[wp-hackers] Security at Wordpress

Paul Mitchell wp-hackers at paul-mitchell.me.uk
Mon Apr 24 17:20:47 GMT 2006

Ryan Scheuermann wrote:
> I mean, using a checkbox form for post delete solves a lot of the
> current issues:
> 1. post/page delete uses POST and HTTP spec is not violated!  hay!
> 2. no worries about a consistent looking form button across browsers
> if there is only 1 on the bottom of the page
> 3. no need for nonces if the delete action requires POST
> 4. no security issues because links can't POST (security being the
> original concern of this thread)
> 5. adds new functionality for mass delete of posts (even if not needed)
> 6. no accidental deletions with Javascript disabled/missing
> 7. follows a widely accepted and user-friendly model for web applications
> Are there any other angles we haven't thought of?
Not sure about 3. I think the nonces are a good idea, arguments about
implementation aside They create a verifiable relationship between cause
and effect in the interface, beyond form and method.

Would AJAX work with this approach? If so, that would be my number 3.
Multiple deleted posts could disappear one-at-a-time with that cool
"fade-out, slide-up" effect.


More information about the wp-hackers mailing list