[wp-hackers] Any other way to do it? (or,
do we really need Nonces?)
Scott Yang
scott.yang at gmail.com
Fri Mar 2 05:59:26 GMT 2007
On 3/2/07, Robert Deaton <false.hopes at gmail.com> wrote:
> > Can't we have some sort of JavaScript action that will load the
> > comment/post ID into a POST form and submit it automagically?
>
> No, it doesn't peacefully degrade for user agents without JS or with
> JS disabled.
Nor does POST *without* nonce protect you from XSS because people can
always set up hidden forms posting to your WP installation in a hidden
frame automatically using Javascript on their own site.
--
Scott Yang <scott.yang at gmail.com>
More information about the wp-hackers
mailing list