[wp-hackers] Any other way to do it? (or, do we really need Nonces?)

Scott Yang scott.yang at gmail.com
Fri Mar 2 05:59:26 GMT 2007

On 3/2/07, Robert Deaton <false.hopes at gmail.com> wrote:
> > Can't we have some sort of JavaScript action that will load the
> > comment/post ID into a POST form and submit it automagically?
> No, it doesn't peacefully degrade for user agents without JS or with
> JS disabled.

Nor does POST *without* a nonce protect you from XSS, because people can
always set up hidden forms posting to your WP installation in a hidden
frame automatically using JavaScript on their own site.
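To illustrate the point above, here is an added example (mine, not from this thread and not WordPress's own code): a Python model of an action nonce, an HMAC over the user, the action name and a 12-hour time tick in the style WordPress uses, plus a handler that rejects a POST arriving from a hidden form on another site, since that site carries the victim's cookies but cannot compute the nonce. The secret, user ids and comment id are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed server-side secret for this example; a real site keeps it in config.
SECRET = b"constructed-server-secret-do-not-reuse"
TICK_SECONDS = 12 * 3600  # one tick; current and previous tick are accepted


def _tick(now):
    return int(now // TICK_SECONDS)


def _digest(tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def create_nonce(user_id, action, now=None):
    """Nonce bound to this user, this action (e.g. 'delete-comment_42') and the current tick."""
    now = time.time() if now is None else now
    return _digest(_tick(now), action, user_id)


def verify_nonce(nonce, user_id, action, now=None):
    """Accept the current tick and the one before it, so a form loaded shortly
    before a tick boundary still works; anything older or from another user/action fails."""
    now = time.time() if now is None else now
    for tick in (_tick(now), _tick(now) - 1):
        if hmac.compare_digest(nonce, _digest(tick, action, user_id)):
            return True
    return False


def handle_delete_comment(form, session_user_id, now=None):
    """Simulated POST handler. A cross-site hidden form is sent with the victim's
    session cookie (session_user_id) but has no way to fill in a valid _wpnonce."""
    comment_id = form.get("comment_id", "")
    action = f"delete-comment_{comment_id}"
    if not verify_nonce(form.get("_wpnonce", ""), session_user_id, action, now):
        return (403, "nonce check failed")
    return (200, f"comment {comment_id} deleted")
```

A form that only relies on POST is accepted the moment the browser attaches the victim's cookies; binding the nonce to user, action and time is what makes the forged submission distinguishable from a real one.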

