Merge pull request #1162 from Codeinwp/bugfix/pro/939

refactor: generate nonce based on feed url

Author: vytisbulkevicius

includes/abstract/feedzy-rss-feeds-admin-abstract.php

@@ -454,6 +454,10 @@ public function feedzy_rss( $atts, $content = '' ) {
 			} else {
 				$attributes .= 'data-has_valid_cache="true"';
 			}
+
+			// Add nonce based on feed url.
+			$attributes .= 'data-nonce="' . esc_attr( wp_create_nonce( $feed_url ) ) . '"';
+
 			$class = array_filter( apply_filters( 'feedzy_add_classes_block', array( $sc['classname'], 'feedzy-' . md5( is_array( $feed_url ) ? implode( ',', $feed_url ) : $feed_url ) ), $sc, null, $feed_url ) );
 			$html  = "<div class='feedzy-lazy' $attributes>";
 			$html .= "$content</div>";
@@ -552,6 +556,11 @@ public function feedzy_lazy_load( $data ) {
 		$atts     = $data['args'];
 		$sc       = $this->get_short_code_attributes( $atts );
 		$feed_url = $this->normalize_urls( $sc['feeds'] );
+		$nonce    = isset( $atts['nonce'] ) ? $atts['nonce'] : '';
+
+		if ( ! wp_verify_nonce( $nonce, $feed_url ) ) {
+			wp_send_json_error( array( 'message' => __( 'Security check failed.', 'feedzy-rss-feeds' ) ) );
+		}
 
 		if ( isset( $sc['filters'] ) && ! empty( $sc['filters'] ) && feedzy_is_pro() ) {
 			$sc['filters'] = apply_filters( 'feedzy_filter_conditions_attribute', $sc['filters'] );

js/feedzy-lazy.js

@@ -40,6 +40,8 @@
                 success: function(data){
                     if(data.success){
                         $feedzy_block.empty().append(data.data.content);
+                    } else {
+                        $feedzy_block.empty().append(data.data.message);
                     }
                 },
                 complete: function(){