Ticket #2800 (closed enhancement: fixed)

Opened 2 years ago

Last modified 2 years ago

wp_nonce_field() could pass along HTTP_REFERER info

Reported by: markjaquith
Assigned to: markjaquith
Priority: normal
Milestone:
Component: Administration
Version: 2.1
Severity: normal
Keywords: has-patch 2nd-opinion
Cc:

Description

Sometimes we make use of the HTTP_REFERER in WordPress in order to redirect people after an action is performed.

Since all forms that do something use wp_nonce_field() anyway, we could just have wp_nonce_field echo out another hidden form input:

echo '<input type="hidden" name="wp_http_referer" value="'. wp_specialchars(stripslashes($_SERVER['REQUEST_URI'])) . '" />';

Might be nice being able to count on that! I'd make it its own function, that wp_nonce_field would call.

Attachments

2800.diff (1.4 kB) - added by robmiller on 06/11/06 03:43:38.
2800.2.diff (1.3 kB) - added by robmiller on 06/11/06 03:53:51.
Oops. This works :)
wp_referer.diff (2.0 kB) - added by markjaquith on 06/11/06 09:40:51.
wp_referer 4

Change History

06/08/06 10:05:07 changed by westi

I like this.

We need to make check_admin_referer unset the value in the _POST array if the nonce check fails as we cannot trust the information then.

06/11/06 03:43:38 changed by robmiller

  • attachment 2800.diff added.

06/11/06 03:43:50 changed by robmiller

This what we're after?

06/11/06 03:53:51 changed by robmiller

  • attachment 2800.2.diff added.

Oops. This works :)

06/11/06 08:33:36 changed by markjaquith

Good start, but we also need to be able to carry a REF along multiple requests.

e.g.

  1. do something, passing along ref to #1
  2. do something else, carrying along ref to #1
  3. return to #1.

This would obviously be two different fields. I'll whip something up.

06/11/06 09:30:29 changed by markjaquith

Something like this.

If your post will embark on a multiple-request journey before needing to return, you just manually invoke wp_original_referer_field() in the form. Forms in the interim only need to call the nonce call, and it'll pass on the original referer value. When you're ready for it, just call wp_get_original_referer() and you can zoom back to your starting location. An example case for that would be the new user editing stuff, whereby you return to the exact user search/browse page that you were on after you've performed multiple edits on a user's profile.
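Added example, not part of the ticket or its attached patches: a standalone PHP illustration of the flow discussed above, combining westi's point (discard the referer fields when the nonce check fails) with the original-referer carry across several requests. All demo_* function names, the demo_nonce and demo_original_referer field names, the HMAC stand-in for a nonce, and the same-site path check are assumptions made for this illustration; only the wp_http_referer field name comes from the ticket.

```php
<?php
// Added illustration: demo_* names and DEMO_SECRET are hypothetical; wp_http_referer is from the ticket.
const DEMO_SECRET = 'constructed-secret-for-illustration-only';

// Stand-in for a real nonce: an HMAC bound to the action name.
function demo_nonce(string $action): string { return hash_hmac('sha256', $action, DEMO_SECRET); }

// Hidden inputs: nonce, current page, plus any original referer already in the chain.
function demo_fields(string $action, string $request_uri, array $post): string {
    $fields = ['demo_nonce' => demo_nonce($action), 'wp_http_referer' => $request_uri];
    if (is_string($post['demo_original_referer'] ?? null)) {
        $fields['demo_original_referer'] = $post['demo_original_referer'];
    }
    $html = '';
    foreach ($fields as $name => $value) {
        $html .= sprintf("<input type=\"hidden\" name=\"%s\" value=\"%s\" />\n",
            $name, htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
    }
    return $html;
}

// Verify the nonce; on failure unset both referer fields so nothing later redirects to them.
function demo_check(string $action, array &$post): bool {
    $ok = is_string($post['demo_nonce'] ?? null) && hash_equals(demo_nonce($action), $post['demo_nonce']);
    if (!$ok) {
        unset($post['wp_http_referer'], $post['demo_original_referer']);
    }
    return $ok;
}

// Prefer the original referer; accept only a same-site path (no "//", "/\" or CR/LF).
function demo_redirect_target(array $post, string $fallback): string {
    foreach (['demo_original_referer', 'wp_http_referer'] as $key) {
        $v = $post[$key] ?? '';
        if (is_string($v) && preg_match('#^/(?![/\\\\])[^\r\n]*\z#', $v)) {
            return $v;
        }
    }
    return $fallback;
}

// Constructed requests: a valid mid-chain POST, then one with a forged nonce.
$good = ['demo_nonce' => demo_nonce('edit-user'), 'wp_http_referer' => '/admin/user-edit?id=7',
         'demo_original_referer' => '/admin/users?s=smith&page=3'];
$bad = ['demo_nonce' => 'forged', 'wp_http_referer' => '/admin/not-where-the-user-was'];
echo demo_fields('edit-user', '/admin/user-edit?id=7', $good);
foreach ([$good, $bad] as $post) {
    $ok = demo_check('edit-user', $post);
    echo $ok ? 'ok ' : 'rejected ', demo_redirect_target($post, '/admin/'), "\n";
}
```

The second request carries a well-formed path, yet it falls back to the default target because the referer fields are removed before any redirect logic reads them.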

06/11/06 09:30:54 changed by markjaquith

  • keywords set to has-patch 2nd-opinion.
  • owner changed from anonymous to markjaquith.
  • status changed from new to assigned.

06/11/06 09:40:51 changed by markjaquith

  • attachment wp_referer.diff added.

wp_referer 4

06/24/06 05:38:39 changed by ryan

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [3908]) wp_get_referer() and friends from robmiller and markjaquith. fixes #2800

06/24/06 05:42:01 changed by ryan

(In [3909]) wp_get_referer() and friends from robmiller and markjaquith. fixes #2800

06/24/06 05:49:08 changed by ryan

  • milestone changed from 2.1 to 2.0.4.

I included a fix for #2853 when I committed this. Let's start spreading this to all places that use HTTP_REFERER. Now that referrers are not required to access the admin, people are tripping over redirect problems due to HTTP_REFERER being empty.

06/24/06 07:34:38 changed by ryan

(In [3918]) Use wp_get_referer(). fixes #2800

06/24/06 18:17:12 changed by ryan

(In [3919]) Have wp_referer_field() set the referer to the current page. fixes #2800

06/24/06 21:37:28 changed by ryan

(In [3923]) Use wp_get_referer(). fixes #2800 #2855

11/30/06 19:41:50 changed by

  • milestone deleted.

Milestone 2.0.4 deleted