[wp-trac] [WordPress Trac] #43667: signup_nonce_check does not use wp_verify_nonce.
WordPress Trac
noreply at wordpress.org
Mon Apr 9 17:22:30 UTC 2018
#43667: signup_nonce_check does not use wp_verify_nonce.
-------------------------------------+------------------------
Reporter: herregroen | Owner: flixos90
Type: defect (bug) | Status: reviewing
Priority: normal | Milestone: 5.0
Component: Login and Registration | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch needs-refresh | Focuses: multisite
-------------------------------------+------------------------
Changes (by flixos90):

* keywords: has-patch => has-patch needs-refresh

Comment:

Some thoughts:

* Do we need to add the link to the registration form? When clicking that,
the user will have to re-enter their data. Without a link present, the
user would likely hit the browser's back button, still having their data
present.
* It's clear that the above isn't user-friendly in either case. I just
noticed that when this error happens, the `wp_die()` is executed ''in''
the HTML content, causing ridiculously invalid markup. Since the method is
hooked into the `wpmu_validate_blog_signup` and
`wpmu_validate_user_signup` filters, both of which pass a `$result` array
containing an `errors` key which is a `WP_Error` object, I think we should
instead add that message to that `WP_Error` instance. This should cause it
to be printed out in the content correctly, and the process will still
fail. In that case, of course a link is no longer necessary anyway.

While the issue described under the second point is not caused by this
patch, I think while we fix this one issue, we might as well fix the other
as it's clearly broken.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43667#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
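
The approach proposed in the comment above, as an added example that is not part of the original message and is not WordPress core code: one callback hooked to both filters verifies the nonce with `wp_verify_nonce()` and records a failure on the `WP_Error` object in `$result['errors']` instead of calling `wp_die()`. The function name, error code, message text, POST field names and the `wp-signup.php` guard are assumptions.

```php
<?php
/**
 * Added example, not WordPress core code. The function name, the error code
 * 'invalid_nonce', the message text and the POST field names are assumptions.
 */
function example_signup_nonce_check( $result ) {
	// Assumption: the filters can also run outside the public signup page,
	// so the nonce is only enforced for requests to wp-signup.php.
	if ( false === strpos( $_SERVER['PHP_SELF'], 'wp-signup.php' ) ) {
		return $result;
	}

	// Treat missing or non-string fields as empty so they fail verification
	// instead of raising notices.
	$form_id = ( isset( $_POST['signup_form_id'] ) && is_string( $_POST['signup_form_id'] ) )
		? wp_unslash( $_POST['signup_form_id'] )
		: '';
	$nonce = ( isset( $_POST['_signup_form'] ) && is_string( $_POST['_signup_form'] ) )
		? wp_unslash( $_POST['_signup_form'] )
		: '';

	// wp_verify_nonce() returns false for a missing, expired or forged nonce.
	if ( ! wp_verify_nonce( $nonce, 'signup_form_' . $form_id ) ) {
		// Both filters pass a WP_Error object under the 'errors' key; create
		// one defensively if an earlier callback removed it.
		if ( ! isset( $result['errors'] ) || ! ( $result['errors'] instanceof WP_Error ) ) {
			$result['errors'] = new WP_Error();
		}

		// Recording the failure here lets the signup form render the message
		// in valid markup; a non-empty WP_Error still stops the signup.
		$result['errors']->add(
			'invalid_nonce',
			__( 'Unable to submit this form, please try again.' )
		);
	}

	return $result;
}

// The same callback serves both validation filters named in the comment.
add_filter( 'wpmu_validate_user_signup', 'example_signup_nonce_check' );
add_filter( 'wpmu_validate_blog_signup', 'example_signup_nonce_check' );
```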