edit(int $post_id, WP_Post $post)`
`480`	`479`	`public function mark_posts_save_bulk_edit(int $post_id)`
`481`	`480`	`{`
`482`	`481`	`// Verify bulk edit nonce.`
`483`		`- if (! wp_verify_nonce($_REQUEST['_wpnonce'], 'bulk-posts')) {`
	`482`	`+ if (! isset($_REQUEST['_wpnonce']) \|\| ! wp_verify_nonce($_REQUEST['_wpnonce'], 'bulk-posts')) {`
`484`	`483`	`return;`
`485`	`484`	`}`
`486`	`485`
`@@ -489,6 +488,16 @@ public function mark_posts_save_bulk_edit(int $post_id)`
`489`	`488`	`return;`
`490`	`489`	`}`
`491`	`490`
	`491`	`+ // Skip autosave.`
	`492`	`+ if (defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) {`
	`493`	`+ return;`
	`494`	`+ }`
	`495`	`+`
	`496`	`+ // Skip revisions.`
	`497`	`+ if (wp_is_post_revision($post_id)) {`
	`498`	`+ return;`
	`499`	`+ }`
	`500`	`+`
`492`	`501`	`// Get selected marker ID.`
`493`	`502`	`$marker_id = (int) ! empty($_REQUEST['mark_posts_term_id']) ? $_REQUEST['mark_posts_term_id'] : 0;`
`494`	`503`