[wp-hackers] Any other way to do it? (or, do we really need
jeremy.visser at gmail.com
Sat Mar 3 03:30:21 GMT 2007
Elliotte Harold wrote:
> We've been down this road before. Believe it or not the answer seems to
> be so WP can style the buttons and links a certain way, nothing more.

This sounds like a _really_ bad reason to do so. (Perhaps even against

It is really not hard to style a <button> or <input> like a link:

input[type=submit], input[type=button], input[type=reset],

> It really is broken, and is going to continue to be a cause of security
> holes, but I have personally despaired of this being fixed short of a fork.

It is not going to eliminate security holes. Even on POST forms, you
still need the nonce:

<input type="hidden" name="nonce" value="_deadbeef" />

But with the POST forms, at least it stops a rogue prefetching program
like Google Web Accelerator from randomly deleting posts/comments.

Well, I have to admit GWA isn't a problem anymore, as it's hardcoded not
to prefetch links that contain a '?' in them. Apparently, Backpack users
complained of things disappearing by themselves, and they narrowed down
the cause to GWA.
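
The two checks discussed in the message above (refuse destructive actions over GET, and still require the nonce on POST), as an added example that is not part of the original post and is not WordPress's own code. The function names, the HMAC-based token scheme, the lifetime and the sample values are assumptions made for illustration; only the hidden field name "nonce" comes from the message.

```php
<?php
// Added example: hypothetical helpers, not WordPress's own nonce API.
const NONCE_LIFETIME = 3600; // assumed validity window, in seconds

// Token = HMAC over time window, user and action, keyed with a server secret.
function make_nonce(string $secret, int $userId, string $action, ?int $now = null): string
{
    $tick = intdiv($now ?? time(), NONCE_LIFETIME);
    return hash_hmac('sha256', "$tick|$userId|$action", $secret);
}

function verify_nonce(string $secret, int $userId, string $action, string $nonce, ?int $now = null): bool
{
    $now = $now ?? time();
    // Accept the current and the previous window, so a form rendered
    // just before a window boundary can still be submitted.
    foreach ([0, NONCE_LIFETIME] as $age) {
        if (hash_equals(make_nonce($secret, $userId, $action, $now - $age), $nonce)) {
            return true;
        }
    }
    return false;
}

// Returns the HTTP status the delete endpoint would answer with.
function handle_delete(string $method, array $post, string $secret, int $userId, int $postId): int
{
    if ($method !== 'POST') {
        return 405; // a prefetcher following a link sends GET: refused
    }
    $nonce = $post['nonce'] ?? '';
    if (!is_string($nonce) || !verify_nonce($secret, $userId, "delete-post_$postId", $nonce)) {
        return 403; // a POST without a token bound to this user and action: refused
    }
    // The actual deletion would run here.
    return 200;
}

// Constructed sample values.
$secret = 'constructed-sample-secret';
$good   = make_nonce($secret, 1, 'delete-post_42');

echo handle_delete('GET',  ['nonce' => $good], $secret, 1, 42), "\n"; // GET, valid token
echo handle_delete('POST', [],                 $secret, 1, 42), "\n"; // POST, no token
echo handle_delete('POST', ['nonce' => $good], $secret, 1, 42), "\n"; // POST, valid token
echo handle_delete('POST', ['nonce' => $good], $secret, 1, 43), "\n"; // token reused for another post
```

The method check is what keeps a link-following prefetcher from triggering the action; the nonce check is what keeps a form on another site from doing so with the logged-in user's cookies.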