Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#51483 closed defect (bug) (fixed)

2 elements with non unique id #_wpnonce in post.php

Reported by: vandestouwe
Owned by: ocean90
Milestone: 5.7
Priority: normal
Severity: normal
Version: 5.0
Component: Editor
Keywords: has-patch
Focuses:
Cc:

Description

In the file post.php, when a page is edited, 2 elements are found to have the same id.

  1. on line 2306: <?php wp_nonce_field( 'toggle-custom-fields'); ?>
  2. on line 2424: wp_nonce_field( $nonce_action);

Both forms are active, causing a warning on the console of the web browser.

In the included PHP file, both lines have been given a unique id.

Attachments (4)

post.php (243.9 KB) - added by vandestouwe 4 years ago.
The corrected post.php
51483.patch (1.0 KB) - added by vandestouwe 4 years ago.
The patch file to correct the issue
51483.2.patch (1.7 KB) - added by Mista-Flo 4 years ago.
Patch refreshed
51483.3.patch (1.4 KB) - added by Mista-Flo 4 years ago.
3rd patch to fix check admin referer


Change History (15)

@vandestouwe
4 years ago

The corrected post.php

#1 @Mista-Flo
4 years ago

  • Keywords reporter-feedback added

Hi @vandestouwe, welcome to Trac!

Could you please provide a bit more information about the issue? Is that happening with the new block editor? Do you have some special plugins enabled, like Classic Editor?

Could you also check these links in order to create a valid patch in Trac?

https://make.wordpress.org/core/handbook/tutorials/working-with-patches/
https://make.wordpress.org/core/handbook/best-practices/writing-patches/

If you're familiar with code and git, you can use the wordpress-develop Github repository to easily contribute to WordPress: https://make.wordpress.org/core/handbook/contribute/git/


@vandestouwe
4 years ago

The patch file to correct the issue

#2 @Mista-Flo
4 years ago

  • Keywords has-patch added

#3 @vandestouwe
4 years ago

I'm using the block editor. The warning comes when I want to edit the page. No special plugins are installed. This is a normal page with a form, as you can see in this link: https://www.vandestouwe.com/subscribe. When I want to edit this page, you can find the warning message on the console of the web browser.


#4 @vandestouwe
4 years ago

  • Keywords reporter-feedback removed

#5 @noisysocks
4 years ago

  • Keywords needs-refresh added
  • Milestone changed from Awaiting Review to 5.7

I was able to confirm the bug locally.

@vandestouwe: Could you please refresh the patch? It no longer applies cleanly.

@Mista-Flo
4 years ago

Patch refreshed

#6 @Mista-Flo
4 years ago

  • Keywords needs-refresh removed

Hi @noisysocks I have refreshed the patch, applied coding standards and removed an unused local variable as well.

#7 @noisysocks
4 years ago

  • Keywords commit added

Thanks @Mista-Flo! LGTM, though we'll still want the space before the />.

#8 follow-up: @ocean90
4 years ago

  • Focuses ui coding-standards removed
  • Keywords needs-patch added; has-patch commit removed
  • Version changed from 5.5.1 to 5.0

This is related to #23165, especially the comment ticket:23165:15. For now I'd suggest to only change toggle-custom-fields. Please keep in mind that you also have to set the $query_arg parameter for the check_admin_referer() call.

@Mista-Flo
4 years ago

3rd patch to fix check admin referer

#9 in reply to: ↑ 8 @Mista-Flo
4 years ago

  • Keywords has-patch added; needs-patch removed

Replying to ocean90:

This is related to #23165, especially the comment ticket:23165:15. For now I'd suggest to only change toggle-custom-fields. Please keep in mind that you also have to set the $query_arg parameter for the check_admin_referer() call.

Hi @ocean90, good catch, thanks for the help! I fixed the issue in the last patch.

This ticket was mentioned in Slack in #core by hellofromtonya.

4 years ago

#11 @ocean90
4 years ago

  • Owner set to ocean90
  • Resolution set to fixed
  • Status changed from new to closed

In 50255:

Block Editor: Use a unique name for the nonce of the custom fields toggle form.

Avoids a browser warning for having two elements with a non-unique id #_wpnonce on the post edit screen.

See #23165.
Fixes #51483.
Props vandestouwe, Mista-Flo.
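
The pairing raised in comments 8 and 9, as an added example that is not part of the ticket, its patches, or WordPress core: two forms on one admin screen, the second using a uniquely named nonce field, with check_admin_referer() given the matching $query_arg. It assumes WordPress is loaded (for instance as a small plugin file); every example-* and example_* name is hypothetical, since the field name used in the committed fix is not shown on this page.

```php
<?php
/* Plugin Name: Example nonce demo (added illustration, not WordPress core code) */
// Assumes WordPress is loaded. Every example-* / example_* name is hypothetical.

add_action( 'admin_menu', function () {
	add_management_page( 'Nonce demo', 'Nonce demo', 'manage_options', 'example-nonce-demo', 'example_render_page' );
} );

function example_render_page() {
	$target = admin_url( 'admin-post.php' );
	?>
	<form method="post" action="<?php echo esc_url( $target ); ?>">
		<input type="hidden" name="action" value="example_save" />
		<?php
		wp_nonce_field( 'example-save' ); // Default name: emits id="_wpnonce".
		submit_button( 'Save', 'primary', 'example-save-submit' );
		?>
	</form>
	<form method="post" action="<?php echo esc_url( $target ); ?>">
		<input type="hidden" name="action" value="example_toggle" />
		<?php
		// The second argument becomes both the id and the name of the hidden
		// input, so this form does not emit a second id="_wpnonce".
		wp_nonce_field( 'example-toggle', 'example-toggle-nonce' );
		submit_button( 'Toggle', 'secondary', 'example-toggle-submit' );
		?>
	</form>
	<?php
}

add_action( 'admin_post_example_save', function () {
	check_admin_referer( 'example-save' ); // Default $query_arg '_wpnonce' matches the field.
	example_finish();
} );

add_action( 'admin_post_example_toggle', function () {
	// $query_arg must name the renamed field. Left at its default, the check
	// reads $_REQUEST['_wpnonce'], finds nothing, and rejects every submission.
	check_admin_referer( 'example-toggle', 'example-toggle-nonce' );
	example_finish();
} );

function example_finish() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
	}
	// The state change for the verified request would go here.
	wp_safe_redirect( admin_url( 'tools.php?page=example-nonce-demo' ) );
	exit;
}
```

The submit buttons are given distinct names as well, because submit_button() uses its name argument as the element id and would otherwise emit two id="submit" elements.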
