[wp-hackers] Nonce happy?

Abdussamad Abdurrazzaq abdussamad at abdussamad.com
Mon Aug 12 15:15:06 UTC 2013


It is not a problem if you stick all this functionality in a base class 
that you then extend for each of your meta options:

base: 
http://plugins.svn.wordpress.org/comment-form-message/trunk/includes/abstract.class.abd_meta_option.inc.php

text box: 
http://plugins.svn.wordpress.org/comment-form-message/trunk/includes/class.abd_text_meta_option.inc.php


On 08/12/2013 08:01 PM, Thomas Belknap wrote:
> Reading over a lot of documentation and example code concerning the
> addition of custom fields to the Write Post screen, almost every single one
> includes the requirement to include a nonce field with your data. An
> abundance of caution isn't necessarily a bad thing, but does this not
> strike anyone as a little too much caution?
>
> In terms of what WordPress is using nonces for, the only goal is to make
> sure the data is coming from the correct origin: your website and your
> admin form. Once this task is out of the way, the rest of the POST data
> should be trusted. Yet the convention, at least in terms of example code,
> seems to be to include a nonce for every single custom field.
>
> If WP is making its own checks on the "Write Post" screen data, don't the
> additional nonces seem superfluous, or am I missing something?
>
> I perfectly understand their value in the context of a custom plugin
> configuration page. But when extending the Write Post screen to incorporate
> all the additional data a custom post type might require, this additional
> nonce data seems like a bit of a headache with very little value.
>
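A sketch of the base-class approach described in the reply, added here as an example and not taken from the linked comment-form-message plugin: the nonce is rendered once per meta box form and verified once in the shared save handler, alongside a capability check, so each subclass only supplies its own input and sanitizer. Class names, the meta key and the nonce action/name are hypothetical.

```php
<?php
// Added example (not the plugin's code): one nonce per meta box instead of
// one per field. Class names, nonce action/name and meta keys are hypothetical.
abstract class Example_Meta_Option {
    const NONCE_ACTION = 'example_meta_box_save';
    const NONCE_NAME   = 'example_meta_box_nonce';
    protected $key; // post meta key, e.g. '_example_subtitle'

    public function __construct( $key ) {
        $this->key = $key;
        add_action( 'save_post', array( $this, 'save' ), 10, 2 );
    }

    // Each subclass renders its own input; the nonce is emitted once per form
    // by the meta box callback (via nonce_field()), not once per option.
    abstract public function render( WP_Post $post );
    abstract protected function sanitize( $raw );

    public static function nonce_field() {
        wp_nonce_field( self::NONCE_ACTION, self::NONCE_NAME );
    }

    public function save( $post_id, $post ) {
        // Autosaves and revisions do not post the form, so the nonce is absent.
        if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
            return;
        }
        // CSRF check: the request must carry the nonce this form rendered.
        if ( ! isset( $_POST[ self::NONCE_NAME ] )
            || ! wp_verify_nonce( $_POST[ self::NONCE_NAME ], self::NONCE_ACTION ) ) {
            return;
        }
        // Authorization check: a nonce proves origin, not permission.
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            return;
        }
        if ( isset( $_POST[ $this->key ] ) ) {
            $clean = $this->sanitize( wp_unslash( $_POST[ $this->key ] ) );
            update_post_meta( $post_id, $this->key, $clean );
        }
    }
}

class Example_Text_Meta_Option extends Example_Meta_Option {
    public function render( WP_Post $post ) {
        $value = get_post_meta( $post->ID, $this->key, true );
        printf( '<input type="text" name="%s" value="%s" />',
            esc_attr( $this->key ), esc_attr( $value ) );
    }
    protected function sanitize( $raw ) {
        return sanitize_text_field( $raw );
    }
}
```

The meta box callback calls `Example_Meta_Option::nonce_field()` once and then each option's `render()`, so adding a field means adding a subclass, not another nonce.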