WordPress.org

Make WordPress Core

Ticket #23165: 23165.approach-c.patch

File 23165.approach-c.patch, 63.5 KB (added by bpetty, 5 years ago)
  • wp-admin/comment.php

    diff --git wp-admin/comment.php wp-admin/comment.php
    index de5483e..e88c310 100644
    if ( $comment->comment_approved != '0' ) { // if not unapproved 
    191191</tr>
    192192</table>
    193193
    194 <?php wp_nonce_field( $nonce_action ); ?>
     194<?php wp_nonce_field( array( 'action' => $nonce_action ) ); ?>
    195195<input type='hidden' name='action' value='<?php echo esc_attr($formaction); ?>' />
    196196<input type='hidden' name='c' value='<?php echo esc_attr($comment->comment_ID); ?>' />
    197197<input type='hidden' name='noredir' value='1' />
  • wp-admin/custom-background.php

    diff --git wp-admin/custom-background.php wp-admin/custom-background.php
    index a924eca..8d29874 100644
    if ( get_background_image() ) { 
    223223<th scope="row"><?php _e('Remove Image'); ?></th>
    224224<td>
    225225<form method="post" action="">
    226 <?php wp_nonce_field('custom-background-remove', '_wpnonce-custom-background-remove'); ?>
     226<?php wp_nonce_field( array( 'action' => 'custom-background-remove',
     227                                                         'name' => '_wpnonce-custom-background-remove' ) ); ?>
    227228<?php submit_button( __( 'Remove Background Image' ), 'button', 'remove-background', false ); ?><br/>
    228229<?php _e('This will remove the background image. You will not be able to restore any customizations.') ?>
    229230</form>
    if ( get_background_image() ) { 
    237238<th scope="row"><?php _e('Restore Original Image'); ?></th>
    238239<td>
    239240<form method="post" action="">
    240 <?php wp_nonce_field('custom-background-reset', '_wpnonce-custom-background-reset'); ?>
     241<?php wp_nonce_field( array( 'action' => 'custom-background-reset',
     242                                                         'name' => '_wpnonce-custom-background-reset' ) ); ?>
    241243<?php submit_button( __( 'Restore Original Image' ), 'button', 'reset-background', false ); ?><br/>
    242244<?php _e('This will restore the original background image. You will not be able to restore any customizations.') ?>
    243245</form>
    if ( get_background_image() ) { 
    252254                <label for="upload"><?php _e( 'Choose an image from your computer:' ); ?></label><br />
    253255                <input type="file" id="upload" name="import" />
    254256                <input type="hidden" name="action" value="save" />
    255                 <?php wp_nonce_field( 'custom-background-upload', '_wpnonce-custom-background-upload' ); ?>
     257                <?php wp_nonce_field( array( 'action' => 'custom-background-upload',
     258                                                                         'name' => '_wpnonce-custom-background-upload' ) ); ?>
    256259                <?php submit_button( __( 'Upload' ), 'button', 'submit', false ); ?>
    257260        </p>
    258261        <p>
    if ( current_theme_supports( 'custom-background', 'default-color' ) ) 
    328331</tbody>
    329332</table>
    330333
    331 <?php wp_nonce_field('custom-background'); ?>
     334<?php wp_nonce_field( array( 'action' => 'custom-background' ) ); ?>
    332335<?php submit_button( null, 'primary', 'save-background-options' ); ?>
    333336</form>
    334337
  • wp-admin/custom-header.php

    diff --git wp-admin/custom-header.php wp-admin/custom-header.php
    index 14f01df..966d777 100644
    class Custom_Image_Header { 
    517517                <label for="upload"><?php _e( 'Choose an image from your computer:' ); ?></label><br />
    518518                <input type="file" id="upload" name="import" />
    519519                <input type="hidden" name="action" value="save" />
    520                 <?php wp_nonce_field( 'custom-header-upload', '_wpnonce-custom-header-upload' ); ?>
     520                <?php wp_nonce_field( array( 'action' => 'custom-header-upload',
     521                                                                         'name' => '_wpnonce-custom-header-upload' ) ); ?>
    521522                <?php submit_button( __( 'Upload' ), 'button', 'submit', false ); ?>
    522523        </p>
    523524        <?php
    if ( current_theme_supports( 'custom-header', 'default-text-color' ) ) { 
    632633
    633634do_action( 'custom_header_options' );
    634635
    635 wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
     636wp_nonce_field( array( 'action' => 'custom-header-options',
     637                                           'name' => '_wpnonce-custom-header-options' ) ); ?>
    636638
    637639<?php submit_button( null, 'primary', 'save-header-options' ); ?>
    638640</form>
    wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?> 
    726728        <?php if ( empty( $_POST ) && isset( $_GET['file'] ) ) { ?>
    727729        <input type="hidden" name="create-new-attachment" value="true" />
    728730        <?php } ?>
    729         <?php wp_nonce_field( 'custom-header-crop-image' ) ?>
     731        <?php wp_nonce_field( array( 'action' => 'custom-header-crop-image' ) ); ?>
    730732
    731733        <p class="submit">
    732734        <?php submit_button( __( 'Crop and Publish' ), 'primary', 'submit', false ); ?>
  • wp-admin/edit-form-advanced.php

    diff --git wp-admin/edit-form-advanced.php wp-admin/edit-form-advanced.php
    index 7d142d9..b353313 100644
    if ( isset( $post_new_file ) && current_user_can( $post_type_object->cap->create 
    297297<div id="message" class="updated"><p><?php echo $message; ?></p></div>
    298298<?php endif; ?>
    299299<form name="post" action="post.php" method="post" id="post"<?php do_action('post_edit_form_tag'); ?>>
    300 <?php wp_nonce_field($nonce_action); ?>
     300<?php wp_nonce_field( array( 'action' => $nonce_action ) ); ?>
    301301<input type="hidden" id="user-id" name="user_ID" value="<?php echo (int) $user_ID ?>" />
    302302<input type="hidden" id="hiddenaction" name="action" value="<?php echo esc_attr( $form_action ) ?>" />
    303303<input type="hidden" id="originalaction" name="originalaction" value="<?php echo esc_attr( $form_action ) ?>" />
    if ( 'draft' != get_post_status( $post ) ) 
    314314
    315315echo $form_extra;
    316316
    317 wp_nonce_field( 'autosave', 'autosavenonce', false );
    318 wp_nonce_field( 'meta-box-order', 'meta-box-order-nonce', false );
    319 wp_nonce_field( 'closedpostboxes', 'closedpostboxesnonce', false );
     317wp_nonce_field( array( 'action'   => 'autosave',
     318                                           'name'     => 'autosavenonce',
     319                                           'id'       => 'autosavenonce',
     320                                           'referrer' => false ) );
     321wp_nonce_field( array( 'action'   => 'meta-box-order',
     322                                           'name'     => 'meta-box-order-nonce',
     323                                           'referrer' => false ) );
     324wp_nonce_field( array( 'action'   => 'closedpostboxes',
     325                                           'name'     => 'closedpostboxesnonce',
     326                                           'id'       => 'closedpostboxesnonce',
     327                                           'referrer' => false ) );
    320328?>
    321329
    322330<div id="poststuff">
    if ( $post_type_object->public && ! ( 'pending' == get_post_status( $post ) && ! 
    348356?>
    349357</div>
    350358<?php
    351 wp_nonce_field( 'samplepermalink', 'samplepermalinknonce', false );
     359wp_nonce_field( array( 'action'   => 'samplepermalink',
     360                                           'name'     => 'samplepermalinknonce',
     361                                           'id'       => 'samplepermalinknonce',
     362                                           'referrer' => false ) );
    352363?>
    353364</div><!-- /titlediv -->
    354365<?php
  • wp-admin/edit-form-comment.php

    diff --git wp-admin/edit-form-comment.php wp-admin/edit-form-comment.php
    index 14a2966..94e22ea 100644
    if ( !defined('ABSPATH') ) 
    1111        die('-1');
    1212?>
    1313<form name="post" action="comment.php" method="post" id="post">
    14 <?php wp_nonce_field('update-comment_' . $comment->comment_ID) ?>
     14<?php wp_nonce_field( array( 'action' => 'update-comment_' . $comment->comment_ID, 'id' => '_wpnonce' ) ); ?>
    1515<div class="wrap">
    1616<?php screen_icon(); ?>
    1717<h2><?php _e('Edit Comment'); ?></h2>
    if ( !defined('ABSPATH') ) 
    6262</div>
    6363
    6464<div id="postdiv" class="postarea">
    65 <?php
     65        <?php
    6666        $quicktags_settings = array( 'buttons' => 'strong,em,link,block,del,ins,img,ul,ol,li,code,spell,close' );
    6767        wp_editor( $comment->comment_content, 'content', array( 'media_buttons' => false, 'tinymce' => false, 'quicktags' => $quicktags_settings ) );
    68         wp_nonce_field( 'closedpostboxes', 'closedpostboxesnonce', false ); ?>
     68        wp_nonce_field( array( 'action'   => 'closedpostboxes',
     69                                                   'name'     => 'closedpostboxesnonce',
     70                                                   'id'       => 'closedpostboxesnonce',
     71                                                   'referrer' => false ) );
     72        ?>
    6973</div>
    7074</div><!-- /post-body-content -->
    7175
  • wp-admin/edit-link-form.php

