[wp-hackers] Security at Wordpress

Owen Winkler ringmaster at midnightcircus.com
Mon Apr 24 18:55:35 GMT 2006

David House wrote:
> And thus, anyone that says switching to POST is a magic bullet needs
> to rethink their views. Switching is _not_ a less complex solution, as
> it would have to be introduced on top of nonces anyway.

Thank you for helping me say this more succinctly.

> However, I am a standards-are-good kind of guy and I would like to see
> a solution where we use POST wherever possible, with GET only as a
> fallback. Andrew K showed us that the UI hit is somewhat negligible
> (although a proper cross-browser solution is a prerequisite), so you
> have my +1 here. Basically, I don't see any advantage or disadvantage
> of either POST or GET.

If someone can offer a patch that switches actions to POST I would be 
happy to see it, provided:

1) It doesn't affect the ability to moderate comments via GET links in 
email notifications.
2) It maintains internally consistent UI throughout WordPress.

The sample page Andrew provided is not bad, but there are still some 
issues with consistency in Safari.  I don't know that there is a 
workaround.  The ones suggested previously didn't work for me; maybe I 
missed one.
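An added example to illustrate the point made above, not code from this thread or from WordPress's own nonce API: a standalone HMAC nonce that is checked the same way whether the action arrives as a GET link from an e-mail notification or as a POST from an admin form. All function names, the secret and the sample URL are assumptions.

```php
<?php
// Added example, not code from this thread or from WordPress: a standalone HMAC
// nonce guarding an admin action regardless of HTTP method, so an e-mail
// moderation link (GET) and an admin form (POST) get the same check.
const NONCE_SECRET   = 'constructed-secret-change-me';   // constructed, hypothetical
const NONCE_LIFETIME = 12 * 3600;                        // seconds per nonce "tick"

// HMAC over (action, object id, user id, time tick): not guessable by another
// site, and useless for a different user, action or comment.
function create_nonce(string $action, int $object_id, int $user_id, ?int $now = null): string {
    $tick = intdiv($now ?? time(), NONCE_LIFETIME);
    return substr(hash_hmac('sha256', "$action|$object_id|$user_id|$tick", NONCE_SECRET), 0, 16);
}

// Accept the current and the previous tick so a link is not rejected at rollover.
function verify_nonce(string $nonce, string $action, int $object_id, int $user_id, ?int $now = null): bool {
    $now = $now ?? time();
    foreach ([0, NONCE_LIFETIME] as $back) {
        if (hash_equals(create_nonce($action, $object_id, $user_id, $now - $back), $nonce)) {
            return true;
        }
    }
    return false;
}

// The GET link that goes into the notification e-mail.
function moderation_link(string $base, int $comment_id, int $user_id): string {
    $nonce = create_nonce('approve-comment', $comment_id, $user_id);
    return "$base?action=approve-comment&c=$comment_id&_nonce=$nonce";
}

// The handler checks the nonce identically for GET and POST; moving the admin
// form to POST only changes where the parameters arrive, not this check.
function handle_request(string $method, array $params, int $logged_in_user): string {
    $action = $params['action'] ?? '';
    $cid    = (int)($params['c'] ?? 0);
    $nonce  = (string)($params['_nonce'] ?? '');
    if ($action !== 'approve-comment' || $cid <= 0) {
        return 'bad request';
    }
    if (!verify_nonce($nonce, $action, $cid, $logged_in_user)) {
        return "nonce check failed ($method)";   // forged cross-site request or stale link
    }
    return "comment $cid approved via $method";
}

// Demo: the e-mail link is accepted; a request without a valid nonce is not.
parse_str(parse_url(moderation_link('https://example.invalid/wp-admin/comment.php', 42, 1), PHP_URL_QUERY), $q);
echo handle_request('GET', $q, 1), "\n";
echo handle_request('POST', ['action' => 'approve-comment', 'c' => 42, '_nonce' => 'forged'], 1), "\n";
```

Because the nonce is bound to the logged-in user, the same link pasted by someone else, or replayed after the lifetime window, fails the check even though it is a plain GET.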


