Add cache page GET nonces

john-shaffer · john-shaffer · commit a9c597d3796f · 2025-10-23T13:32:47.000-05:00
Add nonces for GET requests to cache pages in WP.org
build. These don't serve any security purpose, but
are required by WP.org.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,9 @@
   "Crawled Files" page with less detail.
 - Improve consistency and screen reader text on
   admin cache pages.
+- Add nonces for GET requests to cache pages in WP.org
+  build. These don't serve any security purpose, but
+  are required by WP.org.
 
 ## 9.4.1 (2025-10-20)
 
diff --git a/src/Controller.php b/src/Controller.php
@@ -286,7 +286,14 @@ public static function adminDetectedFilesDelete(): void {
     public static function adminDetectedFilesShow(): void {
         check_admin_referer( self::getHookName( 'caches_page' ) );
 
-        wp_safe_redirect( self::getAdminUrl( 'detected_files' ) );
+        $nonce = filter_input(
+            INPUT_POST,
+            '_wpnonce',
+            FILTER_SANITIZE_URL,
+        );
+        $admin_url = self::getAdminUrl( 'detected_files' ) . '&_wpnonce=' . $nonce;
+
+        wp_safe_redirect( $admin_url );
         exit;
     }
 
@@ -357,7 +364,12 @@ public static function adminDeployCacheShow(): void {
                 FILTER_SANITIZE_URL,
             )
         );
-        $admin_url = self::getAdminUrl( 'deploy_cache' );
+        $nonce = filter_input(
+            INPUT_POST,
+            '_wpnonce',
+            FILTER_SANITIZE_URL,
+        );
+        $admin_url = self::getAdminUrl( 'deploy_cache' ) . '&_wpnonce=' . $nonce;
         if ( $deploy_namespace !== '' ) {
             wp_safe_redirect(
                 $admin_url . '&deploy_namespace=' . urlencode( $deploy_namespace )
@@ -381,7 +393,14 @@ public static function adminCrawledFilesDelete(): void {
     public static function adminCrawledFilesShow(): void {
         check_admin_referer( self::getHookName( 'caches_page' ) );
 
-        wp_safe_redirect( self::getAdminUrl( 'crawled_files' ) );
+        $nonce = filter_input(
+            INPUT_POST,
+            '_wpnonce',
+            FILTER_SANITIZE_URL,
+        );
+        $admin_url = self::getAdminUrl( 'crawled_files' ) . '&_wpnonce=' . $nonce;
+
+        wp_safe_redirect( $admin_url );
         exit;
     }
 
@@ -397,7 +416,14 @@ public static function adminPostProcessedSiteDelete(): void {
     public static function adminPostProcessedSiteShow(): void {
         check_admin_referer( self::getHookName( 'caches_page' ) );
 
-        wp_safe_redirect( self::getAdminUrl( 'post_processed_site' ) );
+        $nonce = filter_input(
+            INPUT_POST,
+            '_wpnonce',
+            FILTER_SANITIZE_URL,
+        );
+        $admin_url = self::getAdminUrl( 'post_processed_site' ) . '&_wpnonce=' . $nonce;
+
+        wp_safe_redirect( $admin_url );
         exit;
     }
 
diff --git a/src/ViewRenderer.php b/src/ViewRenderer.php
@@ -68,6 +68,20 @@ public static function renderDetectedFiles(): void {
             die( 'Forbidden' );
         }
 
+        if ( defined( 'STATIC_DEPLOY_WP_ORG_MODE' )
+            && STATIC_DEPLOY_WP_ORG_MODE
+        && ! wp_verify_nonce(
+            filter_input(
+                INPUT_GET,
+                '_wpnonce',
+                FILTER_SANITIZE_URL
+            ),
+            Controller::getHookName( 'caches_page' )
+        )
+        ) {
+            wp_die( 'Invalid nonce' );
+        }
+
         $action = filter_input( INPUT_GET, 'action', FILTER_SANITIZE_URL );
         /**
          * @var string[] $url_id
@@ -121,6 +135,20 @@ public static function renderCrawledFiles(): void {
             die( 'Forbidden' );
         }
 
+        if ( defined( 'STATIC_DEPLOY_WP_ORG_MODE' )
+            && STATIC_DEPLOY_WP_ORG_MODE
+        && ! wp_verify_nonce(
+            filter_input(
+                INPUT_GET,
+                '_wpnonce',
+                FILTER_SANITIZE_URL
+            ),
+            Controller::getHookName( 'caches_page' )
+        )
+        ) {
+            wp_die( 'Invalid nonce' );
+        }
+
         $action = filter_input( INPUT_GET, 'action', FILTER_SANITIZE_URL );
         /**
          * @var string[] $url_id
@@ -176,6 +204,20 @@ public static function renderPostProcessedSitePaths(): void {
             die( 'Forbidden' );
         }
 
+        if ( defined( 'STATIC_DEPLOY_WP_ORG_MODE' )
+            && STATIC_DEPLOY_WP_ORG_MODE
+        && ! wp_verify_nonce(
+            filter_input(
+                INPUT_GET,
+                '_wpnonce',
+                FILTER_SANITIZE_URL
+            ),
+            Controller::getHookName( 'caches_page' )
+        )
+        ) {
+            wp_die( 'Invalid nonce' );
+        }
+
         $paths = ProcessedSite::getPaths();
 