    diff --git wp-admin/edit-link-form.php wp-admin/edit-link-form.php
    index 6d81ec0..0af5273 100644
    if ( !empty($form) ) 
    7171if ( !empty($link_added) )
    7272        echo $link_added;
    7373
    74 wp_nonce_field( $nonce_action );
    75 wp_nonce_field( 'closedpostboxes', 'closedpostboxesnonce', false );
    76 wp_nonce_field( 'meta-box-order', 'meta-box-order-nonce', false ); ?>
     74wp_nonce_field( array( 'action' => $nonce_action ) );
     75wp_nonce_field( array( 'action'   => 'closedpostboxes',
     76                                           'name'     => 'closedpostboxesnonce',
     77                                           'id'       => 'closedpostboxesnonce',
     78                                           'referrer' => false ) );
     79wp_nonce_field( array( 'action'   => 'meta-box-order',
     80                                           'name'     => 'meta-box-order-nonce',
     81                                           'referrer' => false ) ); ?>
    7782
    7883<div id="poststuff">
    7984
  • wp-admin/edit-tag-form.php

    diff --git wp-admin/edit-tag-form.php wp-admin/edit-tag-form.php
    index 034642a..d25c332 100644
    do_action($taxonomy . '_pre_edit_form', $tag, $taxonomy); ?> 
    3434<input type="hidden" name="action" value="editedtag" />
    3535<input type="hidden" name="tag_ID" value="<?php echo esc_attr($tag->term_id) ?>" />
    3636<input type="hidden" name="taxonomy" value="<?php echo esc_attr($taxonomy) ?>" />
    37 <?php wp_original_referer_field(true, 'previous'); wp_nonce_field('update-tag_' . $tag_ID); ?>
     37<?php wp_original_referer_field(true, 'previous'); wp_nonce_field( array( 'action' => 'update-tag_' . $tag_ID ) ); ?>
    3838        <table class="form-table">
    3939                <tr class="form-field form-required">
    4040                        <th scope="row" valign="top"><label for="name"><?php _ex('Name', 'Taxonomy Name'); ?></label></th>
  • wp-admin/edit-tags.php

    diff --git wp-admin/edit-tags.php wp-admin/edit-tags.php
    index 7250a66..6a615a2 100644
    if ( current_user_can($tax->cap->edit_terms) ) { 
    354354<input type="hidden" name="screen" value="<?php echo esc_attr($current_screen->id); ?>" />
    355355<input type="hidden" name="taxonomy" value="<?php echo esc_attr($taxonomy); ?>" />
    356356<input type="hidden" name="post_type" value="<?php echo esc_attr($post_type); ?>" />
    357 <?php wp_nonce_field('add-tag', '_wpnonce_add-tag'); ?>
     357<?php wp_nonce_field( array( 'action' => 'add-tag',
     358                                                         'name'   => '_wpnonce_add-tag' ) ); ?>
    358359
    359360<div class="form-field form-required">
    360361        <label for="tag-name"><?php _ex('Name', 'Taxonomy Name'); ?></label>
  • wp-admin/includes/class-wp-comments-list-table.php

    diff --git wp-admin/includes/class-wp-comments-list-table.php wp-admin/includes/class-wp-comments-list-table.php
    index cf0ab88..6b1b571 100644
    class WP_Comments_List_Table extends WP_List_Table { 
    231231                }
    232232
    233233                if ( ( 'spam' == $comment_status || 'trash' == $comment_status ) && current_user_can( 'moderate_comments' ) ) {
    234                         wp_nonce_field( 'bulk-destroy', '_destroy_nonce' );
    235234                        $title = ( 'spam' == $comment_status ) ? esc_attr__( 'Empty Spam' ) : esc_attr__( 'Empty Trash' );
    236235                        submit_button( $title, 'apply', 'delete_all', false );
    237236                }
    class WP_Comments_List_Table extends WP_List_Table { 
    273272        function display() {
    274273                extract( $this->_args );
    275274
    276                 wp_nonce_field( "fetch-list-" . get_class( $this ), '_ajax_fetch_list_nonce' );
     275                wp_nonce_field( array( 'action' => 'fetch-list-' . get_class( $this ),
     276                                                           'name' => '_ajax_fetch_list_nonce' ) );
    277277
    278278                $this->display_tablenav( 'top' );
    279279
    class WP_Post_Comments_List_Table extends WP_Comments_List_Table { 
    549549        function display( $output_empty = false ) {
    550550                extract( $this->_args );
    551551
    552                 wp_nonce_field( "fetch-list-" . get_class( $this ), '_ajax_fetch_list_nonce' );
     552                wp_nonce_field( array( 'action' => 'fetch-list-' . get_class( $this ),
     553                                                           'name' => '_ajax_fetch_list_nonce' ) );
    553554?>
    554555<table class="<?php echo implode( ' ', $this->get_table_classes() ); ?>" cellspacing="0" style="display:none;">
    555556        <tbody id="the-comment-list"<?php if ( $singular ) echo " data-wp-lists='list:$singular'"; ?>>
  • wp-admin/includes/class-wp-list-table.php

    diff --git wp-admin/includes/class-wp-list-table.php wp-admin/includes/class-wp-list-table.php
    index 8c91c70..7100916 100644
    class WP_List_Table { 
    760760         */
    761761        function display_tablenav( $which ) {
    762762                if ( 'top' == $which )
    763                         wp_nonce_field( 'bulk-' . $this->_args['plural'] );
     763                        wp_nonce_field( array( 'action' => 'bulk-' . $this->_args['plural'] ) );
    764764?>
    765765        <div class="tablenav <?php echo esc_attr( $which ); ?>">
    766766
  • wp-admin/includes/class-wp-posts-list-table.php

    diff --git wp-admin/includes/class-wp-posts-list-table.php wp-admin/includes/class-wp-posts-list-table.php
    index c772fa6..c41d22d 100644
    class WP_Posts_List_Table extends WP_List_Table { 
    10371037                <p class="submit inline-edit-save">
    10381038                        <a accesskey="c" href="#inline-edit" title="<?php esc_attr_e( 'Cancel' ); ?>" class="button-secondary cancel alignleft"><?php _e( 'Cancel' ); ?></a>
    10391039                        <?php if ( ! $bulk ) {
    1040                                 wp_nonce_field( 'inlineeditnonce', '_inline_edit', false );
     1040                                wp_nonce_field( array( 'action' => 'inlineeditnonce',
     1041                                                                           'name' => '_inline_edit',
     1042                                                                           'referrer' => false ) );
    10411043                                $update_text = __( 'Update' );
    10421044                                ?>
    10431045                                <a accesskey="s" href="#inline-edit" title="<?php esc_attr_e( 'Update' ); ?>" class="button-primary save alignright"><?php echo esc_attr( $update_text ); ?></a>
  • wp-admin/includes/class-wp-terms-list-table.php

    diff --git wp-admin/includes/class-wp-terms-list-table.php wp-admin/includes/class-wp-terms-list-table.php
    index 8501010..8c10951 100644
    class WP_Terms_List_Table extends WP_List_Table { 
    366366                        <a accesskey="s" href="#inline-edit" title="<?php echo esc_attr( $update_text ); ?>" class="save button-primary alignright"><?php echo $update_text; ?></a>
    367367                        <span class="spinner"></span>
    368368                        <span class="error" style="display:none;"></span>
    369                         <?php wp_nonce_field( 'taxinlineeditnonce', '_inline_edit', false ); ?>
     369                        <?php wp_nonce_field( array( 'action' => 'taxinlineeditnonce',
     370                                                                                 'name' => '_inline_edit',
     371                                                                                 'referrer' => false ) ); ?>
    370372                        <input type="hidden" name="taxonomy" value="<?php echo esc_attr( $this->screen->taxonomy ); ?>" />
    371373                        <input type="hidden" name="post_type" value="<?php echo esc_attr( $this->screen->post_type ); ?>" />
    372374                        <br class="clear" />
  • wp-admin/includes/class-wp-theme-install-list-table.php

    diff --git wp-admin/includes/class-wp-theme-install-list-table.php wp-admin/includes/class-wp-theme-install-list-table.php
    index 8aa8929..0e1a588 100644
    class WP_Theme_Install_List_Table extends WP_Themes_List_Table { 
    127127        }
    128128
    129129        function display() {
    130                 wp_nonce_field( "fetch-list-" . get_class( $this ), '_ajax_fetch_list_nonce' );
     130                wp_nonce_field( array( 'action' => 'fetch-list-' . get_class( $this ),
     131                                                           'name' => '_ajax_fetch_list_nonce' ) );
    131132?>
    132133                <div class="tablenav top themes">
    133134                        <div class="alignleft actions">
  • wp-admin/includes/class-wp-themes-list-table.php

    diff --git wp-admin/includes/class-wp-themes-list-table.php wp-admin/includes/class-wp-themes-list-table.php
    index 420495e..c43c2d8 100644
    class WP_Themes_List_Table extends WP_List_Table { 
    9898        }
    9999
    100100        function display() {
    101                 wp_nonce_field( "fetch-list-" . get_class( $this ), '_ajax_fetch_list_nonce' );
     101                wp_nonce_field( array( 'action' => 'fetch-list-' . get_class( $this ),
     102                                                           'name' => '_ajax_fetch_list_nonce' ) );
    102103?>
    103104                <?php $this->tablenav( 'top' ); ?>
    104105
  • wp-admin/includes/dashboard.php

