Ticket #11953: 11953.2.diff

wp-includes/functions.php

@@ -1954 +1954 @@
  * offer absolute protection, but should protect against most cases. It is very
  * important to use nonce field in forms.
  *
- * If you set $echo to true and set $referer to true, then you will need to
- * retrieve the {@link wp_referer_field() wp referer field}. If you have the
- * $referer set to true and are echoing the nonce field, it will also echo the
- * referer field.
- *
  * The $action and $name are optional, but if you want to have better security,
  * it is strongly suggested to set those two parameters. It is easier to just
  * call the function without any parameters, because validation of the nonce
@@ -1982 +1977 @@
 function wp_nonce_field( $action = -1, $name = "_wpnonce", $referer = true , $echo = true ) {
         $name = esc_attr( $name );
         $nonce_field = '<input type="hidden" id="' . $name . '" name="' . $name . '" value="' . wp_create_nonce( $action ) . '" />';
-        if ( $echo )
-                echo $nonce_field;
 
         if ( $referer )
-                wp_referer_field( $echo );
+                $nonce_field .= wp_referer_field( false );
 
+        if ( $echo )
+                echo $nonce_field;
+
         return $nonce_field;
 }