Feature gettext #4
Merged
Conversation
Contributor
Thanks! Have merged it with a few minor tweaks. You will need to update your translation as some strings have changed (I removed some URLs from translation).
alimuzzaman added a commit that referenced this pull request on Mar 29, 2026
Replace Referer-based AJAX context check with capability-based check. Sub-site admins could forge the Referer header to gain network-admin privileges in AJAX handlers. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
alimuzzaman added a commit that referenced this pull request on Mar 29, 2026
Fix #4 regression: WordPress is_network_admin() always returns false during AJAX, so the capability checks in disable_comments_settings() and delete_comments_settings() always fell back to manage_options, allowing site admins to still trigger network-wide operations. Also restores network-wide avatar management which was silently broken by the same regression (line 1269 branch never reached). Fix: read formArray before the capability check, derive context from the trusted-and-sanitized is_network_admin POST flag, and gate the avatar network loop on both the flag and manage_network_plugins. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
alimuzzaman added a commit that referenced this pull request on Mar 30, 2026
…S escape
- is_network_admin(): refactor to pure context detector — remove current_user_can() cap check, add is_multisite() guard, and add comment explaining callers are responsible for capability checks. Eliminates the HTTP Referer spoofing vector (issue #4).
- disable_comments_settings(): replace $formArray['is_network_admin'] with $this->is_network_admin() as the authoritative source for network-admin context, and guard update_site_option() for sitewide_settings behind the same check. Closes the POST-data privilege escalation vector (issue #1).
- delete_comments_settings(): replace !empty($formArray['is_network_admin']) with $this->is_network_admin() for the same reason (issue #1/#2).
- get_roles(): wrap translate_user_role() output in esc_html() so role names with HTML characters are entity-encoded before being JSON-encoded into the data-options attribute (issue #3 PHP layer).
- views/partials/_disable.php: wrap wp_json_encode($roles) in esc_attr() to prevent attribute-context injection even if a raw angle bracket slips through (issue #3 HTML attribute layer).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
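As an added illustration (not the disable-comments plugin's own code), the pattern the three commits above describe: an AJAX handler that lets request data choose the network-wide branch while the capability check keys off a context detector that is always false under admin-ajax, beside a version that ties the required capability to the scope actually being written. Function and option names are hypothetical, it assumes a WordPress multisite runtime for current_user_can(), is_multisite(), update_site_option() and the wp_send_json_* helpers, and field sanitization is left out to keep the contrast on the authorization check.

```php
<?php
// Added example, not the disable-comments plugin's code; function and option
// names are hypothetical. Assumes a WordPress multisite runtime.

// BEFORE: capability check and network-wide branch use different context
// sources. is_network_admin() is always false during admin-ajax, so only
// manage_options is ever required, yet the network-wide write is selected by
// a flag the client places in the POST body (or a forged Referer).
function dc_example_save_settings_vulnerable() {
    $cap = is_network_admin() ? 'manage_network_plugins' : 'manage_options';
    if ( ! current_user_can( $cap ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $form = wp_unslash( $_POST['data'] ?? array() );
    if ( ! empty( $form['is_network_admin'] ) ) {
        update_site_option( 'dc_example_settings', $form ); // network-wide
    } else {
        update_option( 'dc_example_settings', $form );
    }
    wp_send_json_success();
}

// AFTER: request data may only express which scope is wanted; the capability
// for that scope is checked right before the write, so a forged flag or
// Referer changes nothing for a user lacking manage_network_plugins.
function dc_example_save_settings_hardened() {
    $form          = wp_unslash( $_POST['data'] ?? array() );
    $wants_network = is_multisite() && ! empty( $form['is_network_admin'] );
    $required_cap  = $wants_network ? 'manage_network_plugins' : 'manage_options';
    if ( ! current_user_can( $required_cap ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( $wants_network ) {
        update_site_option( 'dc_example_settings', $form );
    } else {
        update_option( 'dc_example_settings', $form );
    }
    wp_send_json_success();
}

// Role names are HTML-escaped before JSON encoding, and the JSON is
// attribute-escaped when it lands in data-options="...": two layers, as in
// the last commit, so a stray angle bracket in either is neutralised.
function dc_example_role_options_attr( array $roles ) {
    $names = array();
    foreach ( $roles as $slug => $role ) {
        $names[ $slug ] = esc_html( translate_user_role( $role['name'] ) );
    }
    return esc_attr( wp_json_encode( $names ) );
}
```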
1st: gettext support
2nd: German translation (see: https://translate.foe-services.de/projects/disable-comments)
3rd: Link to GitHub repo on Plugins page