[wp-trac] [WordPress Trac] #23165: Admin validation errors on form nonce element IDs (_wpnonce)
WordPress Trac
noreply at wordpress.org
Thu Dec 19 19:41:07 UTC 2019
#23165: Admin validation errors on form nonce element IDs (_wpnonce)
-------------------------------------------------+-------------------------
Reporter: bpetty                                 | Owner: (none)
Type: enhancement                                | Status: new
Priority: normal                                 | Milestone: Awaiting Review
Component: Security                              | Version:
Severity: normal                                 | Resolution:
Keywords: needs-codex has-patch needs-refresh    | Focuses: administration
-------------------------------------------------+-------------------------
Comment (by aduth):
As an update to my
[https://core.trac.wordpress.org/ticket/23165#comment:14 previous
comment], the duplicate ID console warnings appear to have landed in a
stable version of Chrome. As of WordPress 5.3.2 in Chrome 79, navigating
to the block editor (Posts > Add New) will display a console warning about
non-unique IDs.
As noted in previous comments, this could be resolved by using unique
names for the two fields using the default `$name` on the editor screen:
https://github.com/WordPress/wordpress-develop/blob/2fad299/src/wp-admin/includes/post.php#L2262
https://github.com/WordPress/wordpress-develop/blob/2fad299/src/wp-admin/includes/post.php#L2380
However, at least for the `update-post` nonce, this can have rippling
side-effects, because the `'_wpnonce'` field name has hard-coded
references elsewhere:
https://github.com/WordPress/wordpress-develop/blob/2fad299/src/wp-admin/includes/post.php#L1934
At least in this case, it might be enough to update the other
`'toggle-custom-fields'` nonce field to avoid using the default name, but I was
also curious to explore a solution at a framework level.
As mentioned in the original comment, the original application of an ID to
this element is unfortunate, and now that it exists, there would be
backwards-compatibility concerns in removing it. However, we might still
be able to work within this constraint by generating unique IDs for all
but the first use of a nonce name.
The above patch takes this approach.
Considering default use of the function in using a `$name` value of
`'_wpnonce'`, this guarantees:
- The `input` name will always be `'_wpnonce'`
- Existing use relying on an ID of `'_wpnonce'` will continue to work as
expected, since the ID will still be used for the first occurrence of the
field in a page
- Any reuse of the name will assign a unique ID by tracking an
incrementing count (per name) in global scope.
As far as implementation, a
[https://www.php.net/manual/en/language.variables.scope.php#language.variables.scope.static static variable]
scoped to the function could be used instead of a global
variable. However, for the purpose of resetting this value between test
cases, I admit to not being aware of an option to reset the internal
static value.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/23165#comment:15>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
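As an added illustration of the approach discussed in the comment above (first use of a nonce name keeps its ID, every reuse gets a unique one, the `name` attribute never changes), here is a stand-alone PHP sketch; it is not WordPress core code and not the patch attached to the ticket, and the `example_*` function names, the global counter and the nonce value are constructed for the demonstration.

```php
<?php
// Added illustration, not WordPress core code. The example_* helpers and the
// nonce value below are constructed stand-ins for the real nonce functions.

/**
 * Build the hidden <input> markup for a nonce field.
 *
 * The first field emitted for a given $name keeps id="$name", so existing
 * code that looks the field up by the ID '_wpnonce' keeps working. Every
 * later field with the same $name gets id="$name-2", "$name-3", ... so the
 * rendered page no longer contains duplicate element IDs. The name attribute
 * is never altered, because form handlers read $_POST['_wpnonce'] verbatim.
 */
function example_nonce_field_markup( $nonce_value, $name = '_wpnonce' ) {
    // Per-name counter kept in a global so test cases can reset it; a static
    // variable would also work but cannot be reset from outside the function.
    global $example_nonce_id_counts;
    if ( ! is_array( $example_nonce_id_counts ) ) {
        $example_nonce_id_counts = array();
    }
    $count = isset( $example_nonce_id_counts[ $name ] )
        ? $example_nonce_id_counts[ $name ] + 1
        : 1;
    $example_nonce_id_counts[ $name ] = $count;

    $id = ( 1 === $count ) ? $name : $name . '-' . $count;

    return sprintf(
        '<input type="hidden" id="%s" name="%s" value="%s" />',
        htmlspecialchars( $id, ENT_QUOTES, 'UTF-8' ),
        htmlspecialchars( $name, ENT_QUOTES, 'UTF-8' ),
        htmlspecialchars( $nonce_value, ENT_QUOTES, 'UTF-8' )
    );
}

/** Reset the per-name counters between test cases (the reason for the global). */
function example_nonce_field_reset_ids() {
    global $example_nonce_id_counts;
    $example_nonce_id_counts = array();
}

// Constructed demonstration: two fields on one screen share the default name,
// a third uses its own name, then the counters are reset as a test would.
$nonce = 'constructed-nonce-value'; // WordPress would supply the real token here
echo example_nonce_field_markup( $nonce, '_wpnonce' ), "\n";
echo example_nonce_field_markup( $nonce, '_wpnonce' ), "\n";
echo example_nonce_field_markup( $nonce, 'example-second-nonce' ), "\n";
example_nonce_field_reset_ids();
echo example_nonce_field_markup( $nonce, '_wpnonce' ), "\n";
```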