[wp-hackers] Nonce happy?

Thomas Belknap dragonfly at dragonflyeye.net
Mon Aug 12 15:01:41 UTC 2013

Reading over a lot of documentation and example code concerning the
addition of custom fields to the Write Post screen, almost every single one
includes the requirement to include a nonce field with your data. An
abundance of caution isn't necessarily a bad thing, but does this not
strike anyone as a little too much caution?

In terms of what WordPress is using nonces for, the only goal is to make
sure the data is coming from the correct origin: your website and your
admin form. Once this task is out of the way, the rest of the POST data
should be trusted. Yet the convention, at least in terms of example code,
seems to be to include a nonce for every single custom field.

If WP is making it's own checks on the "Write Post" screen data, don't the
additional nonces seem superfluous, or am I missing something?

I perfectly understand their value in the context of a custom plugin
configuration page. But when extending the Write Post screen to incorporate
all the additional data a custom post type might require, this additional
nonce data seems like a bit of a headache with very little value.

Tom Belknap
Owner/Editor, DragonFlyEye.Net
Join me:

   - *Inbox:* http://dragonflyeye.net/subscribe
   - *Web*: http://dragonflyeye.net/
   - *Facebook*: https://www.facebook.com/DragonFlyEye.Net
   - *Twitter*: https://twitter.com/dragonflyeye
   - *Google*: https://plus.google.com/u/1/103251482414903117843/posts

More information about the wp-hackers mailing list