[wp-hackers] Nonce happy?

Stephen Harris contact at stephenharris.info
Mon Aug 12 15:24:23 UTC 2013


Usually when handling custom metaboxes you can't be sure of $_POST even 
when WordPress has checked nonces - since typically the callback is run 
on 'save_post' which is a general hook not specific to the user clicking 
'publish'. There might not even be any data from your metabox. Since 
any plug-in can directly/indirectly trigger 'save_post' with or without 
any appropriate nonce checks it's best to err on the side.

With regards to adding a nonce for each field - that is overkill, but 
you should add a nonce for each metabox. Because metaboxes can be 
removed, you cannot assume that any particular metabox will be present 
with which to check its nonce.

> Reading over a lot of documentation and example code concerning the
> addition of custom fields to the Write Post screen, almost every single one
> includes the requirement to include a nonce field with your data. An
> abundance of caution isn't necessarily a bad thing, but does this not
> strike anyone as a little too much caution?
>
> In terms of what WordPress is using nonces for, the only goal is to make
> sure the data is coming from the correct origin: your website and your
> admin form. Once this task is out of the way, the rest of the POST data
> should be trusted. Yet the convention, at least in terms of example code,
> seems to be to include a nonce for every single custom field.
>
> If WP is making its own checks on the "Write Post" screen data, don't the
> additional nonces seem superfluous, or am I missing something?
>
> I perfectly understand their value in the context of a custom plugin
> configuration page. But when extending the Write Post screen to incorporate
> all the additional data a custom post type might require, this additional
> nonce data seems like a bit of a headache with very little value.
>
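The pattern described above (one nonce per metabox, and a 'save_post' callback that never assumes its own form data is present), as an added example that is not part of the original post or of WordPress itself. The metabox id, field name, meta key and function names ('example_book_...') are assumptions chosen for this illustration; the WordPress functions called are the real core API.

```php
<?php
/**
 * Added example (not from the original post): one metabox, one nonce,
 * and a save_post handler that never assumes its own fields are present.
 * All 'example_book_*' names and the '_example_book_isbn' meta key are
 * assumptions made for this example.
 */

add_action( 'add_meta_boxes', 'example_book_add_metabox' );
function example_book_add_metabox() {
    add_meta_box(
        'example_book_details',
        'Book details',
        'example_book_render_metabox',
        'post'
    );
}

function example_book_render_metabox( $post ) {
    // One nonce per metabox (not per field). The action includes the post ID,
    // so a token issued for one post does not verify against another.
    wp_nonce_field( 'example_book_save_' . $post->ID, 'example_book_nonce' );

    $isbn = get_post_meta( $post->ID, '_example_book_isbn', true );
    printf(
        '<label for="example_book_isbn">ISBN</label> '
        . '<input type="text" id="example_book_isbn" name="example_book_isbn" value="%s" />',
        esc_attr( $isbn )
    );
}

add_action( 'save_post', 'example_book_save_metabox', 10, 2 );
function example_book_save_metabox( $post_id, $post ) {
    // 1. save_post also fires for autosaves and revisions; nothing to do there.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( wp_is_post_revision( $post_id ) ) {
        return;
    }

    // 2. The metabox may have been removed, or save_post may have been fired
    //    by another plugin with no form data at all. A missing nonce simply
    //    means "not our form": bail without touching the post's meta.
    if ( ! isset( $_POST['example_book_nonce'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_POST['example_book_nonce'], 'example_book_save_' . $post_id ) ) {
        return;
    }

    // 3. A valid nonce proves the request came from our form; it says nothing
    //    about whether this user may edit this post. Check that separately.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // 4. Only now read the field. Absent field: leave existing meta alone.
    //    Empty value: the user cleared it, so remove the meta.
    if ( ! isset( $_POST['example_book_isbn'] ) ) {
        return;
    }
    $isbn = sanitize_text_field( wp_unslash( $_POST['example_book_isbn'] ) );
    if ( '' === $isbn ) {
        delete_post_meta( $post_id, '_example_book_isbn' );
        return;
    }
    update_post_meta( $post_id, '_example_book_isbn', $isbn );
}
```

The order of the checks matters: the nonce test comes first because it is the cheapest way to tell "our metabox submitted data" from every other path that reaches 'save_post', and the capability test is kept separate because a nonce is an origin check, not an authorization check.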



More information about the wp-hackers mailing list