    diff --git wp-admin/includes/dashboard.php wp-admin/includes/dashboard.php
    index 0df8109..c8917b2 100644
    function wp_add_dashboard_widget( $widget_id, $widget_name, $callback, $control_ 
    183183function _wp_dashboard_control_callback( $dashboard, $meta_box ) {
    184184        echo '<form action="" method="post" class="dashboard-widget-control-form">';
    185185        wp_dashboard_trigger_widget_control( $meta_box['id'] );
    186         wp_nonce_field( 'edit-dashboard-widget_' . $meta_box['id'], 'dashboard-widget-nonce' );
     186        wp_nonce_field( array( 'action' => 'edit-dashboard-widget_' . $meta_box['id'],
     187                                                   'name' => 'dashboard-widget-nonce' ) );
    187188        echo '<input type="hidden" name="widget_id" value="' . esc_attr($meta_box['id']) . '" />';
    188189        submit_button( __('Submit') );
    189190        echo '</form>';
    function wp_dashboard() { 
    215216</div>
    216217
    217218<?php
    218         wp_nonce_field( 'closedpostboxes', 'closedpostboxesnonce', false );
    219         wp_nonce_field( 'meta-box-order', 'meta-box-order-nonce', false );
     219        wp_nonce_field( array( 'action' => 'closedpostboxes',
     220                                                   'name' => 'closedpostboxesnonce',
     221                                                   'id' => 'closedpostboxesnonce',
     222                                                   'referrer' => false ) );
     223        wp_nonce_field( array( 'action'   => 'meta-box-order',
     224                                                   'name'     => 'meta-box-order-nonce',
     225                                                   'referrer' => false ) );
    220226
    221227}
    222228
    function wp_dashboard_quick_press() { 
    557563                        <input type="hidden" name="action" id="quickpost-action" value="post-quickpress-save" />
    558564                        <input type="hidden" name="post_ID" value="<?php echo $post_ID; ?>" />
    559565                        <input type="hidden" name="post_type" value="post" />
    560                         <?php wp_nonce_field('add-post'); ?>
     566                        <?php wp_nonce_field( array( 'action' => 'add-post' ) ); ?>
    561567                        <?php submit_button( __( 'Save Draft' ), 'button', 'save', false, array( 'id' => 'save-post' ) ); ?>
    562568                        <input type="reset" value="<?php esc_attr_e( 'Reset' ); ?>" class="button" />
    563569                        <br class="clear" />
  • wp-admin/includes/media.php

    diff --git wp-admin/includes/media.php wp-admin/includes/media.php
    index beb3dcc..f8481f8 100644
    function media_upload_type_form($type = 'file', $errors = null, $id = null) { 
    16021602<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
    16031603<?php submit_button( '', 'hidden', 'save', false ); ?>
    16041604<input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
    1605 <?php wp_nonce_field('media-form'); ?>
     1605<?php wp_nonce_field( array( 'action' => 'media-form' ) ); ?>
    16061606
    16071607<h3 class="media-title"><?php _e('Add media files from your computer'); ?></h3>
    16081608
    function media_upload_type_url_form($type = null, $errors = null, $id = null) { 
    16661666
    16671667<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
    16681668<input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
    1669 <?php wp_nonce_field('media-form'); ?>
     1669<?php wp_nonce_field( array( 'action' => 'media-form' ) ); ?>
    16701670
    16711671<h3 class="media-title"><?php _e('Insert media from another website'); ?></h3>
    16721672
    jQuery(function($){ 
    18161816<a href="#" id="clear"><?php _ex('Clear', 'verb'); ?></a>
    18171817</div>
    18181818<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="gallery-form">
    1819 <?php wp_nonce_field('media-form'); ?>
     1819<?php wp_nonce_field( array( 'action' => 'media-form' ) ); ?>
    18201820<?php //media_upload_form( $errors ); ?>
    18211821<table class="widefat" cellspacing="0">
    18221822<thead><tr>
    foreach ($arc_result as $arc_row) { 
    20572057
    20582058<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="library-form">
    20592059
    2060 <?php wp_nonce_field('media-form'); ?>
     2060<?php wp_nonce_field( array( 'action' => 'media-form' ) ); ?>
    20612061<?php //media_upload_form( $errors ); ?>
    20622062
    20632063<script type="text/javascript">
  • wp-admin/includes/meta-boxes.php

    diff --git wp-admin/includes/meta-boxes.php wp-admin/includes/meta-boxes.php
    index 2b0b286..4af76ab 100644
    function post_categories_meta_box( $post, $box ) { 
    421421                                        </label>
    422422                                        <?php wp_dropdown_categories( array( 'taxonomy' => $taxonomy, 'hide_empty' => 0, 'name' => 'new'.$taxonomy.'_parent', 'orderby' => 'name', 'hierarchical' => 1, 'show_option_none' => '&mdash; ' . $tax->labels->parent_item . ' &mdash;' ) ); ?>
    423423                                        <input type="button" id="<?php echo $taxonomy; ?>-add-submit" data-wp-lists="add:<?php echo $taxonomy ?>checklist:<?php echo $taxonomy ?>-add" class="button category-add-submit" value="<?php echo esc_attr( $tax->labels->add_new_item ); ?>" />
    424                                         <?php wp_nonce_field( 'add-'.$taxonomy, '_ajax_nonce-add-'.$taxonomy, false ); ?>
     424                                        <?php wp_nonce_field( array( 'action' => 'add-'.$taxonomy,
     425                                                                                                 'name' => '_ajax_nonce-add-'.$taxonomy,
     426                                                                                                 'referrer' => false ) ); ?>
    425427                                        <span id="<?php echo $taxonomy; ?>-ajax-response"></span>
    426428                                </p>
    427429                        </div>
    function post_comment_meta_box_thead($result) { 
    535537function post_comment_meta_box( $post ) {
    536538        global $wpdb;
    537539
    538         wp_nonce_field( 'get-comments', 'add_comment_nonce', false );
     540        wp_nonce_field( array( 'action' => 'get-comments',
     541                                                   'name' => 'add_comment_nonce',
     542                                                   'referrer' => false ) );
    539543        ?>
    540544        <p class="hide-if-no-js" id="add-new-comment"><a href="#commentstatusdiv" onclick="commentReply.addcomment(<?php echo $post->ID; ?>);return false;"><?php _e('Add comment'); ?></a></p>
    541545        <?php
    function link_categories_meta_box($link) { 
    753757                        <label class="screen-reader-text" for="newcat"><?php _e( '+ Add New Category' ); ?></label>
    754758                        <input type="text" name="newcat" id="newcat" class="form-required form-input-tip" value="<?php esc_attr_e( 'New category name' ); ?>" aria-required="true" />
    755759                        <input type="button" id="link-category-add-submit" data-wp-lists="add:categorychecklist:link-category-add" class="button" value="<?php esc_attr_e( 'Add' ); ?>" />
    756                         <?php wp_nonce_field( 'add-link-category', '_ajax_nonce', false ); ?>
     760                        <?php wp_nonce_field( array( 'action' => 'add-link-category',
     761                                                                                 'name' => '_ajax_nonce',
     762                                                                                 'referrer' => false ) ); ?>
    757763                        <span id="category-ajax-response"></span>
    758764                </p>
    759765        </div>
  • wp-admin/includes/plugin-install.php

    diff --git wp-admin/includes/plugin-install.php wp-admin/includes/plugin-install.php
    index 63a5f71..ca2a77c 100644
    function install_plugins_upload( $page = 1 ) { 
    145145        <h4><?php _e('Install a plugin in .zip format'); ?></h4>
    146146        <p class="install-help"><?php _e('If you have a plugin in a .zip format, you may install it by uploading it here.'); ?></p>
    147147        <form method="post" enctype="multipart/form-data" class="wp-upload-form" action="<?php echo self_admin_url('update.php?action=upload-plugin'); ?>">
    148                 <?php wp_nonce_field( 'plugin-upload'); ?>
     148                <?php wp_nonce_field( array( 'action' => 'plugin-upload' ) ); ?>
    149149                <label class="screen-reader-text" for="pluginzip"><?php _e('Plugin zip file'); ?></label>
    150150                <input type="file" id="pluginzip" name="pluginzip" />
    151151                <?php submit_button( __( 'Install Now' ), 'button', 'install-plugin-submit', false ); ?>
  • wp-admin/includes/plugin.php

    diff --git wp-admin/includes/plugin.php wp-admin/includes/plugin.php
    index 109e66d..e8c2047 100644
    function remove_option_whitelist( $del_options, $options = '' ) { 
    17591759function settings_fields($option_group) {
    17601760        echo "<input type='hidden' name='option_page' value='" . esc_attr($option_group) . "' />";
    17611761        echo '<input type="hidden" name="action" value="update" />';
    1762         wp_nonce_field("$option_group-options");
     1762        wp_nonce_field( array( 'action' => "$option_group-options" ) );
    17631763}
  • wp-admin/includes/screen.php

    diff --git wp-admin/includes/screen.php wp-admin/includes/screen.php
    index 4a409e8..aea6b9f 100644
    final class WP_Screen { 
    986986                echo $this->_screen_settings;
    987987
    988988                ?>
    989                 <div><?php wp_nonce_field( 'screen-options-nonce', 'screenoptionnonce', false ); ?></div>
     989                <div><?php wp_nonce_field( array( 'action' => 'screen-options-nonce',
     990                                                                                  'name' => 'screenoptionnonce',
     991                                                                                  'referrer' => false ) ); ?></div>
    990992                </form>
    991993                </div>
    992994                <?php
  • wp-admin/includes/template.php

