[wp-hackers] Any other way to do it? (or, do we really need Nonces?)
Jeremy Visser
jeremy.visser at gmail.com
Sat Mar 3 03:30:21 GMT 2007
Elliotte Harold wrote:
> We've been down this road before. Believe it or not the answer seems to
> be so WP can style the buttons and links a certain way, nothing more.
This sounds like a _really_ bad reason to do so. (Perhaps even against
WP's philosophy?)
It is really not hard to style a <button> or <input> like a link:
input[type=submit], input[type=button], input[type=reset],
button {
    border: none;
    background-color: transparent;
    font-family: inherit;
    color: blue;
    text-decoration: underline;
}
> It really is broken, and is going to continue to be a cause of security
> holes, but I have personally despaired of this being fixed short of a fork.
It is not going to eliminate security holes. Even on POST forms, you
still need the nonce:
<input type="hidden" name="nonce" value="_deadbeef" />
But with the POST forms, at least it stops a rogue prefetching program
like Google Web Accelerator from randomly deleting posts/comments.
Well, I have to admit GWA isn't a problem anymore, as it's hardcoded not
to prefetch links that contain a '?' in them. Apparently, Backpack users
complained of things disappearing by themselves, and they narrowed down
the cause to GWA.
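The two-layer check the post argues for (a handler that only acts on POST, plus a nonce on the form), as an added example in Python rather than WordPress's PHP; it is not code from the post or from WordPress. The secret, the tick-based nonce derivation and the handle_delete name are assumptions made for the example.

```python
import hmac
import hashlib

# Constructed example secret; a real deployment loads it from configuration.
SERVER_SECRET = b"example-secret-not-for-production"

def make_nonce(user_id: str, action: str, tick: int) -> str:
    """Derive a per-user, per-action nonce bound to a coarse time window (tick)."""
    msg = f"{user_id}|{action}|{tick}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:20]

def verify_nonce(nonce: str, user_id: str, action: str, tick: int) -> bool:
    """Accept the nonce for the current tick or the previous one, compared in constant time."""
    return any(hmac.compare_digest(nonce, make_nonce(user_id, action, t))
               for t in (tick, tick - 1))

def handle_delete(method: str, params: dict, user_id: str, tick: int) -> str:
    """Server-side handler for a state-changing action (hypothetical name)."""
    # 1. Never act on GET: a prefetcher that follows links cannot trigger a delete.
    if method != "POST":
        return "405 use POST"
    # 2. POST alone is not enough: a form on another site can POST with the
    #    user's cookies, so the request must carry a nonce that only a page
    #    rendered for this user and this action could contain.
    nonce = params.get("nonce", "")
    if not verify_nonce(nonce, user_id, "delete-post", tick):
        return "403 bad nonce"
    return f"200 deleted post {params['post_id']}"
```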