Introduce some more _doing_it_wrong() calls in nonce functions

[johnbillion]

check_admin_referer() will tell you that you're _doing_it_wrong() if you don't specify the $action parameter. The corresponding wp_nonce_field() and wp_nonce_url() functions should behave the same way.

check_ajax_referer() should also behave the same as check_admin_referer() but I'm not sure if potentially raising notices in AJAX calls is a good idea. I've included it in the patch anyway.

[johnbillion]

Patch

[bpetty]

Refreshed patch, still makes sense to me.

Related: #23165

[SergeyBiryukov]

Replying to johnbillion:

check_ajax_referer() should also behave the same as check_admin_referer() but I'm not sure if potentially raising notices in AJAX calls is a good idea.

FWIW, I don't think it's a good idea.

Also, wp_nonce_url() is used directly in href attributes, so the notice would result in a badly broken link:

<a href="<br />
<b>Notice</b>:  wp_nonce_url was called <strong>incorrectly</strong>. You should specify a nonce action as the second parameter. Please see <a href="http://codex.wordpress.org/Debugging_in_WordPress">Debugging in WordPress</a> for more information. (This message was added in version 3.9.) in <b>wp-includes/functions.php</b> on line <b>3069</b><br />
index.php?_wpnonce=dedea08d5f">Link text</a>

Which is displayed like this:

Debugging in WordPress for more information. (This message was added in version 3.9.) in wp-includes/functions.php on line 3069
index.php?_wpnonce=dedea08d5f">Link text

[johnbillion]

I'll have to agree with Sergey here, displaying a notice inside an attribute would break the layout. We can't even just do it in wp_nonce_field() because its value can be returned instead of echoed and a notice may show up in an unwanted place.

This is a wontfix unless anyone has any better ideas.

[nacin]

The security team had at one point discussed making $action a non-optional parameter, like what we did with wpdb::prepare(). But it probably wouldn't go over well.