    diff --git wp-admin/includes/template.php wp-admin/includes/template.php
    index 788a4bd..e46a043 100644
    function wp_comment_reply($position = '1', $checkbox = false, $mode = 'single', 
    374374        <input type="hidden" name="checkbox" id="checkbox" value="<?php echo $checkbox ? 1 : 0; ?>" />
    375375        <input type="hidden" name="mode" id="mode" value="<?php echo esc_attr($mode); ?>" />
    376376        <?php
    377                 wp_nonce_field( 'replyto-comment', '_ajax_nonce-replyto-comment', false );
     377                wp_nonce_field( array( 'action' => 'replyto-comment',
     378                                                           'name' => '_ajax_nonce-replyto-comment',
     379                                                           'referrer' => false ) );
    378380                if ( current_user_can( 'unfiltered_html' ) )
    379                         wp_nonce_field( 'unfiltered-html-comment', '_wp_unfiltered_html_comment', false );
     381                        wp_nonce_field( array( 'action' => 'unfiltered-html-comment',
     382                                                                   'name' => '_wp_unfiltered_html_comment',
     383                                                                   'referrer' => false ) );
    380384        ?>
    381385<?php if ( $table_row ) : ?>
    382386</td></tr></tbody></table>
    function _list_meta_row( $entry, &$count ) { 
    496500        $r .= "\n\t\t";
    497501        $r .= get_submit_button( __( 'Update' ), 'updatemeta small', "meta-{$entry['meta_id']}-submit", false, array( 'data-wp-lists' => "add:the-list:meta-{$entry['meta_id']}::_ajax_nonce-add-meta=$update_nonce" ) );
    498502        $r .= "</div>";
    499         $r .= wp_nonce_field( 'change-meta', '_ajax_nonce', false, false );
     503        $r .= wp_nonce_field( array( 'action' => 'change-meta', // Where is this nonce field actually checked? Doesn't look like it's used anywhere.
     504                                                                 'name' => '_ajax_nonce', 'id' => '_ajax_nonce',
     505                                                                 'referrer' => false, 'echo' => false ) );
    500506        $r .= "</td>";
    501507
    502508        $r .= "\n\t\t<td><label class='screen-reader-text' for='meta[{$entry['meta_id']}][value]'>" . __( 'Value' ) . "</label><textarea name='meta[{$entry['meta_id']}][value]' id='meta[{$entry['meta_id']}][value]' rows='2' cols='30'>{$entry['meta_value']}</textarea></td>\n\t</tr>";
    function meta_form() { 
    558564<div class="submit">
    559565<?php submit_button( __( 'Add Custom Field' ), 'secondary', 'addmeta', false, array( 'id' => 'newmeta-submit', 'data-wp-lists' => 'add:the-list:newmeta' ) ); ?>
    560566</div>
    561 <?php wp_nonce_field( 'add-meta', '_ajax_nonce-add-meta', false ); ?>
     567<?php wp_nonce_field( array( 'action' => 'add-meta',
     568                                                         'name' => '_ajax_nonce-add-meta',
     569                                                         'referrer' => false ) ); ?>
    562570</td></tr>
    563571</tbody>
    564572</table>
    function find_posts_div($found_action = '') { 
    12751283                                <?php } ?>
    12761284
    12771285                                <input type="hidden" name="affected" id="affected" value="" />
    1278                                 <?php wp_nonce_field( 'find-posts', '_ajax_nonce', false ); ?>
     1286                                <?php wp_nonce_field( array( 'action' => 'find-posts',
     1287                                                                                         'name' => '_ajax_nonce',
     1288                                                                                         'referrer' => false ) ); ?>
    12791289                                <label class="screen-reader-text" for="find-posts-input"><?php _e( 'Search' ); ?></label>
    12801290                                <input type="text" id="find-posts-input" name="ps" value="" />
    12811291                                <span class="spinner"></span>
  • wp-admin/includes/theme-install.php

    diff --git wp-admin/includes/theme-install.php wp-admin/includes/theme-install.php
    index d0a18a7..a191090 100644
    function install_themes_upload($page = 1) { 
    137137<h4><?php _e('Install a theme in .zip format'); ?></h4>
    138138<p class="install-help"><?php _e('If you have a theme in a .zip format, you may install it by uploading it here.'); ?></p>
    139139<form method="post" enctype="multipart/form-data" class="wp-upload-form" action="<?php echo self_admin_url('update.php?action=upload-theme'); ?>">
    140         <?php wp_nonce_field( 'theme-upload'); ?>
     140        <?php wp_nonce_field( array( 'action' => 'theme-upload' ) ); ?>
    141141        <input type="file" name="themezip" />
    142142        <?php submit_button( __( 'Install Now' ), 'button', 'install-theme-submit', false ); ?>
    143143</form>
  • wp-admin/index.php

    diff --git wp-admin/index.php wp-admin/index.php
    index b476267..3a4e6b0 100644
    $today = current_time('mysql', 1); 
    118118                $classes .= ' hidden'; ?>
    119119
    120120        <div id="welcome-panel" class="<?php echo esc_attr( $classes ); ?>">
    121                 <?php wp_nonce_field( 'welcome-panel-nonce', 'welcomepanelnonce', false ); ?>
     121                <?php wp_nonce_field( array( 'action'   => 'welcome-panel-nonce',
     122                                                                         'name'     => 'welcomepanelnonce',
     123                                                                         'referrer' => false ) ); ?>
    122124                <a class="welcome-panel-close" href="<?php echo esc_url( admin_url( '?welcome=0' ) ); ?>"><?php _e( 'Dismiss' ); ?></a>
    123125                <?php do_action( 'welcome_panel' ); ?>
    124126        </div>
  • wp-admin/js/common.js

    diff --git wp-admin/js/common.js wp-admin/js/common.js
    index 0f6b84d..fc98bf0 100644
    columns = { 
    3030                $.post(ajaxurl, {
    3131                        action: 'hidden-columns',
    3232                        hidden: hidden,
    33                         screenoptionnonce: $('#screenoptionnonce').val(),
     33                        screenoptionnonce: $('input[name="screenoptionnonce"]').val(),
    3434                        page: pagenow
    3535                });
    3636        },
  • wp-admin/js/dashboard.js

    diff --git wp-admin/js/dashboard.js wp-admin/js/dashboard.js
    index 50a17f8..d47c956 100644
    jQuery(document).ready( function($) { 
    88                        $.post( ajaxurl, {
    99                                action: 'update-welcome-panel',
    1010                                visible: visible,
    11                                 welcomepanelnonce: $('#welcomepanelnonce').val()
     11                                welcomepanelnonce: $('input[name="welcomepanelnonce"]').val()
    1212                        });
    1313                };
    1414
  • wp-admin/js/edit-comments.js

    diff --git wp-admin/js/edit-comments.js wp-admin/js/edit-comments.js
    index 038a1e5..531b1e8 100644
    setCommentsList = function() { 
    263263                args = $.extend(args, {
    264264                        'action': 'fetch-list',
    265265                        'list_args': list_args,
    266                         '_ajax_fetch_list_nonce': $('#_ajax_fetch_list_nonce').val()
     266                        '_ajax_fetch_list_nonce': $('input[name="_ajax_fetch_list_nonce"]').val()
    267267                });
    268268
    269269                $.ajax({
  • wp-admin/js/media.js

    diff --git wp-admin/js/media.js wp-admin/js/media.js
    index b4ed0fb..a3aabce 100644
    var findPosts; 
    4848                        var post = {
    4949                                        ps: $('#find-posts-input').val(),
    5050                                        action: 'find_posts',
    51                                         _ajax_nonce: $('#_ajax_nonce').val()
     51                                        _ajax_nonce: $('input[name="_ajax_nonce"]').val()
    5252                                },
    5353                                spinner = $( '.find-box-search .spinner' );
    5454
  • wp-admin/js/nav-menu.js

    diff --git wp-admin/js/nav-menu.js wp-admin/js/nav-menu.js
    index 20f0fc3..c6df0d6 100644
    var wpNavMenu; 
    466466                attachThemeLocationsListeners : function() {
    467467                        var loc = $('#nav-menu-theme-locations'), params = {};
    468468                        params['action'] = 'menu-locations-save';
    469                         params['menu-settings-column-nonce'] = $('#menu-settings-column-nonce').val();
     469                        params['menu-settings-column-nonce'] = $('input[name="menu-settings-column-nonce"]').val();
    470470                        loc.find('input[type="submit"]').click(function() {
    471471                                loc.find('select').each(function() {
    472472                                        params[this.name] = $(this).val();
    var wpNavMenu; 
    510510                                'action': 'menu-quick-search',
    511511                                'response-format': 'markup',
    512512                                'menu': $('#menu').val(),
    513                                 'menu-settings-column-nonce': $('#menu-settings-column-nonce').val(),
     513                                'menu-settings-column-nonce': $('input[name="menu-settings-column-nonce"]').val(),
    514514                                'q': q,
    515515                                'type': input.attr('name')
    516516                        };
    var wpNavMenu; 
    557557
    558558                addItemToMenu : function(menuItem, processMethod, callback) {
    559559                        var menu = $('#menu').val(),
    560                                 nonce = $('#menu-settings-column-nonce').val();
     560                                nonce = $('input[name="menu-settings-column-nonce"]').val();
    561561
    562562                        processMethod = processMethod || function(){};
    563563                        callback = callback || function(){};
  • wp-admin/js/post.js

    diff --git wp-admin/js/post.js wp-admin/js/post.js
    index d08dc4a..b947f6a 100644
    commentsBox = { 
    188188                data = {
    189189                        'action' : 'get-comments',
    190190                        'mode' : 'single',
    191                         '_ajax_nonce' : $('#add_comment_nonce').val(),
     191                        '_ajax_nonce' : $('input[name="add_comment_nonce"]').val(),
    192192                        'p' : $('#post_ID').val(),
    193193                        'start' : st,
    194194                        'number' : num
  • wp-admin/js/postbox.js

