#40133 closed defect (bug) (worksforme)
Adding nonce for additional fields when hooking to attachment_fields_to_edit causes media library grid view not to work
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | 4.7.3 |
| Component: | Media | Keywords: | |
| Focuses: | Cc: |
Description
When I'm adding additional fields to attachment_fields_to_edit hook, to show them on 'Attachment Details' screen, if I want to add a nonce field to ensure the security when saving these new fields, the media screen just hangs, and the loader just spins on and on.
I'm not getting any error in my error log, so I'm not quite sure why this happens.
I tried adding it as just
wp_nonce_field( 'new_attachment_fields', 'new_attachment_fields_nonce' );
Or as this
$form_fields['nonce']['label'] = '';
$form_fields['nonce']['input'] = 'html';
$form_fields['nonce']['html'] = wp_nonce_field( 'new_attachment_fields', 'new_attachment_fields_nonce' );
but in each time the loader hangs, and I cannot see any images in the grid view, and access the 'Attachment Details' screen.
Now I can add the fields without nonce, but how safe is that?
I'm updating post meta of the attachment, using update_post_meta() function, which properly sanitizes everything before writing it to the database, so is there a need to worry about this, or not?
Technically you can enable the 'Attachment Details' to appear on the front end using wp.media handler (for whatever reason), which exposes it to the public.
Is it necessary to add the nonce check before updating post meta, or am I being overly cautious/paranoid? :D
hello @dingo_bastard Thanks so much for your ticket! This is fixed in a later version of WordPress than the one reported from (4.7.3) and a nonce is now passed to ajax action. @joemcgill has confirmed in our recent media component meeting that this issue is no longer valid. Going to go ahead and close this out. :)