Opened 5 months ago

Closed 2 weeks ago

#51483 closed defect (bug) (fixed)

2 elements with non unique id #_wpnonce in post.php

Reported by: vandestouwe
Owned by: ocean90
Milestone: 5.7
Priority: normal
Severity: normal
Version: 5.0
Component: Editor
Keywords: has-patch
Focuses:
Cc:

Description

In the file post.php, when a page is edited, 2 elements are found to have the same id.

  1. on line 2306: <?php wp_nonce_field( 'toggle-custom-fields'); ?>
  2. on line 2424: wp_nonce_field( $nonce_action);

Both forms are active, causing a warning on the console of the web browser.

In the included PHP file both lines have been given a unique id.

Attachments (4)

post.php (243.9 KB) - added by vandestouwe 5 months ago.
The corrected post.php
51483.patch (1.0 KB) - added by vandestouwe 5 months ago.
The patch file to correct the issue
51483.2.patch (1.7 KB) - added by Mista-Flo 3 months ago.
Patch refreshed
51483.3.patch (1.4 KB) - added by Mista-Flo 5 weeks ago.
3rd patch to fix check admin referer

Change History (15)

@vandestouwe
5 months ago

The corrected post.php

#1 @Mista-Flo
5 months ago

  • Keywords reporter-feedback added

Hi @vandestouwe, welcome to Trac!

Could you please provide a bit more information about the issue? Is that happening with the new block editor? Do you have some special plugins enabled like Classic Editor?

Could you also check these links in order to create a valid patch in Trac?

https://make.wordpress.org/core/handbook/tutorials/working-with-patches/
https://make.wordpress.org/core/handbook/best-practices/writing-patches/

If you're familiar with code and git, you can use the wordpress-develop Github repository to easily contribute to WordPress: https://make.wordpress.org/core/handbook/contribute/git/

@vandestouwe
5 months ago

The patch file to correct the issue

#2 @Mista-Flo
5 months ago

  • Keywords has-patch added

#3 @vandestouwe
5 months ago

I'm using the block editor. The warning comes when I want to edit the page. No special plugins are installed. This is a normal page with a form, as you can see at this link: https://www.vandestouwe.com/subscribe. When I want to edit this page, you can find the warning message on the console of the web browser.

#4 @vandestouwe
5 months ago

  • Keywords reporter-feedback removed

#5 @noisysocks
3 months ago

  • Keywords needs-refresh added
  • Milestone changed from Awaiting Review to 5.7

I was able to confirm the bug locally.

@vandestouwe: Could you please refresh the patch? It no longer applies cleanly.

@Mista-Flo
3 months ago

Patch refreshed

#6 @Mista-Flo
3 months ago

  • Keywords needs-refresh removed

Hi @noisysocks, I have refreshed the patch, applied coding standards and removed an unused local variable as well.

#7 @noisysocks
3 months ago

  • Keywords commit added

Thanks @Mista-Flo! LGTM, though we'll still want the space before the />.

#8 follow-up: @ocean90
6 weeks ago

  • Focuses ui coding-standards removed
  • Keywords needs-patch added; has-patch commit removed
  • Version changed from 5.5.1 to 5.0

This is related to #23165, especially the comment ticket:23165:15. For now I'd suggest to only change toggle-custom-fields. Please keep in mind that you also have to set the $query_arg parameter for the check_admin_referer() call.

@Mista-Flo
5 weeks ago

3rd patch to fix check admin referer

#9 in reply to: ↑ 8 @Mista-Flo
5 weeks ago

  • Keywords has-patch added; needs-patch removed

Replying to ocean90:

This is related to #23165, especially the comment ticket:23165:15. For now I'd suggest to only change toggle-custom-fields. Please keep in mind that you also have to set the $query_arg parameter for the check_admin_referer() call.

Hi @ocean90, good catch, thanks for the help! I fixed the issue in the last patch.

This ticket was mentioned in Slack in #core by hellofromtonya.


2 weeks ago

#11 @ocean90
2 weeks ago

  • Owner set to ocean90
  • Resolution set to fixed
  • Status changed from new to closed

In 50255:

Block Editor: Use a unique name for the nonce of the custom fields toggle form.

Avoids a browser warning for having two elements with a non-unique id #_wpnonce on the post edit screen.

See #23165.
Fixes #51483.
Props vandestouwe, Mista-Flo.
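
The pairing discussed in this ticket (a unique name passed to wp_nonce_field() and the same name passed as $query_arg to check_admin_referer()), shown as an added example that is not part of the ticket or of the committed patch. It is a hypothetical stand-alone plugin; the `ex_` functions, `EX_` constants, action names, field name and option name are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Nonce field name example
 * Added example for this ticket; hypothetical plugin, not WordPress core code.
 */

// Hypothetical action and field names, chosen for this example only.
const EX_SAVE         = 'example-save';
const EX_TOGGLE       = 'example-toggle';
const EX_TOGGLE_NONCE = 'example-toggle-nonce';

add_action( 'admin_menu', function () {
	add_management_page( 'Nonce example', 'Nonce example', 'manage_options', 'nonce-example', 'ex_render' );
} );

// Two forms on one screen. Plain <button> elements are used because
// submit_button() would itself emit id="submit" twice.
function ex_render() {
	$url = esc_url( admin_url( 'admin-post.php' ) );
	?>
	<form method="post" action="<?php echo $url; ?>">
		<input type="hidden" name="action" value="<?php echo esc_attr( EX_SAVE ); ?>" />
		<?php wp_nonce_field( EX_SAVE ); // Default name: id="_wpnonce". ?>
		<button class="button">Save</button>
	</form>
	<form method="post" action="<?php echo $url; ?>">
		<input type="hidden" name="action" value="<?php echo esc_attr( EX_TOGGLE ); ?>" />
		<?php wp_nonce_field( EX_TOGGLE, EX_TOGGLE_NONCE ); // id="example-toggle-nonce". ?>
		<button class="button">Toggle</button>
	</form>
	<?php
}

function ex_done() {
	wp_safe_redirect( admin_url( 'tools.php?page=nonce-example' ) );
	exit;
}

add_action( 'admin_post_' . EX_SAVE, function () {
	check_admin_referer( EX_SAVE ); // Reads $_REQUEST['_wpnonce'].
	ex_done();
} );

add_action( 'admin_post_' . EX_TOGGLE, function () {
	// The second argument must name the renamed field. Without it the check
	// looks for $_REQUEST['_wpnonce'], which this form never sends, and dies.
	check_admin_referer( EX_TOGGLE, EX_TOGGLE_NONCE );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Not allowed.' );
	}
	update_option( 'ex_enabled', get_option( 'ex_enabled' ) ? 0 : 1 );
	ex_done();
} );
```

Renaming the field on the form side alone makes every legitimate submission fail the nonce check, which is why the rename and the $query_arg change belong in the same patch.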
