[wp-trac] [WordPress Trac] #21277: Remove unused nonce fields in site-themes.php and site-users.php

WordPress Trac wp-trac at lists.automattic.com
Sun Jul 15 05:18:54 UTC 2012


#21277: Remove unused nonce fields in site-themes.php and site-users.php
---------------------------+-----------------------------
 Reporter:  jeremyfelt     |      Owner:
     Type:  enhancement    |     Status:  new
 Priority:  normal         |  Milestone:  Awaiting Review
Component:  Network Admin  |    Version:  3.1
 Severity:  trivial        |   Keywords:  has-patch
---------------------------+-----------------------------
 In [[changeset:16242]] from [[ticket:14897]],
 `check_admin_referer( 'edit-site' )` was removed during a massive reorg of
 site-themes.php. Additional
 nonce checks were added via the nonce audit in [[ticket:15969]], but the
 nonce field generation for the original edit-site was never removed. This
 currently results in the generation of two hidden inputs with
 `name="_wp_nonce"`.

 `check_admin_referer( 'edit-site' )` was also removed for site-users.php
 in [[changeset:16560]], but the 2 associated nonce field(s) remained. A
 3rd 'edit-site' nonce field was added in [[changeset:16585]] when a new
 form was added, but that has been unnecessary.

 The attached patch removes all 4 instances of
 `wp_nonce_field( 'edit-site' )` across site-themes.php and site-users.php
 as they are no longer
 required in either.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/21277>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
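
An added example, not part of the ticket or the attached patch: a small Python audit that flags `wp_nonce_field()` actions with no matching `check_admin_referer()` in the same file, which is the condition this ticket describes. The file name, the `example-bulk` action and the sample source are constructed; the script assumes literal-string actions and that a form and its handler live in one file.

```python
import re
from collections import Counter

# First literal-string argument of either call. Assumption: the action is a
# plain quoted string; dynamic actions such as 'edit-' . $id are not matched.
CALL = re.compile(
    r"\b(wp_nonce_field|check_admin_referer)\s*\(\s*(['\"])(.+?)\2"
)

def orphaned_nonce_fields(sources):
    """Map {filename: php_source} to {filename: {action: field_count}} for
    every nonce action that is emitted as a field but never verified."""
    report = {}
    for name, php in sources.items():
        fields, checks = Counter(), set()
        for func, _quote, action in CALL.findall(php):
            if func == "wp_nonce_field":
                fields[action] += 1      # hidden input generated
            else:
                checks.add(action)       # nonce verified on submit
        orphans = {a: n for a, n in fields.items() if a not in checks}
        if orphans:
            report[name] = orphans
    return report

# Constructed sample: one action is verified, 'edit-site' is emitted twice
# but its check_admin_referer() call is gone.
SAMPLE = {
    "site-example.php": """<?php
if ( $action ) {
    check_admin_referer( 'example-bulk' );
}
?>
<form method="post">
<?php wp_nonce_field( 'edit-site' ); ?>
<?php wp_nonce_field( 'example-bulk' ); ?>
</form>
<form method="post">
<?php wp_nonce_field( 'edit-site' ); ?>
</form>
""",
}

if __name__ == "__main__":
    for path, orphans in orphaned_nonce_fields(SAMPLE).items():
        for action, count in orphans.items():
            print(f"{path}: {count} unverified nonce field(s) for '{action}'")
```

A hit is a lead for manual review, not proof of a gap: a field may be verified by a handler in another file.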