[wp-trac] [WordPress Trac] #42477: Cannot save theme customizer changes if nonce_life value is filtered in the active theme
WordPress Trac
noreply at wordpress.org
Thu Nov 9 20:13:44 UTC 2017
#42477: Cannot save theme customizer changes if nonce_life value is filtered in the
active theme
--------------------------+------------------------------
 Reporter:  figureone     |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Customize     |     Version:  4.8.3
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:  administration
--------------------------+------------------------------

Comment (by figureone):

Thanks @dd32, here's a simple demonstration theme (child theme of
twentyseventeen) that simply changes the nonce_life value:
https://github.com/uhm-coe/twentyseventeen-child-demonstrate-nonce_life-bug

If you activate that theme and then go into the theme customizer, you'll
see the behavior:

* Changing a value (e.g., Site Title), then clicking //Save & Publish//,
then refreshing the page will show that the change was not made (it fails
silently).
* Changing a value (e.g., Site Title), then blurring the page by clicking
outside the window will successfully create a changeset. If you then click
//Save & Publish//, the changeset does get published.

In tracing the code, I discovered the inconsistent behavior was because
the ajax action for submitting changeset data uses
`$_POST['customize_changeset_data']`, while the ajax action for the //Save
& Publish// button uses `$_POST['customized']`. The core commit referenced
in the OP only clears `$_POST['customized']` if the nonce check fails.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/42477#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
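
Added example, not part of the original comment or of WordPress core: a stand-alone PHP model of the nonce tick calculation, showing why a nonce issued under a filtered `nonce_life` fails a check made with the default lifetime. That the check runs without the theme's filter in effect is an assumption here, and the salt, action string, user id, session token and 4-hour lifetime are constructed sample values.

```php
<?php
// Stand-alone model of WordPress nonce handling; runs without WordPress.
// All constants and inputs below are constructed sample values.
const DEFAULT_NONCE_LIFE = 86400;      // core default: one day, in seconds
const THEME_NONCE_LIFE   = 4 * 3600;   // hypothetical value returned by a theme's nonce_life filter
const SALT               = 'constructed-sample-salt';

// Same shape as wp_nonce_tick(): time is divided into half-lifetime ticks.
function nonce_tick(int $now, int $life): int {
    return (int) ceil($now / ($life / 2));
}

// Same shape as wp_create_nonce(): 10 characters of an HMAC over tick, action, user and session.
function make_nonce(int $tick, string $action, int $uid, string $token): string {
    return substr(hash_hmac('md5', "$tick|$action|$uid|$token", SALT), -12, 10);
}

// Same shape as wp_verify_nonce(): 1 for the current tick, 2 for the previous one, false otherwise.
function verify_nonce(string $nonce, int $now, int $life, string $action, int $uid, string $token) {
    $tick = nonce_tick($now, $life);
    if (hash_equals(make_nonce($tick, $action, $uid, $token), $nonce)) {
        return 1;
    }
    if (hash_equals(make_nonce($tick - 1, $action, $uid, $token), $nonce)) {
        return 2;
    }
    return false;
}

$now    = 1510258424;            // constructed timestamp
$action = 'save-customize_demo'; // constructed action string
$uid    = 1;
$token  = 'constructed-session-token';

// Nonce issued while the theme's filter is active.
$nonce = make_nonce(nonce_tick($now, THEME_NONCE_LIFE), $action, $uid, $token);

printf("tick with theme lifetime:   %d\n", nonce_tick($now, THEME_NONCE_LIFE));
printf("tick with default lifetime: %d\n", nonce_tick($now, DEFAULT_NONCE_LIFE));

// Checked with the same lifetime: accepted.
var_dump(verify_nonce($nonce, $now, THEME_NONCE_LIFE, $action, $uid, $token));
// Checked with the default lifetime (assumed: filter not in effect): rejected.
var_dump(verify_nonce($nonce, $now, DEFAULT_NONCE_LIFE, $action, $uid, $token));
```

The two lifetimes put the same instant in different ticks, so the HMAC inputs differ and the second check returns `false` even though the nonce was issued moments earlier.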