#54106 closed defect (bug) (fixed)
wp_nonce_field in get forms
Reported by: | msolution | Owned by: | pbearne |
---|---|---|---|
Milestone: | 6.1 | Priority: | normal |
Severity: | normal | Version: | |
Component: | General | Keywords: | has-unit-tests has-patch has-testing-info |
Focuses: | administration | Cc: |
Description
hey,
while testing one of plugins came across this issue.
recreate the issue:
- create an admin side form with method=get
- add wp_nonce_field() to the form, which in turn also gets wp_referer_field()
- every time u submit, the hidden field _wp_http_referer gets an additional version of _wp_http_referer in the value.
- there comes a time where the form is huge and it wont submit.
Solution:
we should have remove_query_arg() inside the function wp_referer_field(), to remove any instance of _wp_http_referer in the $_SERVER[REQUEST_URI]
Hope this helps.
Attachments (1)
Change History (28)
This ticket was mentioned in Slack in #core-test by hellofromtonya. View the logs.
3 years ago
@
3 years ago
A simple WordPress admin panel, which i was required to make the form method as get. It has a walker class listing items, the search form is what im talking about, after too many searches
This ticket was mentioned in PR #2242 on WordPress/wordpress-develop by pbearne.
3 years ago
#4
- Keywords has-patch has-unit-tests added
now removes _wp_http_referer from the url when creating a hidden input for _wp_http_referer
Trac ticket: https://core.trac.wordpress.org/ticket/54106
This ticket was mentioned in Slack in #core by mike. View the logs.
3 years ago
#7
@
3 years ago
- Keywords needs-patch needs-refresh added; has-patch removed
This ticket was checked into at a bug scrub for 6.0 today.
It looks like the PR has some changes requested, and needs a refresh against trunk.
I'm going to update the keywords, and also move it out of the milestone for that reason.
If it's ready before RC, feel free to move it back in for consideration.
Thanks for all your work here!
#9
@
2 years ago
- Keywords changes-requested has-patch added; needs-patch removed
Hi, @pbearne I left some feedback on PR Can you please address the PR feedback so it can move forward? It near to merge for 6.1 milestone.
#10
@
2 years ago
- Keywords needs-refresh changes-requested removed
Thanks @pbearne for addressing the PR feedback. PR is ready for the second review. @davidbaumwald Can you please re-review it?
mukeshpanchal27 commented on PR #2242:
2 years ago
#11
@dream-encode @costdev Can you please re-review?
mukeshpanchal27 commented on PR #2242:
2 years ago
#12
It's a core issue https://wordpress.slack.com/archives/C02RQBWTW/p1662025984130089?thread_ts=1661992665.658499&cid=C02RQBWTW That will be fixed soon, and then all tests will pass.
This ticket was mentioned in Slack in #core by audrasjb. View the logs.
2 years ago
#14
@
2 years ago
As per today's bug scrub, the current PR looks ready to go.
Thanks @Clorith for having a quick look on this with me :)
robinwpdeveloper commented on PR #2242:
2 years ago
#15
LGTM as well.
Thanks @pbearne
#16
@
2 years ago
Thanks to @audrasjb and @Clorith for the reviews. I was wondering if it was on your list for 6.1?
This ticket was mentioned in Slack in #core by chaion07. View the logs.
2 years ago
#18
@
2 years ago
- Keywords changes-requested added
@msolution thank you for reporting this. We reviewed the ticket during a recent bug-scrub session. Based on the feedback received we are making the following changes:
- Adding keyword changes-requested since @mukesh27 had reviewed the PR recently
- We are optimistic to see this land in 6.1 so hoping for the next steps to be executed ASAP!
Cheers!
Props to @mukesh27 @robinwpdeveloper & @hztyfoon
#19
@
2 years ago
Dear @chaion07, @mukesh27, @robinwpdeveloper, @hztyfoon @pbearne @mikeschroder
thanks for looking into this, looking forward to this being included.
#20
@
2 years ago
- Focuses performance removed
- Keywords needs-testing added; changes-requested removed
@adamsilverstein Indicated this is not performance related, and I tend to agree.
Also, this needs to be tested with the instructions at that top to see if the PR indeed does resolve the issue and that there aren't any unintended side effects.
I'm leaning toward punting this to 6.2 with 6.1 RC in a few days, but if this can be tested, I'm open to merging at that time.
#21
@
2 years ago
- Keywords has-testing-info added
Test Report
Patch tested: https://github.com/WordPress/wordpress-develop/pull/2242
Steps to Reproduce or Test
- Create a new file
wp-content/plugins/test_54106.php
with the following contents:<?php /** * Plugin Name: 54106 * Description: Adds an admin notice to test <a href='https://core.trac.wordpress.org/ticket/54106'>54106</a>. * Author: WordPress Core Contributors * Author URI: https://make.wordpress.org/core * License: GPLv2 or later * Version: 1.0.0 */ add_action( 'admin_notices', function() { printf( '<div class="notice notice-info">%1$s%2$s<form method="GET">%3$s%4$s</form><br></div>', '<p><strong>Testing instructions:</strong><br>Click "Submit" and note the entry for <code>_wp_http_referer</code> in the URL each time.</p>', '<p><strong>Expected results:</strong><br>Without patch: <code>_wp_http_referer</code> is repeatedly appended to the URL.<br>With patch: <code>_wp_http_referer</code> is not repeatedly appended to the URL.</p>', wp_nonce_field(), '<input type="submit">' ); } );
- Navigate to
Dashboard
. - 🐞 Submit the form in the admin notice. Then submit it again. Repeat as many times as you want to.
Expected Results
When reproducing a bug:
- ❌
_wp_http_referer
will be added multiple times to the URL and the hidden_wp_http_referer
form field.
When testing a patch to validate it works as expected:
- ✅
_wp_http_referer
will not be added multiple times to the URL and the hidden_wp_http_referer
form field.
Environment
- Server: Apache (Linux)
- WordPress: 6.1-beta2-54337-src
- Browser: Chrome 106.0.0.0
- OS: Windows 10
- Theme: Twenty Twenty-Two
- Plugins:
- 54106 1.0.0
Actual Results
When reproducing a bug:
- ❌ Issue reproduced.
_wp_http_referer
was added multiple times to the URL and the hidden_wp_http_referer
form field.
When testing a patch to validate it works as expected:
- ✅ Patch resolves the issue.
_wp_http_referer
was not added multiple times to the URL and the hidden_wp_http_referer
form field.
#22
@
2 years ago
- Keywords needs-testing removed
Test Report
I follow similar steps as above and it working fine.
Environment
- Server: Linux 06484d457c81
- WordPress: 6.1-beta3-54390-src
- Browser: Chrome 106.0.5249.103
- OS: Macos
- Theme: Twenty Twenty-Two
- Plugins:
- 54106 1.0.0
2 years ago
#24
Ah well… now it doesn't look good to me: this PR adds a new wpRefererFeld.php
file in tests, but there's already a wpRefererField.php
file :)
Ping @pbearne
mukeshpanchal27 commented on PR #2242:
2 years ago
#25
@audrasjb Can you please review it. It's ready for final review and merge.
2 years ago
#27
Committed in https://core.trac.wordpress.org/changeset/54449
Hello @msolution, thanks for opening the ticket.
Could you add more details to reproduce the issue? Where are you adding the admin form?
Do you mind adding a code snippet?