#2800 closed enhancement (fixed)
wp_nonce_field() could pass along HTTP_REFERER info
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 2.1 |
| Component: | Administration | Keywords: | has-patch 2nd-opinion |
| Focuses: | | Cc: | |
Description
Sometimes we make use of the HTTP_REFERER in WordPress in order to redirect people after an action is performed.
Since all forms that do something use wp_nonce_field() anyway, we could just have wp_nonce_field echo out another hidden form input:
echo '<input type="hidden" name="wp_http_referer" value="'. wp_specialchars(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
Might be nice being able to count on that! I'd make it its own function, that wp_nonce_field would call.
Attachments (3)
Change History (15)
#4
@
17 years ago
Something like this.
If your post will embark on a multiple-request journey before needing to return, you just manually invoke wp_original_referer_field() in the form. Forms in the interim only need to call the nonce call, and it'll pass on the original referer value. When you're ready for it, just call wp_get_original_referer() and you can zoom back to your starting location. An example case for that would be the new user editing stuff, whereby you return to the exact user search/browse page that you were on after you've performed multiple edits on a user's profile.
#5
@
17 years ago
- Keywords has-patch 2nd-opinion added
- Owner changed from anonymous to markjaquith
- Status changed from new to assigned
#8
@
17 years ago
- Milestone changed from 2.1 to 2.0.4
I included a fix for #2853 when I committed this. Let's start spreading this to all places that use HTTP_REFERER. Now that referrers are not required to access the admin, people are tripping over redirect problems due to HTTP_REFERER being empty.
I like this.
We need to make check_admin_referer unset the value in the _POST array if the nonce check fails, as we cannot trust the information then.
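
The point raised in the last comment, as an added example that is not WordPress core code and not taken from the ticket's patches: the hidden wp_http_referer field is believed only once the nonce verifies, and is removed from the submitted data otherwise. The demo_* functions, DEMO_SECRET and the HMAC stand-in for the nonce are assumptions, and the local-path check goes one step beyond what the ticket asks for.

```php
<?php
// Added example: stand-alone sketch, not WordPress core code.
// DEMO_SECRET and the demo_* functions are hypothetical stand-ins.
const DEMO_SECRET = 'constructed-secret-for-illustration';

// Stand-in for a nonce: an HMAC over the action name and the session id.
function demo_make_nonce(string $action, string $session): string {
    return substr(hash_hmac('sha256', $action . '|' . $session, DEMO_SECRET), 0, 10);
}

// Returns a same-site path that is safe to redirect to, or $fallback.
// On a failed nonce check the referer field is removed from $post, so no
// later code can pick it up and redirect to it.
function demo_checked_referer(array &$post, string $action, string $session, string $fallback): string {
    $sent = is_string($post['_wpnonce'] ?? null) ? $post['_wpnonce'] : '';
    if (!hash_equals(demo_make_nonce($action, $session), $sent)) {
        unset($post['wp_http_referer']);
        return $fallback;
    }
    $ref = $post['wp_http_referer'] ?? '';
    // The field was filled from REQUEST_URI, so accept only a local path:
    // one leading slash, no backslashes, no control characters.
    if (!is_string($ref) || !preg_match('#^/(?![/\\\\])[^\\\\\x00-\x1f]*\z#', $ref)) {
        return $fallback;
    }
    return $ref;
}

// Constructed sample submissions.
$session = 'session-abc';
$samples = [
    'good'    => ['_wpnonce' => demo_make_nonce('edit-user', $session),
                  'wp_http_referer' => '/wp-admin/users.php?s=smith&paged=3'],
    'forged'  => ['_wpnonce' => 'deadbeef00',
                  'wp_http_referer' => '/wp-admin/users.php'],
    'offsite' => ['_wpnonce' => demo_make_nonce('edit-user', $session),
                  'wp_http_referer' => '//example.invalid/'],
];

foreach ($samples as $name => $post) {
    $target = demo_checked_referer($post, 'edit-user', $session, '/wp-admin/');
    printf("%-8s redirect=%s field_kept=%s\n", $name, $target,
           isset($post['wp_http_referer']) ? 'yes' : 'no');
}
```

Only the first submission is redirected to the path it carried. The forged one loses its field and falls back, and the one with a valid nonce but a protocol-relative target also falls back.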