Make WordPress Core

Opened 13 years ago

Closed 10 years ago

#6564 closed defect (bug) (wontfix)

Multiple admin forms means multiple ID="_wpnonce", rendering XHTML invalid

Reported by: markjaquith
Owned by: markjaquith
Milestone:
Priority: low
Severity: minor
Version: 2.5
Component: Validation
Keywords:
Focuses:
Cc:


If you have more than one nonced admin form on one page, you'll have multiple hidden inputs with an ID of "_wpnonce" which renders the XHTML invalid.

autosave.js appears to rely on that ID ... one solution would be to increment the ID each time it is used: _wpnonce, _wpnonce2, _wpnonce3.

It's a hidden form field, so the only real use for the ID is in jQuery, and it doesn't appear we're using it other than in autosave (and there's only one _wpnonce ID on the write screen).

Attachments (1)

6564.001.diff (816 bytes) - added by markjaquith 13 years ago.


Change History (13)

#1 @markjaquith
13 years ago

  • Keywords has-patch needs-testing added
  • Owner changed from anonymous to markjaquith
  • Status changed from new to assigned

6564.001.diff uses _wpnonce{2,3,4...} if _wpnonce has already been used. The name stays as "_wpnonce" so this won't break the nonce functionality. Need to make sure that autosave isn't affected and that there aren't any instances of multiple _wpnonce's that are jQueried. I'm guessing there aren't, and even if there are, it should grab the first one anyway, so no change in functionality.

Still, needs testing.

#2 @DD32
12 years ago

> Still, needs testing.

Just ran into this issue with some changes I'm making.

I've only looked at the patch, not tested it, but aren't there some changes needed to the validating function too?

#3 @DD32
12 years ago

> I've only looked at the patch, not tested it, but aren't there some changes needed to the validating function too?

Bah.. It's late, I realised it was the ID attribute changing, not the Name attribute, as I clicked Submit.

Tested and it works great for me, although it uses _wpnonce, and then _wpnonce2; that's a small thing which shouldn't affect much.

I don't think there are any locations with jQuery and multiple forms either.. but it probably deserves more investigation

#4 @DD32
12 years ago

Any traction on committal?

#5 @hakre
12 years ago

Use "name"-attribute and drop the "id"-attribute instead. That should be ok with HTML and it will fix that _wpnonce isn't a valid HTML ID value. I will take a look into it and provide a new patch.

#6 @hakre
12 years ago

Similar problem with "_ajax_nonce"; it should be used as name as well, instead of as ID.

#7 @Denis-de-Bernardy
11 years ago

  • Keywords needs-patch added; has-patch needs-testing removed

#8 @Denis-de-Bernardy
11 years ago

  • Component changed from Administration to Validation

#9 @hakre
11 years ago

Any interest to have a patch for 2.8.2?

#10 @azaozz
11 years ago

  • Milestone changed from 2.9 to Future Release

Not sure if we should do that. If more than one nonce is needed on the same page, a much better option is to pass a unique name/id to each: wp_nonce_field( 'check-this-nonce', 'for-this-name' );.

#12 @ocean90
10 years ago

  • Keywords needs-patch removed
  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from accepted to closed

In #13383 we have replaced all the multiple ID="_wpnonce" in core with a custom name/id, see comment:10.
Plugin/theme devs should do this too.
I will close this ticket as wontfix. If someone thinks that this is essential, then re-open the ticket please.
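
The approach from comment:10, shown as an added example that is not part of the ticket or of WordPress core: a hypothetical plugin settings page with two forms, each given its own nonce action and field name, and each verified against that same pair on submit. All `ex_`-prefixed names, the page slug and the option names are assumptions.

```php
<?php
/**
 * Plugin Name: Two Nonced Forms (hypothetical example)
 */

// Hypothetical names: one nonce action + field name per form.
const EX_FORMS = array(
	'ex_save_title' => array( 'action' => 'ex-save-title', 'field' => '_ex_title_nonce', 'option' => 'ex_title' ),
	'ex_save_color' => array( 'action' => 'ex-save-color', 'field' => '_ex_color_nonce', 'option' => 'ex_color' ),
);

add_action( 'admin_menu', function () {
	add_options_page( 'Example', 'Example', 'manage_options', 'ex-settings', 'ex_render_page' );
} );

function ex_render_page() {
	foreach ( EX_FORMS as $hook => $form ) {
		echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
		echo '<input type="hidden" name="action" value="' . esc_attr( $hook ) . '" />';
		// The second argument is used for both name and id of the hidden input,
		// so the two forms no longer both emit id="_wpnonce".
		wp_nonce_field( $form['action'], $form['field'] );
		echo '<input type="text" name="value" value="' . esc_attr( get_option( $form['option'], '' ) ) . '" />';
		// Plain button without an id, so the example adds no duplicate ids of its own.
		echo '<button type="submit" class="button button-primary">Save</button>';
		echo '</form>';
	}
}

foreach ( EX_FORMS as $hook => $form ) {
	// admin-post.php fires admin_post_{action} for logged-in users.
	add_action( 'admin_post_' . $hook, function () use ( $form ) {
		if ( ! current_user_can( 'manage_options' ) ) {
			wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
		}
		// Must name the same action and field as wp_nonce_field() above;
		// the request is rejected if that field is missing or invalid.
		check_admin_referer( $form['action'], $form['field'] );
		$value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
		update_option( $form['option'], $value );
		wp_safe_redirect( admin_url( 'options-general.php?page=ex-settings' ) );
		exit;
	} );
}
```

Because each form has its own action string, a nonce issued for one form does not validate for the other.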
