WordPress.org

Is creating a nonce token for custom meta_box redundant? (3 posts)

  1. passepied
    Member
    Posted 1 year ago #

    Hello.
    Just as explained on the Codex page for the function "add_meta_box", I added a custom meta_box for a certain custom post type, like the following (using PHP 5.3):

    add_action("add_meta_boxes_somepost_type", function(){
      add_meta_box("HooHoo","hoo", function($post){
        //render hidden input field for nonce
        wp_nonce_field("HooHoo","hoo");//<-----(*)
    
        //render some <input> or <select> elements...
    
        //(abbr.)
    
      }); // end of meta box render callback
    }); // end of add_meta_boxes_somepost_type callback
    add_action("save_post", function($post_id, $post){
      //verify nonce (the field is absent when save_post fires without this form, so check existence first)
      if(!isset($_POST["hoo"]) || !wp_verify_nonce($_POST["hoo"],"HooHoo")) return;
    
      //and, verify anything else...
    
      add_post_meta($post_id, "hoo", sanitize_text_field($_POST["hoodata"]), true);
    },10,2);

    Also, in the example code shown on the Codex page, a callback for "add_meta_box" creates a special nonce token (at (*) in the above code) and an action hooked into "save_post" verifies the token. But a default nonce token "_wpnonce" is also created and is verified before the save_post action executes, by the function "check_admin_referer", and consequently the verification against CSRF is nearly complete before the special nonce created at the meta_box is verified. I think it is redundant to create and check a nonce token peculiar to a certain plugin.
    Does anyone know the reasons for creating such a nonce at the meta_box?

  2. bcworkz
    Member
    Posted 1 year ago #

    I'm not sure of this, but I believe this is because the 'save_post' action can fire for a number of reasons, for some of which there may not be a meta box value to save in $_POST, resulting in an error when the code tries to access it. The nonce confirms the form existed for the particular action that fired.

    It would probably suffice to use array_key_exists() for this purpose because, as you pointed out, the security issues relating to nonce use are handled by the main form handler. In this case, I think the nonce is merely a flag for "safe to save value" as opposed to its normal use as "POST request is legitimate".

    This is just my opinion. I speak with no special authority or knowledge of the Codex author's intent.
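The following is an added example illustrating both posts above; it is not code from the thread or from the Codex. It keeps passepied's names ("HooHoo", "hoo", "hoodata", "somepost_type") and writes the save handler the way bcworkz describes: the meta-box nonce is used as proof that this particular box's form was submitted, while the other reasons save_post fires (autosave, revision, quick edit, programmatic inserts) are handled explicitly instead of erroring on a missing $_POST key. The capability check and the use of update_post_meta() instead of add_post_meta() are my additions, not something either poster proposed.

```php
<?php
// Added example (not from the thread or the Codex). Assumes it runs inside a
// WordPress plugin or theme; all functions called are core WordPress APIs.

add_action( 'add_meta_boxes_somepost_type', function () {
    add_meta_box( 'HooHoo', 'hoo', function ( $post ) {
        // Hidden field: on save, its presence and validity prove that this
        // meta box's form was rendered by WordPress and submitted with the post.
        wp_nonce_field( 'HooHoo', 'hoo' );

        $value = get_post_meta( $post->ID, 'hoo', true );
        printf(
            '<input type="text" name="hoodata" value="%s" />',
            esc_attr( $value )
        );
    } );
} );

add_action( 'save_post', function ( $post_id, $post ) {
    // 1. save_post also fires for autosaves and revisions; the meta box form
    //    is not part of those requests, so there is nothing to read.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( wp_is_post_revision( $post_id ) ) {
        return;
    }

    // 2. Only the post type this box was registered for carries the field.
    if ( 'somepost_type' !== $post->post_type ) {
        return;
    }

    // 3. No nonce field at all means the request did not come from this meta
    //    box (quick edit, bulk edit, wp_insert_post() from code, REST, ...).
    //    This is the "flag" use bcworkz describes: treat it as "nothing to save",
    //    not as an attack, and return without touching $_POST['hoodata'].
    if ( ! isset( $_POST['hoo'] ) ) {
        return;
    }

    // 4. A nonce that is present but invalid (expired, or for another action)
    //    is refused. check_admin_referer() already covered CSRF for the edit
    //    form as a whole; this check binds the submitted value to this box.
    if ( ! wp_verify_nonce( $_POST['hoo'], 'HooHoo' ) ) {
        return;
    }

    // 5. A nonce proves intent, not permission: authorization is a separate check.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // 6. Only now read and sanitize the data. update_post_meta() replaces the
    //    stored value; add_post_meta(..., true) as in the thread would silently
    //    refuse to overwrite an existing one.
    if ( isset( $_POST['hoodata'] ) ) {
        $clean = sanitize_text_field( wp_unslash( $_POST['hoodata'] ) );
        update_post_meta( $post_id, 'hoo', $clean );
    }
}, 10, 2 );
```

Replacing steps 3 and 4 with a bare array_key_exists() on 'hoo', as bcworkz suggests, would still avoid the undefined-index error, but it would accept any request that happens to carry a field of that name, and it would lose the time limit a nonce carries. Keeping the verification costs one function call and means the per-box check stays correct even on a code path where the main form's nonce was not checked (a custom admin page or an AJAX handler that calls wp_update_post() directly).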

  3. passepied
    Member
    Posted 1 year ago #

    Thank you for your opinion!

Topic Closed

This topic has been closed to new replies.