    diff --git wp-admin/js/postbox.js wp-admin/js/postbox.js
    index 838db5d..e4a9f37 100644
    var postboxes; 
    121121
    122122                        postVars = {
    123123                                action: 'meta-box-order',
    124                                 _ajax_nonce: $('#meta-box-order-nonce').val(),
     124                                _ajax_nonce: $('input[name="meta-box-order-nonce"]').val(),
    125125                                page_columns: page_columns,
    126126                                page: page
    127127                        }
  • wp-admin/js/theme.js

    diff --git wp-admin/js/theme.js wp-admin/js/theme.js
    index 079c73b..71bdb6d 100644
    jQuery( document ).ready( function($) { 
    123123 * @uses ajaxurl
    124124 * @uses list_args
    125125 * @uses theme_list_args
    126  * @uses $('#_ajax_fetch_list_nonce').val()
     126 * @uses $('input[name="_ajax_fetch_list_nonce"]').val()"
    127127* */
    128128var ThemeScroller;
    129129(function($){
    var ThemeScroller; 
    151151                        }
    152152
    153153                        // Handle inputs
    154                         this.nonce = $('#_ajax_fetch_list_nonce').val();
     154                        this.nonce = $('input[name="_ajax_fetch_list_nonce"]').val();
    155155                        this.nextPage = ( theme_list_args.paged + 1 );
    156156
    157157                        // Cache jQuery selectors
  • wp-admin/js/widgets.js

    diff --git wp-admin/js/widgets.js wp-admin/js/widgets.js
    index 87be4dd..7b03f0e 100644
    wpWidgets = { 
    180180
    181181                var a = {
    182182                        action: 'widgets-order',
    183                         savewidgets: $('#_wpnonce_widgets').val(),
     183                        savewidgets: $('input[name="_wpnonce_widgets"]').val(),
    184184                        sidebars: []
    185185                };
    186186
    wpWidgets = { 
    203203
    204204                a = {
    205205                        action: 'save-widget',
    206                         savewidgets: $('#_wpnonce_widgets').val(),
     206                        savewidgets: $('input[name="_wpnonce_widgets"]').val(),
    207207                        sidebar: sb
    208208                };
    209209
  • wp-admin/media-new.php

    diff --git wp-admin/media-new.php wp-admin/media-new.php
    index c6a7ae1..51cb5f5 100644
    if ( get_user_setting('uploader') || isset( $_GET['browser-uploader'] ) ) 
    7676        var post_id = <?php echo $post_id; ?>, shortform = 3;
    7777        </script>
    7878        <input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
    79         <?php wp_nonce_field('media-form'); ?>
     79        <?php wp_nonce_field( array( 'action' => 'media-form' ) ); ?>
    8080        <div id="media-items" class="hide-if-no-js"></div>
    8181        </form>
    8282</div>
  • wp-admin/media.php

    diff --git wp-admin/media.php wp-admin/media.php
    index 15d4323..df46a56 100644
    if ( current_user_can( 'upload_files' ) ) { ?> 
    128128<input type="hidden" name="attachment_id" id="attachment_id" value="<?php echo esc_attr($att_id); ?>" />
    129129<input type="hidden" name="action" value="editattachment" />
    130130<?php wp_original_referer_field(true, 'previous'); ?>
    131 <?php wp_nonce_field('media-form'); ?>
     131<?php wp_nonce_field( array( 'action' => 'media-form' ) ); ?>
    132132
    133133</form>
    134134
  • wp-admin/ms-delete-site.php

    diff --git wp-admin/ms-delete-site.php wp-admin/ms-delete-site.php
    index 7d772c2..823d5d4 100644
    Webmaster 
    7272        <p><?php _e( 'Remember, once deleted your site cannot be restored.' ) ?></p>
    7373
    7474        <form method="post" name="deletedirect">
    75                 <?php wp_nonce_field( 'delete-blog' ) ?>
     75                <?php wp_nonce_field( array( 'action' => 'delete-blog' ) ); ?>
    7676                <input type="hidden" name="action" value="deleteblog" />
    7777                <p><input id="confirmdelete" type="checkbox" name="confirmdelete" value="1" /> <label for="confirmdelete"><strong><?php printf( __( "I'm sure I want to permanently disable my site, and I am aware I can never get it back or use %s again." ), is_subdomain_install() ? $blog->domain : $blog->domain . $blog->path ); ?></strong></label></p>
    7878                <?php submit_button( __( 'Delete My Site Permanently' ) ); ?>
  • wp-admin/my-sites.php

    diff --git wp-admin/my-sites.php wp-admin/my-sites.php
    index 2ef4ca7..6738c00 100644
    else : 
    111111        }?>
    112112        </table>
    113113        <input type="hidden" name="action" value="updateblogsettings" />
    114         <?php wp_nonce_field( 'update-my-sites' ); ?>
     114        <?php wp_nonce_field( array( 'action' => 'update-my-sites' ) ); ?>
    115115        <?php submit_button(); ?>
    116116        </form>
    117117<?php endif; ?>
  • wp-admin/nav-menus.php

    diff --git wp-admin/nav-menus.php wp-admin/nav-menus.php
    index 361d0f6..99a978a 100644
    require_once( './admin-header.php' ); 
    472472                <form id="nav-menu-meta" action="<?php echo admin_url( 'nav-menus.php' ); ?>" class="nav-menu-meta" method="post" enctype="multipart/form-data">
    473473                        <input type="hidden" name="menu" id="nav-menu-meta-object-id" value="<?php echo esc_attr( $nav_menu_selected_id ); ?>" />
    474474                        <input type="hidden" name="action" value="add-menu-item" />
    475                         <?php wp_nonce_field( 'add-menu_item', 'menu-settings-column-nonce' ); ?>
     475                        <?php wp_nonce_field( array( 'action' => 'add-menu_item',
     476                                                                                 'name' => 'menu-settings-column-nonce' ) ); ?>
    476477                        <?php do_meta_boxes( 'nav-menus', 'side', null ); ?>
    477478                </form>
    478479
    require_once( './admin-header.php' ); 
    564565                                                        </div><!-- END .major-publishing-actions -->
    565566                                                </div><!-- END #submitpost .submitbox -->
    566567                                                <?php
    567                                                 wp_nonce_field( 'closedpostboxes', 'closedpostboxesnonce', false );
    568                                                 wp_nonce_field( 'meta-box-order', 'meta-box-order-nonce', false );
    569                                                 wp_nonce_field( 'update-nav_menu', 'update-nav-menu-nonce' );
     568                                                wp_nonce_field( array( 'action' => 'closedpostboxes',
     569                                                                                           'name' => 'closedpostboxesnonce',
     570                                                                                           'id' => 'closedpostboxesnonce',
     571                                                                                           'referrer' => false ) );
     572                                                wp_nonce_field( array( 'action'   => 'meta-box-order',
     573                                                                                           'name'     => 'meta-box-order-nonce',
     574                                                                                           'referrer' => false ) );
     575                                                wp_nonce_field( array( 'action' => 'update-nav_menu',
     576                                                                                           'name' => 'update-nav-menu-nonce' ) );
    570577                                                ?>
    571578                                                <input type="hidden" name="action" value="update" />
    572579                                                <input type="hidden" name="menu" id="menu" value="<?php echo esc_attr( $nav_menu_selected_id ); ?>" />
  • wp-admin/network.php

    diff --git wp-admin/network.php wp-admin/network.php
    index f0651bc..a5113d9 100644
    function network_step1( $errors = false ) { 
    172172
    173173        echo '<form method="post" action="">';
    174174
    175         wp_nonce_field( 'install-network-1' );
     175        wp_nonce_field( array( 'action' => 'install-network-1' ) );
    176176
    177177        $error_codes = array();
    178178        if ( is_wp_error( $errors ) ) {
  • wp-admin/network/settings.php

    diff --git wp-admin/network/settings.php wp-admin/network/settings.php
    index b3a0f89..ff1310b 100644
    if ( isset( $_GET['updated'] ) ) { 
    8383        <?php screen_icon('options-general'); ?>
    8484        <h2><?php echo esc_html( $title ); ?></h2>
    8585        <form method="post" action="settings.php">
    86                 <?php wp_nonce_field( 'siteoptions' ); ?>
     86                <?php wp_nonce_field( array( 'action' => 'siteoptions' ) ); ?>
    8787                <h3><?php _e( 'Operational Settings' ); ?></h3>
    8888                <table class="form-table">
    8989                        <tr valign="top">
  • wp-admin/network/site-info.php

    diff --git wp-admin/network/site-info.php wp-admin/network/site-info.php
    index bcc71f9..b0d2a58 100644
    if ( ! empty( $messages ) ) { 
    118118                echo '<div id="message" class="updated"><p>' . $msg . '</p></div>';
    119119} ?>
    120120<form method="post" action="site-info.php?action=update-site">
    121         <?php wp_nonce_field( 'edit-site' ); ?>
     121        <?php wp_nonce_field( array( 'action' => 'edit-site' ) ); ?>
    122122        <input type="hidden" name="id" value="<?php echo esc_attr( $id ) ?>" />
    123123        <table class="form-table">
    124124                <tr class="form-field form-required">
  • wp-admin/network/site-new.php

