From 2889ba33e29614b070fb641d87ec9be632e2bd48 Mon Sep 17 00:00:00 2001
From: David Walsh
Date: Wed, 9 Mar 2016 12:35:04 -0600
Subject: [PATCH] Add nonce to admin save
---
 wp-offline-shell/wp-offline-shell-admin.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/wp-offline-shell/wp-offline-shell-admin.php b/wp-offline-shell/wp-offline-shell-admin.php
index d6c3833..9a3a91a 100644
--- a/wp-offline-shell/wp-offline-shell-admin.php
+++ b/wp-offline-shell/wp-offline-shell-admin.php
@@ -22,8 +22,9 @@ class Offline_Shell_Admin {
 public function get_files_ajax() {
 // If they've asked for files, just output the file HTML
 if(isset($_POST['data']) && $_POST['data'] === 'files') {
- echo $this->options_files();
+ $this->options_files();
 }
+ exit();
 }
 
 public function process_options() {
@@ -31,6 +32,9 @@ class Offline_Shell_Admin {
 return false;
 }
 
+ // Check nonce to avoid hacks
+ check_admin_referer('offline-shell-admin');
+
 // Update "enabled" status
 update_option('offline_shell_enabled', isset($_POST['offline_shell_enabled']) ? intval($_POST['offline_shell_enabled']) : 0);
 
@@ -188,6 +192,7 @@ class Offline_Shell_Admin {
+
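Review bot: `get_files_ajax()` still reads `$_POST['data']` and emits the file listing with no nonce or capability check, while this commit adds `check_admin_referer()` only to `process_options()`; if the handler is registered via `wp_ajax_*`, any logged-in user (or anyone, under `wp_ajax_nopriv_*`) can invoke it. Add at the top of the method `check_ajax_referer('offline-shell-admin'); if (!current_user_can('manage_options')) { wp_send_json_error(null, 403); }` and send the nonce with the AJAX request. The hook registration is outside the hunk, so confirm which action names it uses before relying on the login requirement. WordPress AJAX handlers also conventionally end with `wp_die()` rather than `exit()` so the AJAX die handler and shutdown hooks run, and dropping the `echo` is only correct if `options_files()` now prints instead of returning, which is not visible here.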
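Review bot: `check_admin_referer('offline-shell-admin')` dies on failure, so it must run only after the `return false` guard above has confirmed a real submission of this form; that guard's condition is outside the hunk, and if `process_options()` is hooked to `admin_init` for every request the nonce check would abort unrelated admin pages. The nonce only proves the form was rendered for this user, not that the user may change settings, so keep or add a `current_user_can('manage_options')` check next to it. The matching `wp_nonce_field('offline-shell-admin')` must be emitted in the form under the default `_wpnonce` name; the third hunk may add it, but its content is cut off in this view. The comment is vague; prefer `// Verify the settings-form nonce (wp_nonce_field('offline-shell-admin') in the form); dies on mismatch.`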