Opened 19 months ago

Last modified 19 months ago

#19068 new defect (bug)

admin comment search never resets URL, grows infinitely

Reported by: _ck_
Owned by:
Priority: normal
Milestone: Awaiting Review
Component: Administration
Version: 3.2.1
Severity: normal
Keywords:
Cc:

Description

When searching from /wp-admin/edit-comments.php
the URL will grow infinitely and never reset to its base.

To reproduce this bug, simply search comments several times and then examine the resulting URL (by copying it to an editor). It will be over 1000 characters easily, because it's simply appending the previous searches and previous nonces for no useful reason.

Instead the form should just use /wp-admin/edit-comments.php as its submit base.

But that form should not be using GET in the first place.

Allowing overly long URLs is also a security problem as it can give a window for XSS attacks.

I wouldn't be surprised if this design flaw exists in other parts of WP admin but I'll leave that up to someone else who has more patience.

Change History (3)

Sorry, I need to clarify further details to reproduce.

You need to check some of the resulting checkboxes and search (again).

Try a combination of approving some comments and also searching and the URL will keep growing.

Those checkboxes should NOT be submitted via a GET, that form should most certainly be fixed to use POST for that much data.

comment:2 follow-up: ↓ 3   SergeyBiryukov, 19 months ago

Switch to GET was done in #16335 to fix sorting of search results.

All list table search boxes currently use GET with an empty action, so we should be consistent here.

I've tried, but couldn't reproduce the issue yet. My steps:

  1. Search for some term to get three or more comments.
  2. Approve a couple of comments in search results using Bulk Actions dropdown.
  3. Search again (for a different term, or the same, doesn't seem to matter).
  4. URL still has only one copy of the query arguments.
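The growth the description reports, and the steps above try to reproduce, can be modelled in a few lines of JavaScript. This is an added example, not WordPress code. Neither the ticket nor the reply says which form field carries the earlier searches and nonces into the next URL, so the model assumes a hidden input (called prev_url here, a hypothetical name) that echoes the current page URL, and uses hypothetical delete_comments[] names for the checkboxes. It contrasts that with the fix the reporter asks for: a bare /wp-admin/edit-comments.php action, a short whitelist of list state carried forward, and the bulk action sent as POST so the checkbox data never reaches the URL.

```javascript
// Added example, not WordPress code. Models how a GET list-table form can make
// its own URL grow on every submission, next to the fix the reporter asks for.
// Assumption (not established by the ticket): the growth comes from a hidden
// input that echoes the current page URL. Field names below are hypothetical.

const BASE = "/wp-admin/edit-comments.php";

// Browser behaviour for a GET form: the action URL's own query string is
// dropped and replaced by the serialised form fields.
function submitGet(action, fields) {
  const qs = new URLSearchParams(fields).toString();
  return action.split("?")[0] + (qs ? "?" + qs : "");
}

// Leaky form: hidden prev_url copies the current URL wholesale, and the
// bulk-action checkboxes ride along on the same GET request as the search.
function leakyFormFields(currentUrl, search, checkedIds) {
  const fields = { s: search, _wpnonce: "nonce0000", prev_url: currentUrl };
  checkedIds.forEach((id, i) => { fields[`delete_comments[${i}]`] = String(id); });
  return fields;
}

// Fixed form: only whitelisted list state is carried forward, rebuilt from the
// current URL rather than copied as one string, so nothing can nest.
const CARRY_FORWARD = ["comment_status", "comment_type"];
function fixedFormFields(currentUrl, search) {
  const current = new URL(currentUrl, "http://localhost").searchParams;
  const fields = { s: search };
  for (const key of CARRY_FORWARD) {
    if (current.has(key)) fields[key] = current.get(key);
  }
  return fields;
}

// Bulk actions go in a POST body, so the IDs and nonce never touch the URL.
function bulkActionRequest(action, checkedIds) {
  const body = new URLSearchParams({ action, _wpnonce: "nonce0000" });
  checkedIds.forEach((id, i) => body.append(`delete_comments[${i}]`, String(id)));
  return { method: "POST", url: BASE, body: body.toString() };
}

// Run `rounds` searches in a row and record the URL length after each one.
// "leaky" submits to the current URL with the leaky fields; "fixed" submits
// to the bare script path with the whitelisted fields.
function simulate(kind, rounds, checkedIds) {
  let url = BASE + "?comment_status=moderated"; // constructed starting URL
  const lengths = [];
  for (let i = 0; i < rounds; i++) {
    const search = "term" + i;
    if (kind === "leaky") {
      url = submitGet(url, leakyFormFields(url, search, checkedIds));
    } else {
      url = submitGet(BASE, fixedFormFields(url, search));
    }
    lengths.push(url.length);
  }
  return { url, lengths };
}

// Stand-alone run: the leaky URL grows every round because each round
// percent-encodes the previous one inside prev_url; the fixed one stays flat.
if (typeof require !== "undefined" && require.main === module) {
  console.log("leaky:", simulate("leaky", 5, [7, 9]).lengths);
  console.log("fixed:", simulate("fixed", 5, [7, 9]).lengths);
}
```

The model shows why the action attribute alone is not the culprit: a GET submission always discards the action's query string, so a URL can only keep growing if some field re-encodes the previous URL. That is also why the two sides of the thread can both be right about what they see: without such a field, the steps in comment 2 produce one copy of the query arguments, exactly as reported there.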

comment:3 in reply to: ↑ 2   _ck_, 19 months ago

Did they seriously switch admin functions that can potentially pass up to several thousand bytes of data to GET via URL just to avoid fixing the sort routine with POST?

That is just dumbfounding. It defies all "best practice" programming techniques not to mention the security issues it can create.
