Opened 17 years ago
Closed 15 years ago
#6564 closed defect (bug) (wontfix)
Multiple admin forms means multiple ID="_wpnonce", rendering XHTML invalid
Reported by: | markjaquith | Owned by: | markjaquith |
---|---|---|---|
Milestone: | | Priority: | low |
Severity: | minor | Version: | 2.5 |
Component: | Validation | Keywords: | |
Focuses: | | Cc: | |
Description
If you have more than one nonced admin form on one page, you'll have multiple hidden inputs with an ID of "_wpnonce" which renders the XHTML invalid.
autosave.js appears to rely on that ID ... one solution would be to increment the ID each time it is used: _wpnonce, _wpnonce2, _wpnonce3.
It's a hidden form field, so the only real use for the ID is in jQuery, and it doesn't appear we're using it other than in autosave (and there's only one _wpnonce ID on the write screen).
Attachments (1)
Change History (13)
#1
17 years ago
- Keywords has-patch needs-testing added
- Owner changed from anonymous to markjaquith
- Status changed from new to assigned
#2
17 years ago
Still, needs testing.
Just ran into this issue with some changes I'm making.
I've only looked at the patch, not tested it, but aren't there some changes needed to the validating function too?
#3
17 years ago
I've only looked at the patch, not tested it, but aren't there some changes needed to the validating function too?
Bah.. It's late, I realised it was the ID attribute changing, not the Name attribute, as I clicked Submit.
Tested and it works great for me, although it uses _wpnonce, and then _wpnonce2; that's a small thing which shouldn't affect much.
I don't think there are any locations with jQuery and multiple forms either.. but it probably deserves more investigation.
#5
16 years ago
Use the "name"-attribute and drop the "id"-attribute instead. That should be OK with HTML and it will fix that _wpnonce isn't a valid HTML ID value. I will take a look into it and provide a new patch.
#6
16 years ago
Similar problem with "_ajax_nonce"; it should be used as name as well, instead of as ID.
#10
15 years ago
- Milestone changed from 2.9 to Future Release
Not sure if we should do that. If more than one nonce is needed on the same page a much better option is to pass unique name/id to each: wp_nonce_field( 'check-this-nonce', 'for-this-name' );
#12
15 years ago
- Keywords needs-patch removed
- Milestone Future Release deleted
- Resolution set to wontfix
- Status changed from accepted to closed
In #13383 we have replaced all the multiple ID="_wpnonce" in core with a custom name/id, see comment:10.
Plugin/theme devs should do this too.
I will close this ticket as wontfix. If someone thinks that this is essential, then re-open the ticket please.
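The approach from comment:10, sketched as an added example (not code from this ticket, its patch, or WordPress core): a plugin admin page with two nonced forms, each passing its own action and field name to wp_nonce_field() and verifying with the same pair. The `tnf_` names, the page slug and the form labels are hypothetical, and the file is assumed to be loaded as a WordPress plugin.

```php
<?php
/**
 * Plugin Name: Two Nonced Forms (illustration only)
 */

// Hypothetical action/field pairs, one per form on the page.
const TNF_FORMS = array(
    'export' => array( 'action' => 'tnf_export', 'field' => 'tnf_export_nonce' ),
    'purge'  => array( 'action' => 'tnf_purge',  'field' => 'tnf_purge_nonce' ),
);

add_action( 'admin_menu', function () {
    add_management_page( 'Two Forms', 'Two Forms', 'manage_options', 'tnf', 'tnf_render_page' );
} );

function tnf_render_page() {
    echo '<div class="wrap"><h1>Two Forms</h1>';
    foreach ( TNF_FORMS as $label => $form ) {
        printf( '<form method="post" action="%s">', esc_url( admin_url( 'admin-post.php' ) ) );
        printf( '<input type="hidden" name="action" value="%s" />', esc_attr( $form['action'] ) );
        // The second argument is used for both name and id of the hidden
        // input, so neither form emits id="_wpnonce".
        wp_nonce_field( $form['action'], $form['field'] );
        // Plain submit input without an id, so the buttons do not collide either.
        printf( '<input type="submit" class="button button-primary" value="%s" />', esc_attr( ucfirst( $label ) ) );
        echo '</form>';
    }
    echo '</div>';
}

foreach ( TNF_FORMS as $form ) {
    add_action( 'admin_post_' . $form['action'], function () use ( $form ) {
        // Capability check first: a nonce ties the request to the user's
        // session and intent, it does not authorize the action.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Forbidden', '', array( 'response' => 403 ) );
        }
        // Must name the same field the form used; the default '_wpnonce'
        // would not be present in this request and the check would fail.
        check_admin_referer( $form['action'], $form['field'] );
        // ... perform the form's action here ...
        wp_safe_redirect( admin_url( 'tools.php?page=tnf' ) );
        exit;
    } );
}
```

Because each nonce is bound to its own action string, a token lifted from the export form is rejected by the purge handler.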
6564.001.diff
uses _wpnonce{2,3,4...} if _wpnonce has already been used. The name stays as "_wpnonce" so this won't break the nonce functionality. Need to make sure that autosave isn't affected and that there aren't any instances of multiple _wpnonce's that are jQueried. I'm guessing there aren't, and even if there are, it should grab the first one anyway, so no change in functionality. Still, needs testing.