[wp-hackers] Security at Wordpress

David Chait davebytes at comcast.net
Mon Apr 24 20:10:08 GMT 2006

Is it allowed to require a AYS (i.e. POST-ed form) to validate the approval? 
Otherwise, I gotta agree with folks, we seem to be specifically leaving open 
a 'GET hole', which breaks the whole "switch to POSTs everywhere they should 

I'd personally prefer the moderate-by-email thing take me to the 
comments-for-that-post page, and let me then moderate from there.  I find I 
don't necessarily want to just approve/delete, I want to see the context of 
comments.  And then that page would (of course) be moving to POST-ed 


----- Original Message ----- 
Owen Winkler wrote
| If someone can offer a patch that switches actions to POST I would be
| happy to see it, provided:
| 1) It doesn't affect the ability to moderate comments via GET links in
| email notifications.

More information about the wp-hackers mailing list