[wp-trac] [WordPress Trac] #54106: wp_nonce_field in get forms

Fri Oct 7 05:43:31 UTC 2022

#54106: wp_nonce_field in get forms
-------------------------------------------------+-------------------------
 Reporter:  msolution                            |       Owner:  pbearne
     Type:  defect (bug)                         |      Status:  assigned
 Priority:  normal                               |   Milestone:  6.1
Component:  General                              |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  has-unit-tests has-patch has-        |     Focuses:
  testing-info needs-testing                     |  administration
-------------------------------------------------+-------------------------
Changes (by costdev):

 * keywords:  has-unit-tests has-patch needs-testing => has-unit-tests has-
     patch has-testing-info needs-testing

Comment:

 == Test Report

 Patch tested: https://github.com/WordPress/wordpress-develop/pull/2242

 === Steps to Reproduce or Test
 1. Create a new file `wp-content/plugins/test_54106.php` with the
 following contents:
 {{{#!php
 <?php

 /**
  * Plugin Name: #54106
  * Description: Adds an admin notice to test <a
 href='https://core.trac.wordpress.org/ticket/54106'>54106</a>.
  * Author:      WordPress Core Contributors
  * Author URI:  https://make.wordpress.org/core
  * License:     GPLv2 or later
  * Version:     1.0.0
  */

 add_action(
         'admin_notices',
         function() {
                 printf(
                         '<div class="notice notice-info">%1$s%2$s<form
 method="GET">%3$s%4$s</form><br></div>',
                         '<p><strong>Testing
 instructions:</strong><br>Click "Submit" and note the entry for
 <code>_wp_http_referer</code> in the URL each time.</p>',
                         '<p><strong>Expected results:</strong><br>Without
 patch: <code>_wp_http_referer</code> is repeatedly appended to the
 URL.<br>With patch: <code>_wp_http_referer</code> is not repeatedly
 appended to the URL.</p>',
                         wp_nonce_field(),
                         '<input type="submit">'
                 );
         }
 );
 }}}
 2. Navigate to `Dashboard`.
 3. 🐞 Submit the form in the admin notice. Then submit it again. Repeat as
 many times as you want to.

 === Expected Results
 When reproducing a bug:
 - ❌ `_wp_http_referer` will be added multiple times to the URL and the
 hidden `_wp_http_referer` form field.

 When testing a patch to validate it works as expected:
 - ✅ `_wp_http_referer` will not be added multiple times to the URL and
 the hidden `_wp_http_referer` form field.

 === Environment
 * Server: Apache (Linux)
 * WordPress: 6.1-beta2-54337-src
 * Browser: Chrome 106.0.0.0
 * OS: Windows 10
 * Theme: Twenty Twenty-Two
 * Plugins:
   * Test #16502 1.0.0

 ==== Actual Results
 When reproducing a bug:
 - ❌ Issue reproduced. `_wp_http_referer` was added multiple times to the
 URL and the hidden `_wp_http_referer` form field.

 When testing a patch to validate it works as expected:
 - ✅ Patch resolves the issue. `_wp_http_referer` was not added multiple
 times to the URL and the hidden `_wp_http_referer` form field.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/54106#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform