[wp-hackers] Rethinking check_admin_referer()

Ryan Boren ryan at boren.nu
Wed Apr 19 05:40:00 GMT 2006

Matt Mullenweg wrote:
> Our first and best line of defense is always going to be around how we 
> filter and display submitted HTML. This can also be easily tightened up 
> without compromising the user experience.

The sole benefit, as I see it, of a nonce/key is to avoid the user 
experience problems created by refer[r]er checks.  I certainly get tired 
of answering the, "Help, how do I enable sending referrers"  questions. 
   It is definitely a bar to entry for many.  Assuming equivalent 
"security", which method means less support overhead and better user 


More information about the wp-hackers mailing list