[wp-trac] [WordPress Trac] #40133: Adding nonce for additional fields when hooking to attachment_fields_to_edit causes media library grid view not to work
WordPress Trac
noreply at wordpress.org
Sun Mar 12 15:20:43 UTC 2017
#40133: Adding nonce for additional fields when hooking to
attachment_fields_to_edit causes media library grid view not to work
---------------------------+-----------------------------
 Reporter:  dingo_bastard  |       Owner:
     Type:  defect (bug)   |      Status:  new
 Priority:  normal         |   Milestone:  Awaiting Review
Component:  Media          |     Version:  4.7.3
 Severity:  normal         |    Keywords:
  Focuses:                 |
---------------------------+-----------------------------
When I'm adding additional fields via the `attachment_fields_to_edit` hook, to
show them on the 'Attachment Details' screen, if I want to add a nonce field
to ensure security when saving these new fields, the media screen just
hangs, and the loader just spins on and on.
I'm not getting any error in my error log, so I'm not quite sure why this
happens.
I tried adding it as just
{{{#!php
wp_nonce_field( 'new_attachment_fields', 'new_attachment_fields_nonce' );
}}}
Or as this
{{{#!php
$form_fields['nonce']['label'] = '';
$form_fields['nonce']['input'] = 'html';
$form_fields['nonce']['html']  = wp_nonce_field( 'new_attachment_fields', 'new_attachment_fields_nonce' );
}}}
but each time the loader hangs, and I cannot see any images in the grid
view or access the 'Attachment Details' screen.
Now I can add the fields without nonce, but how safe is that?
I'm updating post meta of the attachment using the `update_post_meta()`
function, which properly sanitizes everything before writing it to the
database, so is there a need to worry about this, or not?
Technically you can enable the 'Attachment Details' to appear on the front
end using `wp.media` handler (for whatever reason), which exposes it to
the public.
Is it necessary to add the nonce check before updating post meta, or am I
being overly cautious/paranoid? :D
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40133>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
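The pattern the reporter is reaching for, written out as an added example that is not code from the ticket or from WordPress core. `wp_nonce_field()` echoes by default, and the attachment fields are built while core answers the `query-attachments` AJAX request, so anything printed there lands in front of the JSON the grid view parses and the modal never renders; passing `false` as the fourth `$echo` argument returns the markup instead. The save side verifies the nonce and the user's `edit_post` capability before touching meta, and sanitizes the value itself, because `update_post_meta()` only prepares the SQL and does not clean the content. `attachment_fields_to_edit`, `attachment_fields_to_save`, `wp_nonce_field()` and `wp_verify_nonce()` are core API; the `example_` function names, the `_example_credit` meta key and the nonce action and field names are assumptions made for this example.

```php
<?php
// Added example, not from the ticket: a nonce-protected extra field on the
// 'Attachment Details' screen. All example_* names and the meta key are made up.

add_filter( 'attachment_fields_to_edit', 'example_attachment_fields_to_edit', 10, 2 );

/**
 * Add a "Photo credit" text field plus a hidden nonce to the attachment form.
 *
 * @param array   $form_fields Fields collected so far by core.
 * @param WP_Post $post        The attachment being edited.
 * @return array
 */
function example_attachment_fields_to_edit( $form_fields, $post ) {
	// $echo = false: return the hidden inputs instead of printing them.
	// Printing here would corrupt the JSON response of the media grid's AJAX request.
	$nonce_html = wp_nonce_field( 'example_attachment_fields', 'example_attachment_fields_nonce', true, false );

	$form_fields['example_credit'] = array(
		'label' => 'Photo credit',
		'input' => 'text',
		'value' => get_post_meta( $post->ID, '_example_credit', true ),
	);

	// 'html' inputs are emitted verbatim, so the nonce inputs end up inside the form.
	$form_fields['example_nonce'] = array(
		'label' => '',
		'input' => 'html',
		'html'  => $nonce_html,
	);

	return $form_fields;
}

add_filter( 'attachment_fields_to_save', 'example_attachment_fields_to_save', 10, 2 );

/**
 * Verify the nonce and capability, then persist the submitted value.
 *
 * The modal serialises every input in the compat form, so the nonce arrives as
 * a top-level $_POST key while the custom field arrives in $attachment.
 *
 * @param array $post       Attachment post data as an array.
 * @param array $attachment Submitted field values for this attachment.
 * @return array
 */
function example_attachment_fields_to_save( $post, $attachment ) {
	$nonce = isset( $_POST['example_attachment_fields_nonce'] )
		? sanitize_text_field( wp_unslash( $_POST['example_attachment_fields_nonce'] ) )
		: '';

	// Refuse silently on a missing or stale nonce; core still saves its own fields.
	if ( ! wp_verify_nonce( $nonce, 'example_attachment_fields' ) ) {
		return $post;
	}

	if ( ! current_user_can( 'edit_post', $post['ID'] ) ) {
		return $post;
	}

	if ( isset( $attachment['example_credit'] ) ) {
		// update_post_meta() escapes for SQL only, so clean the value here.
		$credit = sanitize_text_field( wp_unslash( $attachment['example_credit'] ) );
		update_post_meta( $post['ID'], '_example_credit', $credit );
	}

	return $post;
}
```

Dropping this into a plugin file is enough to exercise it: the grid view loads, the field shows in the modal sidebar, and a request that omits or tampers with `example_attachment_fields_nonce` leaves the meta untouched. Both checks are cheap, and keeping them in the save filter means the field stays protected even if the form is later rendered somewhere core's own nonce for the AJAX handler does not apply.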