Opened 3 months ago

Last modified 2 months ago

#54106 new defect (bug)

wp_nonce_field in get forms

Reported by: msolution
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: General
Keywords:
Focuses: administration, performance
Cc:

Description

Hey,
While testing one of the plugins, I came across this issue.
To recreate the issue:

  1. create an admin side form with method=get
  2. add wp_nonce_field() to the form, which in turn also gets wp_referer_field()
  3. every time you submit, the hidden field _wp_http_referer gets an additional version of _wp_http_referer in the value.
  4. there comes a time where the form is huge and it won't submit.

Solution:
We should have remove_query_arg() inside the function wp_referer_field(), to remove any instance of _wp_http_referer in the $_SERVER['REQUEST_URI'].

Hope this helps.
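The growth described in the steps above, and the effect of the proposed fix, as an added stand-alone example that is not part of the ticket or of WordPress core. It runs without WordPress; referer_field_value(), strip_referer_arg() and submit_get_form() are hypothetical stand-ins, and the admin URL and form fields are constructed samples.

```php
<?php
// Stand-alone model of the behaviour reported in this ticket.
// All function names here are hypothetical stand-ins, not core functions.

// Reported behaviour: the hidden field carries the current request URI verbatim.
function referer_field_value(string $request_uri): string {
    return $request_uri;
}

// Proposed behaviour: drop any _wp_http_referer argument first, which is what
// remove_query_arg( '_wp_http_referer' ) would do inside WordPress.
function strip_referer_arg(string $request_uri): string {
    $parts = explode('?', $request_uri, 2);
    if (count($parts) < 2) {
        return $request_uri; // no query string, nothing to strip
    }
    parse_str($parts[1], $args);
    unset($args['_wp_http_referer']);
    return $args ? $parts[0] . '?' . http_build_query($args) : $parts[0];
}

// One GET submit: the browser serialises every form field into the query
// string, so the referer value becomes part of the next request URI.
function submit_get_form(string $request_uri, callable $field_value): string {
    $fields = [
        'page'             => 'my-items',  // constructed sample
        's'                => 'test',      // constructed sample
        '_wpnonce'         => 'abc123',    // constructed value
        '_wp_http_referer' => $field_value($request_uri),
    ];
    return '/wp-admin/admin.php?' . http_build_query($fields);
}

// Submit the same form six times under each model and report the URL length.
foreach (['referer_field_value', 'strip_referer_arg'] as $model) {
    $uri = '/wp-admin/admin.php?page=my-items';
    echo $model, "\n";
    for ($i = 1; $i <= 6; $i++) {
        $uri = submit_get_form($uri, $model);
        printf("  submit %d: %d bytes\n", $i, strlen($uri));
    }
}
```

In a plugin, passing false as the third ($referer) argument of wp_nonce_field() omits the referer field from the form altogether.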

Attachments (1)

54106.txt (1.2 KB) - added by msolution 8 weeks ago.
A simple WordPress admin panel, which I was required to make the form method as get. It has a walker class listing items, the search form is what I'm talking about, after too many searches


Change History (3)

This ticket was mentioned in Slack in #core-test by hellofromtonya. View the logs.


2 months ago

#2 @justinahinon
2 months ago

Hello @msolution, thanks for opening the ticket.

Could you add more details to reproduce the issue? Where are you adding the admin form?
Do you mind adding a code snippet?

@msolution
8 weeks ago

A simple WordPress admin panel, which I was required to make the form method as get. It has a walker class listing items, the search form is what I'm talking about, after too many searches