         // Apply search
@@ -220,6 +262,20 @@ public static function renderDeployCache(): void {
             die( 'Forbidden' );
         }
 
+        if ( defined( 'STATIC_DEPLOY_WP_ORG_MODE' )
+            && STATIC_DEPLOY_WP_ORG_MODE
+        && ! wp_verify_nonce(
+            filter_input(
+                INPUT_GET,
+                '_wpnonce',
+                FILTER_SANITIZE_URL
+            ),
+            Controller::getHookName( 'caches_page' )
+        )
+        ) {
+            wp_die( 'Invalid nonce' );
+        }
+
         $deploy_namespace = strval(
             filter_input(
                 INPUT_GET,
diff --git a/views/caches-page.php b/views/caches-page.php
@@ -8,6 +8,7 @@
 }
 
 use StaticDeploy\Controller;
+use StaticDeploy\URLHelper;
 
 /**
  * @var mixed[] $view
@@ -67,6 +68,11 @@
     }'
 );
 
+$uri = URLHelper::getCurrent();
+if ( defined( 'STATIC_DEPLOY_WP_ORG_MODE' ) && STATIC_DEPLOY_WP_ORG_MODE ) {
+    $uri = URLHelper::modifyUrl( [ '_wpnonce' => wp_create_nonce( strval( $view['nonce_action'] ) ) ], $uri );
+}
+
 ?>
 
 <div class="wrap">
diff --git a/views/files-paginated-page.php b/views/files-paginated-page.php
@@ -7,6 +7,7 @@
     exit;
 }
 
+use StaticDeploy\Controller;
 use StaticDeploy\URLHelper;
 
 /**
@@ -43,6 +44,12 @@
  */
 $paginator_last_page = $view['paginatorLastPage'];
 
+$uri = URLHelper::getCurrent();
+if ( defined( 'STATIC_DEPLOY_WP_ORG_MODE' ) && STATIC_DEPLOY_WP_ORG_MODE ) {
+    $nonce = wp_create_nonce( Controller::getHookName( 'caches_page' ) );
+    $uri = URLHelper::modifyUrl( [ '_wpnonce' => $nonce ], $uri );
+}
+
 ?>
 
 <div class="wrap">
@@ -77,8 +84,8 @@
                         <span class="tablenav-pages-navspan button disabled" aria-hidden="true">«</span>
                         <span class="tablenav-pages-navspan button disabled" aria-hidden="true">‹</span>
                     <?php else : ?>
-                        <a class="first-page button" href="<?php echo esc_url( URLHelper::modifyUrl( [ 'paged' => 1 ] ) ); ?>"><span class="screen-reader-text">First page</span><span aria-hidden="true">«</span></a>
-                        <a class="prev-page button" href="<?php echo esc_url( URLHelper::modifyUrl( [ 'paged' => $paginator_page - 1 ] ) ); ?>"><span class="screen-reader-text">Previous page</span><span aria-hidden="true">‹</span></a>
+                        <a class="first-page button" href="<?php echo esc_url( URLHelper::modifyUrl( [ 'paged' => 1 ], $uri ) ); ?>"><span class="screen-reader-text">First page</span><span aria-hidden="true">«</span></a>
+                        <a class="prev-page button" href="<?php echo esc_url( URLHelper::modifyUrl( [ 'paged' => $paginator_page - 1 ], $uri ) ); ?>"><span class="screen-reader-text">Previous page</span><span aria-hidden="true">‹</span></a>
                     <?php endif; ?>
                     <span class="paging-input">
                         <label for="current-page-selector" class="screen-reader-text">Current Page</label>
@@ -91,8 +98,8 @@
                         <span class="tablenav-pages-navspan button disabled" aria-hidden="true">›</span>
                         <span class="tablenav-pages-navspan button disabled" aria-hidden="true">»</span>
                     <?php else : ?>
-                        <a class="next-page button" href="<?php echo esc_url( URLHelper::modifyUrl( [ 'paged' => $paginator_page + 1 ] ) ); ?>"><span class="screen-reader-text">Next page</span><span aria-hidden="true">›</span></a>
-                        <a class="last-page button" href="<?php echo esc_url( URLHelper::modifyUrl( [ 'paged' => $paginator_last_page ] ) ); ?>"><span class="screen-reader-text">Last page</span><span aria-hidden="true">»</span></a>
+                        <a class="next-page button" href="<?php echo esc_url( URLHelper::modifyUrl( [ 'paged' => $paginator_page + 1 ], $uri ) ); ?>"><span class="screen-reader-text">Next page</span><span aria-hidden="true">›</span></a>
+                        <a class="last-page button" href="<?php echo esc_url( URLHelper::modifyUrl( [ 'paged' => $paginator_last_page ], $uri ) ); ?>"><span class="screen-reader-text">Last page</span><span aria-hidden="true">»</span></a>
                     <?php endif; ?>
                 </span>
             </div>