    diff --git wp-admin/network/site-new.php wp-admin/network/site-new.php
    index db2e1f7..d71667d 100644
    if ( ! empty( $messages ) ) { 
    120120                echo '<div id="message" class="updated"><p>' . $msg . '</p></div>';
    121121} ?>
    122122<form method="post" action="<?php echo network_admin_url('site-new.php?action=add-site'); ?>">
    123 <?php wp_nonce_field( 'add-blog', '_wpnonce_add-blog' ) ?>
     123<?php wp_nonce_field( array( 'action' => 'add-blog',
     124                                                         'name'   => '_wpnonce_add-blog' ) ); ?>
    124125        <table class="form-table">
    125126                <tr class="form-field form-required">
    126127                        <th scope="row"><?php _e( 'Site Address' ) ?></th>
  • wp-admin/network/site-settings.php

    diff --git wp-admin/network/site-settings.php wp-admin/network/site-settings.php
    index f807fcf..1146dab 100644
    if ( ! empty( $messages ) ) { 
    108108                echo '<div id="message" class="updated"><p>' . $msg . '</p></div>';
    109109} ?>
    110110<form method="post" action="site-settings.php?action=update-site">
    111         <?php wp_nonce_field( 'edit-site' ); ?>
     111        <?php wp_nonce_field( array( 'action' => 'edit-site' ) ); ?>
    112112        <input type="hidden" name="id" value="<?php echo esc_attr( $id ) ?>" />
    113113        <table class="form-table">
    114114                <?php
  • wp-admin/network/site-users.php

    diff --git wp-admin/network/site-users.php wp-admin/network/site-users.php
    index 2064a76..92be831 100644
    endif; ?> 
    269269                        </select></td>
    270270                </tr>
    271271        </table>
    272         <?php wp_nonce_field( 'add-user', '_wpnonce_add-user' ) ?>
     272        <?php wp_nonce_field( array( 'action' => 'add-user',
     273                                                                 'name'   => '_wpnonce_add-user' ) ); ?>
    273274        <?php submit_button( __( 'Add User' ), 'primary', 'add-user', true, array( 'id' => 'submit-add-existing-user' ) ); ?>
    274275</form>
    275276<?php endif; ?>
    endif; ?> 
    303304                        <td colspan="2"><?php _e( 'Username and password will be mailed to the above email address.' ) ?></td>
    304305                </tr>
    305306        </table>
    306         <?php wp_nonce_field( 'add-user', '_wpnonce_add-new-user' ) ?>
     307        <?php wp_nonce_field( array( 'action' => 'add-user',
     308                                                                 'name'   => '_wpnonce_add-new-user' ) ); ?>
    307309        <?php submit_button( __( 'Add New User' ), 'primary', 'add-user', true, array( 'id' => 'submit-add-user' ) ); ?>
    308310</form>
    309311<?php endif; ?>
  • wp-admin/network/sites.php

    diff --git wp-admin/network/sites.php wp-admin/network/sites.php
    index e9b314d..c572356 100644
    if ( isset( $_GET['action'] ) ) { 
    7878                                        <input type="hidden" name="action" value="<?php echo esc_attr( $_GET['action2'] ) ?>" />
    7979                                        <input type="hidden" name="id" value="<?php echo esc_attr( $id ); ?>" />
    8080                                        <input type="hidden" name="_wp_http_referer" value="<?php echo esc_attr( wp_get_referer() ); ?>" />
    81                                         <?php wp_nonce_field( $_GET['action2'], '_wpnonce', false ); ?>
     81                                        <?php wp_nonce_field( array( 'action' => $_GET['action2'], 'referrer' => false ) ); ?>
    8282                                        <p><?php echo esc_html( stripslashes( $_GET['msg'] ) ); ?></p>
    8383                                        <?php submit_button( __('Confirm'), 'button' ); ?>
    8484                                </form>
  • wp-admin/network/themes.php

    diff --git wp-admin/network/themes.php wp-admin/network/themes.php
    index 04840ee..e4a1a9b 100644
    if ( $action ) { 
    154154                                                foreach ( (array) $themes as $theme )
    155155                                                        echo '<input type="hidden" name="checked[]" value="' . esc_attr($theme) . '" />';
    156156                                        ?>
    157                                         <?php wp_nonce_field('bulk-themes') ?>
     157                                        <?php wp_nonce_field( array( 'action' => 'bulk-themes' ) ); ?>
    158158                                        <?php submit_button( _n( 'Yes, Delete this theme', 'Yes, Delete these themes', $themes_to_delete ), 'button', 'submit', false ); ?>
    159159                                </form>
    160160                                <form method="post" action="<?php echo esc_url(wp_get_referer()); ?>" style="display:inline;">
  • wp-admin/network/user-new.php

    diff --git wp-admin/network/user-new.php wp-admin/network/user-new.php
    index 2044914..050d758 100644
    if ( isset( $add_user_errors ) && is_wp_error( $add_user_errors ) ) { ?> 
    9999                        <td colspan="2"><?php _e( 'Username and password will be mailed to the above email address.' ) ?></td>
    100100                </tr>
    101101        </table>
    102         <?php wp_nonce_field( 'add-user', '_wpnonce_add-user' ) ?>
     102        <?php wp_nonce_field( array( 'action' => 'add-user',
     103                                                                 'name'   => '_wpnonce_add-user' ) ); ?>
    103104        <?php submit_button( __('Add User'), 'primary', 'add-user' ); ?>
    104105        </form>
    105106</div>
  • wp-admin/network/users.php

    diff --git wp-admin/network/users.php wp-admin/network/users.php
    index 1318355..fe5aaca 100644
    function confirm_delete_users( $users ) { 
    2828        <form action="users.php?action=dodelete" method="post">
    2929        <input type="hidden" name="dodelete" />
    3030        <?php
    31         wp_nonce_field( 'ms-users-delete' );
     31        wp_nonce_field( array( 'action' => 'ms-users-delete' ) );
    3232        $site_admins = get_super_admins();
    3333        $admin_out = "<option value='$current_user->ID'>$current_user->user_login</option>";
    3434
  • wp-admin/options-permalink.php

    diff --git wp-admin/options-permalink.php wp-admin/options-permalink.php
    index 906361e..704f954 100644
    if ( ! is_multisite() ) { 
    169169<h2><?php echo esc_html( $title ); ?></h2>
    170170
    171171<form name="form" action="options-permalink.php" method="post">
    172 <?php wp_nonce_field('update-permalink') ?>
     172<?php wp_nonce_field( array( 'action' => 'update-permalink' ) ); ?>
    173173
    174174  <p><?php _e('By default WordPress uses web <abbr title="Universal Resource Locator">URL</abbr>s which have question marks and lots of numbers in them, however WordPress offers you the ability to create a custom URL structure for your permalinks and archives. This can improve the aesthetics, usability, and forward-compatibility of your links. A <a href="http://codex.wordpress.org/Using_Permalinks">number of tags are available</a>, and here are some examples to get you started.'); ?></p>
    175175
    printf( __('If you like, you may enter custom structures for your category and t 
    255255                if ( file_exists($home_path . 'web.config') ) : ?>
    256256<p><?php _e('If your <code>web.config</code> file were <a href="http://codex.wordpress.org/Changing_File_Permissions">writable</a>, we could do this automatically, but it isn&#8217;t so this is the url rewrite rule you should have in your <code>web.config</code> file. Click in the field and press <kbd>CTRL + a</kbd> to select all. Then insert this rule inside of the <code>/&lt;configuration&gt;/&lt;system.webServer&gt;/&lt;rewrite&gt;/&lt;rules&gt;</code> element in <code>web.config</code> file.') ?></p>
    257257<form action="options-permalink.php" method="post">
    258 <?php wp_nonce_field('update-permalink') ?>
     258        <?php wp_nonce_field( array( 'action' => 'update-permalink' ) ); ?>
    259259        <p><textarea rows="9" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_textarea( $wp_rewrite->iis7_url_rewrite_rules() ); ?></textarea></p>
    260260</form>
    261261<p><?php _e('If you temporarily make your <code>web.config</code> file writable for us to generate rewrite rules automatically, do not forget to revert the permissions after rule has been saved.') ?></p>
    262262                <?php else : ?>
    263263<p><?php _e('If the root directory of your site were <a href="http://codex.wordpress.org/Changing_File_Permissions">writable</a>, we could do this automatically, but it isn&#8217;t so this is the url rewrite rule you should have in your <code>web.config</code> file. Create a new file, called <code>web.config</code> in the root directory of your site. Click in the field and press <kbd>CTRL + a</kbd> to select all. Then insert this code into the <code>web.config</code> file.') ?></p>
    264264<form action="options-permalink.php" method="post">
    265 <?php wp_nonce_field('update-permalink') ?>
     265        <?php wp_nonce_field( array( 'action' => 'update-permalink' ) ); ?>
    266266        <p><textarea rows="18" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_textarea( $wp_rewrite->iis7_url_rewrite_rules(true) ); ?></textarea></p>
    267267</form>
    268268<p><?php _e('If you temporarily make your site&#8217;s root directory writable for us to generate the <code>web.config</code> file automatically, do not forget to revert the permissions after the file has been created.') ?></p>
    printf( __('If you like, you may enter custom structures for your category and t 
    272272        if ( $permalink_structure && ! $usingpi && ! $writable ) : ?>
    273273<p><?php _e('If your <code>.htaccess</code> file were <a href="http://codex.wordpress.org/Changing_File_Permissions">writable</a>, we could do this automatically, but it isn&#8217;t so these are the mod_rewrite rules you should have in your <code>.htaccess</code> file. Click in the field and press <kbd>CTRL + a</kbd> to select all.') ?></p>
    274274<form action="options-permalink.php" method="post">
    275 <?php wp_nonce_field('update-permalink') ?>
     275        <?php wp_nonce_field( array( 'action' => 'update-permalink' ) ); ?>
    276276        <p><textarea rows="6" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_textarea( $wp_rewrite->mod_rewrite_rules() ); ?></textarea></p>
    277277</form>
    278278        <?php endif; ?>
  • wp-admin/options.php

