[wp-hackers] Security at Wordpress

Ryan Scheuermann ryan at concept64.com
Mon Apr 24 15:44:35 GMT 2006


Rob Mientjes wrote:
> On 24/04/06, Ryan Scheuermann <ryan at concept64.com> wrote:
>   
>> Really, it's just a difference between two clicks or one.   Mass delete
>> may not be "needed" but it's certainly giving the user an ability they
>> didn't have before.  And it does solve the problem of making the Delete
>> action distinct from the Edit link.
>>     
>
> Okay, that makes sense. You're quite right, in fact. I don't see why
> this specific change can't be implemented. This needs no confirmation
> e-mails or other silliness; post delete deserves POST.
>
> -Rob.
>   
I mean, using a checkbox form for post delete solves a lot of the 
current issues:

1. post/page delete uses POST and HTTP spec is not violated!  hay!
2. no worries about a consistent looking form button across browsers if 
there is only 1 on the bottom of the page
3. no need for nonces if the delete action requires POST
4. no security issues because links can't POST (security being the 
original concern of this thread)
5. adds new functionality for mass delete of posts (even if not needed)
6. no accidental deletions with Javascript disabled/missing
7. follows a widely accepted and user-friendly model for web applications

Are there any other angles we haven't thought of?

Ryan
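The checkbox-form design from the list above, as an added Python example (not code from the thread or from WordPress): the handler refuses anything but POST for deletion, and also keeps a nonce check, since a method restriction alone does not tie the request to the user's own session; the secret, session id and parsed-form layout are constructed for the example.

```python
import hmac
import hashlib

# Constructed server-side secret; a real deployment would load this from config.
SERVER_SECRET = b"constructed-example-secret"


def make_nonce(session_id: str, action: str = "delete-posts") -> str:
    """Derive a per-session, per-action token to embed in the delete form."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def handle_delete(method: str, form: dict, session_id: str, posts: dict):
    """Process the mass-delete form.

    form mimics a parsed request body: {"delete[]": ["12", "15"], "_nonce": "..."}
    posts is the post store (id -> title) and is mutated on success.
    Returns (http_status, list_of_deleted_ids).
    """
    # 1. Deletion is a state change, so only POST is accepted; a plain link
    #    (GET) cannot trigger it.
    if method != "POST":
        return 405, []
    # 2. The method alone does not prove the request came from our own form
    #    in this user's session, so the nonce is still checked (constant-time).
    expected = make_nonce(session_id)
    if not hmac.compare_digest(form.get("_nonce", ""), expected):
        return 403, []
    # 3. Only checked boxes carrying well-formed, existing ids are deleted.
    deleted = []
    for raw in form.get("delete[]", []):
        if raw.isdigit() and int(raw) in posts:
            del posts[int(raw)]
            deleted.append(int(raw))
    return 200, deleted
```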