    diff --git wp-admin/options.php wp-admin/options.php
    index 92ae917..fb0a3e6 100644
    include('./admin-header.php'); ?> 
    178178<?php screen_icon(); ?>
    179179  <h2><?php esc_html_e('All Settings'); ?></h2>
    180180  <form name="form" action="options.php" method="post" id="all-options">
    181   <?php wp_nonce_field('options-options') ?>
     181  <?php wp_nonce_field( array( 'action' => 'options-options' ) ); ?>
    182182  <input type="hidden" name="action" value="update" />
    183183  <input type='hidden' name='option_page' value='options' />
    184184  <table class="form-table">
  • wp-admin/plugin-editor.php

    diff --git wp-admin/plugin-editor.php wp-admin/plugin-editor.php
    index 3ab0225..65ae4b0 100644
    foreach ( $plugin_files as $plugin_file ) : 
    226226        </ul>
    227227</div>
    228228<form name="template" id="template" action="plugin-editor.php" method="post">
    229         <?php wp_nonce_field('edit-plugin_' . $file) ?>
     229        <?php wp_nonce_field( array( 'action' => 'edit-plugin_' . $file ) ); ?>
    230230                <div><textarea cols="70" rows="25" name="newcontent" id="newcontent" aria-describedby="newcontent-description"><?php echo $content; ?></textarea>
    231231                <input type="hidden" name="action" value="update" />
    232232                <input type="hidden" name="file" value="<?php echo esc_attr($file) ?>" />
  • wp-admin/plugins.php

    diff --git wp-admin/plugins.php wp-admin/plugins.php
    index 7fc3036..a46fd92 100644
    if ( $action ) { 
    294294                                                foreach ( (array) $plugins as $plugin )
    295295                                                        echo '<input type="hidden" name="checked[]" value="' . esc_attr($plugin) . '" />';
    296296                                        ?>
    297                                         <?php wp_nonce_field('bulk-plugins') ?>
     297                                        <?php wp_nonce_field( array( 'action' => 'bulk-plugins' ) ); ?>
    298298                                        <?php submit_button( $data_to_delete ? __( 'Yes, Delete these files and data' ) : __( 'Yes, Delete these files' ), 'button', 'submit', false ); ?>
    299299                                </form>
    300300                                <form method="post" action="<?php echo esc_url(wp_get_referer()); ?>" style="display:inline;">
  • wp-admin/press-this.php

    diff --git wp-admin/press-this.php wp-admin/press-this.php
    index 6542fa3..cbda889 100644
    $admin_body_class .= ' locale-' . sanitize_html_class( strtolower( str_replace( 
    444444<div id="poststuff" class="metabox-holder">
    445445        <div id="side-sortables" class="press-this-sidebar">
    446446                <div class="sleeve">
    447                         <?php wp_nonce_field('press-this') ?>
     447                        <?php wp_nonce_field( array( 'action' => 'press-this' ) ); ?>
    448448                        <input type="hidden" name="post_type" id="post_type" value="text"/>
    449449                        <input type="hidden" name="autosave" id="autosave" />
    450450                        <input type="hidden" id="original_post_status" name="original_post_status" value="draft" />
    $admin_body_class .= ' locale-' . sanitize_html_class( strtolower( str_replace( 
    529529                                                                </label>
    530530                                                                <?php wp_dropdown_categories( array( 'taxonomy' => 'category', 'hide_empty' => 0, 'name' => 'newcategory_parent', 'orderby' => 'name', 'hierarchical' => 1, 'show_option_none' => '&mdash; ' . $tax->labels->parent_item . ' &mdash;' ) ); ?>
    531531                                                                <input type="button" id="category-add-submit" data-wp-lists="add:categorychecklist:category-add" class="button category-add-submit" value="<?php echo esc_attr( $tax->labels->add_new_item ); ?>" />
    532                                                                 <?php wp_nonce_field( 'add-category', '_ajax_nonce-add-category', false ); ?>
     532                                                                <?php wp_nonce_field( array( 'action' => 'add-category',
     533                                                                                                                         'name' => '_ajax_nonce-add-category',
     534                                                                                                                         'referrer' => false ) ); ?>
    533535                                                                <span id="category-ajax-response"></span>
    534536                                                        </p>
    535537                                                </div>
  • wp-admin/theme-editor.php

    diff --git wp-admin/theme-editor.php wp-admin/theme-editor.php
    index c9adabe..6f5fa5a 100644
    if ( $allowed_files ) : 
    198198        echo '<div class="error"><p>' . __('Oops, no such file exists! Double check the name and try again, merci.') . '</p></div>';
    199199else : ?>
    200200        <form name="template" id="template" action="theme-editor.php" method="post">
    201         <?php wp_nonce_field( 'edit-theme_' . $file . $stylesheet ); ?>
     201        <?php wp_nonce_field( array( 'action' => 'edit-theme_' . $file . $stylesheet ) ); ?>
    202202                <div><textarea cols="70" rows="30" name="newcontent" id="newcontent" aria-describedby="newcontent-description"><?php echo $content; ?></textarea>
    203203                <input type="hidden" name="action" value="update" />
    204204                <input type="hidden" name="file" value="<?php echo esc_attr( $relative_file ); ?>" />
  • wp-admin/update-core.php

    diff --git wp-admin/update-core.php wp-admin/update-core.php
    index a45b9be..4842db8 100644
    function list_core_update( $update ) { 
    6868        echo $message;
    6969        echo '</p>';
    7070        echo '<form method="post" action="' . $form_action . '" name="upgrade" class="upgrade">';
    71         wp_nonce_field('upgrade-core');
     71        wp_nonce_field( array( 'action' => 'upgrade-core' ) );
    7272        echo '<p>';
    7373        echo '<input name="version" value="'. esc_attr($update->current) .'" type="hidden"/>';
    7474        echo '<input name="locale" value="'. esc_attr($update->locale) .'" type="hidden"/>';
    function list_plugin_updates() { 
    189189<h3><?php _e( 'Plugins' ); ?></h3>
    190190<p><?php _e( 'The following plugins have new versions available. Check the ones you want to update and then click &#8220;Update Plugins&#8221;.' ); ?></p>
    191191<form method="post" action="<?php echo $form_action; ?>" name="upgrade-plugins" class="upgrade">
    192 <?php wp_nonce_field('upgrade-core'); ?>
     192<?php wp_nonce_field( array( 'action' => 'upgrade-core' ) ); ?>
    193193<p><input id="upgrade-plugins" class="button" type="submit" value="<?php esc_attr_e('Update Plugins'); ?>" name="upgrade" /></p>
    194194<table class="widefat" cellspacing="0" id="update-plugins-table">
    195195        <thead>
    function list_theme_updates() { 
    267267<p><?php _e( 'The following themes have new versions available. Check the ones you want to update and then click &#8220;Update Themes&#8221;.' ); ?></p>
    268268<p><?php printf( __('<strong>Please Note:</strong> Any customizations you have made to theme files will be lost. Please consider using <a href="%s">child themes</a> for modifications.'), _x('http://codex.wordpress.org/Child_Themes', 'Link used in suggestion to use child themes in GUU') ); ?></p>
    269269<form method="post" action="<?php echo $form_action; ?>" name="upgrade-themes" class="upgrade">
    270 <?php wp_nonce_field('upgrade-core'); ?>
     270<?php wp_nonce_field( array( 'action' => 'upgrade-core' ) ); ?>
    271271<p><input id="upgrade-themes" class="button" type="submit" value="<?php esc_attr_e('Update Themes'); ?>" name="upgrade" /></p>
    272272<table class="widefat" cellspacing="0" id="update-themes-table">
    273273        <thead>
  • wp-admin/user-edit.php

    diff --git wp-admin/user-edit.php wp-admin/user-edit.php
    index eadc1f0..e70de0a 100644
    if ( ! IS_PROFILE_PAGE ) { 
    190190</h2>
    191191
    192192<form id="your-profile" action="<?php echo esc_url( self_admin_url( IS_PROFILE_PAGE ? 'profile.php' : 'user-edit.php' ) ); ?>" method="post"<?php do_action('user_edit_form_tag'); ?>>
    193 <?php wp_nonce_field('update-user_' . $user_id) ?>
     193<?php wp_nonce_field( array( 'action' => 'update-user_' . $user_id ) ); ?>
    194194<?php if ( $wp_http_referer ) : ?>
    195195        <input type="hidden" name="wp_http_referer" value="<?php echo esc_url($wp_http_referer); ?>" />
    196196<?php endif; ?>
  • wp-admin/user-new.php

    diff --git wp-admin/user-new.php wp-admin/user-new.php
    index f9616a2..e35b2b8 100644
    if ( is_multisite() ) { 
    269269?>
    270270<form action="" method="post" name="adduser" id="adduser" class="validate"<?php do_action('user_new_form_tag');?>>
    271271<input name="action" type="hidden" value="adduser" />
    272 <?php wp_nonce_field( 'add-user', '_wpnonce_add-user' ) ?>
     272<?php wp_nonce_field( array( 'action' => 'add-user',
     273                                                         'name'   => '_wpnonce_add-user' ) ); ?>
    273274
    274275<table class="form-table">
    275276        <tr class="form-field form-required">
    if ( current_user_can( 'create_users') ) { 
    302303<p><?php _e('Create a brand new user and add it to this site.'); ?></p>
    303304<form action="" method="post" name="createuser" id="createuser" class="validate"<?php do_action('user_new_form_tag');?>>
    304305<input name="action" type="hidden" value="createuser" />
    305 <?php wp_nonce_field( 'create-user', '_wpnonce_create-user' ) ?>
     306<?php wp_nonce_field( array( 'action' => 'create-user',
     307                                                         'name' => '_wpnonce_create-user' ) ); ?>
    306308<?php
    307309// Load up the passed data, else set to a default.
    308310foreach ( array( 'user_login' => 'login', 'first_name' => 'firstname', 'last_name' => 'lastname',
  • wp-admin/users.php

    diff --git wp-admin/users.php wp-admin/users.php
    index 6ea1765..1345786 100644
    case 'delete': 
    211211        include ('admin-header.php');
    212212?>
    213213<form action="" method="post" name="updateusers" id="updateusers">
    214 <?php wp_nonce_field('delete-users') ?>
     214<?php wp_nonce_field( array( 'action' => 'delete-users' ) ); ?>
    215215<?php echo $referer; ?>
    216216
    217217<div class="wrap">
    case 'remove': 
    316316        include ('admin-header.php');
    317317?>
    318318<form action="" method="post" name="updateusers" id="updateusers">
    319 <?php wp_nonce_field('remove-users') ?>
     319<?php wp_nonce_field( array( 'action' => 'remove-users' ) ); ?>
    320320<?php echo $referer; ?>
    321321
    322322<div class="wrap">
  • wp-admin/widgets.php

    diff --git wp-admin/widgets.php wp-admin/widgets.php
    index 3e0b146..ecc1d37 100644
    if ( isset($_GET['editwidget']) && $_GET['editwidget'] ) { 
    281281        <input type="hidden" name="widget-id" class="widget-id" value="<?php echo esc_attr($widget_id); ?>" />
    282282        <input type="hidden" name="id_base" class="id_base" value="<?php echo esc_attr($id_base); ?>" />
    283283        <input type="hidden" name="multi_number" class="multi_number" value="<?php echo esc_attr($multi_number); ?>" />
    284 <?php   wp_nonce_field("save-delete-widget-$widget_id"); ?>
     284        <?php wp_nonce_field( array( 'action' => "save-delete-widget-$widget_id" ) ); ?>
    285285        <br class="clear" />
    286286        </div>
    287287        </form>
    foreach ( $wp_registered_sidebars as $sidebar => $registered_sidebar ) { 
    389389</div>
    390390</div>
    391391<form action="" method="post">
    392 <?php wp_nonce_field( 'save-sidebar-widgets', '_wpnonce_widgets', false ); ?>
     392<?php wp_nonce_field( array( 'action' => 'save-sidebar-widgets',
     393                                                         'name' => '_wpnonce_widgets',
     394                                                         'referrer' => false ) ); ?>
    393395</form>
    394396<br class="clear" />
    395397</div>
  • wp-includes/class-wp-editor.php

    diff --git wp-includes/class-wp-editor.php wp-includes/class-wp-editor.php
    index 38ab7c2..3dc0fec 100644
    final class _WP_Editors { 
    809809        ?>
    810810        <div style="display:none;">
    811811        <form id="wp-link" tabindex="-1">
    812         <?php wp_nonce_field( 'internal-linking', '_ajax_linking_nonce', false ); ?>
     812        <?php wp_nonce_field( array( 'action' => 'internal-linking',
     813                                                                 'name' => '_ajax_linking_nonce',
     814                                                                 'id' => '_ajax_linking_nonce',
     815                                                                 'referrer' => false ) ); ?>
    813816        <div id="link-selector">
    814817                <div id="link-options">
    815818                        <p class="howto"><?php _e( 'Enter the destination URL' ); ?></p>
  • wp-includes/comment-template.php

    diff --git wp-includes/comment-template.php wp-includes/comment-template.php
    index 8be25e1..100e9ca 100644
    function wp_comment_form_unfiltered_html_nonce() { 
    814814        $post_id = $post ? $post->ID : 0;
    815815
    816816        if ( current_user_can( 'unfiltered_html' ) ) {
    817                 wp_nonce_field( 'unfiltered-html-comment_' . $post_id, '_wp_unfiltered_html_comment_disabled', false );
     817                wp_nonce_field( array( 'action' => 'unfiltered-html-comment_' . $post_id,
     818                                                           'name' => '_wp_unfiltered_html_comment_disabled',
     819                                                           'id' => '_wp_unfiltered_html_comment_disabled',
     820                                                           'referrer' => false ) );
    818821                echo "<script>(function(){if(window===window.parent){document.getElementById('_wp_unfiltered_html_comment_disabled').name='_wp_unfiltered_html_comment';}})();</script>\n";
    819822        }
    820823}
  • wp-includes/functions.php

    diff --git wp-includes/functions.php wp-includes/functions.php
    index 17bd70a..2784e7d 100644
    function wp_nonce_url( $actionurl, $action = -1 ) { 
    11701170 * offer absolute protection, but should protect against most cases. It is very
    11711171 * important to use nonce field in forms.
    11721172 *
    1173  * The $action and $name are optional, but if you want to have better security,
    1174  * it is strongly suggested to set those two parameters. It is easier to just
     1173 * The following optional settings can be used with this method:
     1174 *
     1175 * action - A unique name included in the nonce hash (for better security).
     1176 * name - The input field name, defaults to "_wpnonce".
     1177 * id - Used as the input element id if desired.
     1178 * referrer - Referrer field is used for validation, defaults to true.
     1179 * echo - Output is displayed, defaults to true. Returns the output if false.
     1180 *
     1181 * While action is optional, it is strongly recommended to set this option to a
     1182 * unique value for every form for better security. It is easier to just
    11751183 * call the function without any parameters, because validation of the nonce
    1176  * doesn't require any parameters, but since crackers know what the default is
     1184 * doesn't require any parameters, but since crackers know what the default is,
    11771185 * it won't be difficult for them to find a way around your nonce and cause
    11781186 * damage.
    11791187 *
    1180  * The input name will be whatever $name value you gave. The input value will be
    1181  * the nonce creation value.
    1182  *
    11831188 * @package WordPress
    11841189 * @subpackage Security
    11851190 * @since 2.0.4
    11861191 *
    1187  * @param string $action Optional. Action name.
    1188  * @param string $name Optional. Nonce name.
    1189  * @param bool $referer Optional, default true. Whether to set the referer field for validation.
    1190  * @param bool $echo Optional, default true. Whether to display or return hidden form field.
    1191  * @return string Nonce field.
     1192 * @param array $options Optional settings for the nonce field, see description.
     1193 *
     1194 * @return string HTML nonce field to be used in a form.
    11921195 */
    1193 function wp_nonce_field( $action = -1, $name = "_wpnonce", $referer = true , $echo = true ) {
    1194         $name = esc_attr( $name );
    1195         $nonce_field = '<input type="hidden" id="' . $name . '" name="' . $name . '" value="' . wp_create_nonce( $action ) . '" />';
     1196function wp_nonce_field( $options = array() ) {
     1197        $defaults = array(
     1198                'action'   => -1,
     1199                'name'     => '_wpnonce',
     1200                'id'       => '',
     1201                'referrer' => true,
     1202                'echo'     => true
     1203        );
    11961204
    1197         if ( $referer )
     1205        // WordPress 3.5 compatibility layer:
     1206        // Arguments: $action = -1, $name = "_wpnonce", $referer = true, $echo = true
     1207        // The $name parameter was also used for id.
     1208        if ( ! is_array( $options ) || 0 == func_num_args() ) {
     1209                _deprecated_argument( __FUNCTION__, '3.6', 'Please see the documentation on how to pass the necessary options to this function.' );
     1210                $old_args = func_get_args();
     1211                $options = array( 'name' => '_wpnonce' );
     1212                if ( isset( $old_args[0] ) ) $options['action']   = $old_args[0];
     1213                if ( isset( $old_args[1] ) ) $options['name']     = $old_args[1];
     1214                if ( isset( $old_args[2] ) ) $options['referrer'] = $old_args[2];
     1215                if ( isset( $old_args[3] ) ) $options['echo']     = $old_args[3];
     1216                $options['id'] = $options['name'];
     1217        }
     1218
     1219        $options = wp_parse_args( $options, $defaults );
     1220
     1221        $nonce_field = '<input type="hidden"';
     1222        if ( ! empty( $options['id'] ) ) {
     1223                $nonce_field .= ' id="' . esc_attr( $options['id'] ) . '"';
     1224        }
     1225        $nonce_field .= ' name="' . esc_attr( $options['name'] ) . '"';
     1226        $nonce_field .= ' value="' . esc_attr( wp_create_nonce( $options['action'] ) ) . '" />';
     1227
     1228        if ( $options['referrer'] )
    11981229                $nonce_field .= wp_referer_field( false );
    11991230
    1200         if ( $echo )
     1231        if ( $options['echo'] )
    12011232                echo $nonce_field;
    12021233
    12031234        return $nonce_field;
  • wp-includes/ms-functions.php

    diff --git wp-includes/ms-functions.php wp-includes/ms-functions.php
    index 0f6794b..2df5e28 100644
    function upload_is_file_too_big( $upload ) { 
    16211621function signup_nonce_fields() {
    16221622        $id = mt_rand();
    16231623        echo "<input type='hidden' name='signup_form_id' value='{$id}' />";
    1624         wp_nonce_field('signup_form_' . $id, '_signup_form', false);
     1624        wp_nonce_field( array( 'action' => 'signup_form_' . $id,
     1625                                                   'name'=> '_signup_form',
     1626                                                   'referrer' => false ) );
    16251627}
    16261628
    16271629/**