wp_nonce_field in get forms

[msolution]

hey,
while testing one of plugins came across this issue.
recreate the issue:

1. create an admin side form with method=get
2. add wp_nonce_field() to the form, which in turn also gets wp_referer_field()
3. every time u submit, the hidden field _wp_http_referer gets an additional version of _wp_http_referer in the value.
4. there comes a time where the form is huge and it wont submit.

Solution:
we should have remove_query_arg() inside the function wp_referer_field(), to remove any instance of _wp_http_referer in the $_SERVER[REQUEST_URI]

Hope this helps.

[justinahinon]

Hello @msolution, thanks for opening the ticket.

Could you add more details to reproduce the issue? Where are you adding the admin form?
Do you mind adding a code snippet?

[msolution]

A simple WordPress admin panel, which i was required to make the form method as get. It has a walker class listing items, the search form is what im talking about, after too many searches

now removes _wp_http_referer from the url when creating a hidden input for _wp_http_referer

Trac ticket: https://core.trac.wordpress.org/ticket/54106

[kirasong]

This ticket was checked into at a ​bug scrub for 6.0 today.

It looks like the PR has some changes requested, and needs a refresh against trunk.

I'm going to update the keywords, and also move it out of the milestone for that reason.

If it's ready before RC, feel free to move it back in for consideration.

Thanks for all your work here!

[mukesh27]

Hi, @pbearne I left some feedback on PR Can you please address the PR feedback so it can move forward? It near to merge for 6.1 milestone.

[mukesh27]

Thanks @pbearne for addressing the PR feedback. PR is ready for the second review. @davidbaumwald Can you please re-review it?

@dream-encode @costdev Can you please re-review?

It's a core issue ​https://wordpress.slack.com/archives/C02RQBWTW/p1662025984130089?thread_ts=1661992665.658499&cid=C02RQBWTW That will be fixed soon, and then all tests will pass.

[audrasjb]

As per today's bug scrub, the current PR looks ready to go.
Thanks @Clorith for having a quick look on this with me :)

LGTM as well.
Thanks @pbearne

[mukesh27]

Thanks to @audrasjb and @Clorith for the reviews. I was wondering if it was on your list for 6.1? 

[chaion07]

@msolution thank you for reporting this. We reviewed the ticket during a recent bug-scrub session. Based on the feedback received we are making the following changes:

1. Adding keyword changes-requested since @mukesh27 had reviewed the PR recently
2. We are optimistic to see this land in 6.1 so hoping for the next steps to be executed ASAP!

Cheers!

Props to @mukesh27 @robinwpdeveloper & @hztyfoon

[msolution]

Dear @chaion07, @mukesh27, @robinwpdeveloper, @hztyfoon @pbearne @mikeschroder
thanks for looking into this, looking forward to this being included.

[davidbaumwald]

@adamsilverstein Indicated this is not performance related, and I tend to agree.

Also, this needs to be tested with the instructions at that top to see if the PR indeed does resolve the issue and that there aren't any unintended side effects.

I'm leaning toward punting this to 6.2 with 6.1 RC in a few days, but if this can be tested, I'm open to merging at that time.

[costdev]

Test Report

Patch tested: ​https://github.com/WordPress/wordpress-develop/pull/2242

Steps to Reproduce or Test

1. Create a new file wp-content/plugins/test_54106.php with the following contents:

   <?php
   
   /**
    * Plugin Name: 54106
    * Description: Adds an admin notice to test <a href='https://core.trac.wordpress.org/ticket/54106'>54106</a>.
    * Author:      WordPress Core Contributors
    * Author URI:  https://make.wordpress.org/core
    * License:     GPLv2 or later
    * Version:     1.0.0
    */
   
   add_action(
           'admin_notices',
           function() {
                   printf(
                           '<div class="notice notice-info">%1$s%2$s<form method="GET">%3$s%4$s</form><br></div>',
                           '<p><strong>Testing instructions:</strong><br>Click "Submit" and note the entry for <code>_wp_http_referer</code> in the URL each time.</p>',
                           '<p><strong>Expected results:</strong><br>Without patch: <code>_wp_http_referer</code> is repeatedly appended to the URL.<br>With patch: <code>_wp_http_referer</code> is not repeatedly appended to the URL.</p>',
                           wp_nonce_field(),
                           '<input type="submit">'
                   );
           }
   );
   

2. Navigate to Dashboard.
3. 🐞 Submit the form in the admin notice. Then submit it again. Repeat as many times as you want to.

Expected Results

When reproducing a bug:

• ❌ _wp_http_referer will be added multiple times to the URL and the hidden _wp_http_referer form field.

When testing a patch to validate it works as expected:

• ✅ _wp_http_referer will not be added multiple times to the URL and the hidden _wp_http_referer form field.

Environment

• Server: Apache (Linux)
• WordPress: 6.1-beta2-54337-src
• Browser: Chrome 106.0.0.0
• OS: Windows 10
• Theme: Twenty Twenty-Two
• Plugins:
  • 54106 1.0.0

Actual Results

When reproducing a bug:

• ❌ Issue reproduced. _wp_http_referer was added multiple times to the URL and the hidden _wp_http_referer form field.

When testing a patch to validate it works as expected:

• ✅ Patch resolves the issue. _wp_http_referer was not added multiple times to the URL and the hidden _wp_http_referer form field.

[mukesh27]

Test Report

I follow similar steps as above and it working fine.

Environment

• Server: Linux 06484d457c81
• WordPress: 6.1-beta3-54390-src
• Browser: Chrome 106.0.5249.103
• OS: Macos
• Theme: Twenty Twenty-Two
• Plugins:
  • 54106 1.0.0

[audrasjb]

Self assigning for final testing and commit.

Ah well… now it doesn't look good to me: this PR adds a new wpRefererFeld.php file in tests, but there's already a wpRefererField.php file :)

Ping @pbearne

@audrasjb Can you please review it. It's ready for final review and merge.

[audrasjb]

In 54449:

General: Remove instances of _wp_http_referer from GET forms in the admin.

This changeset removes all instances of _wp_http_referer variable from the URL when creating a hidden input for _wp_http_referer. It prevents the hidden field from having an additional version of _wp_http_referer each time the form is submitted.

Props msolution, justinahinon, pbearne, mikeschroder, mukesh27, audrasjb, Clorith, chaion07, robinwpdeveloper, hztyfoon, davidbaumwald, costdev, adamsilverstein.
Fixes #54106.

Committed in https://core.trac.wordpress.org/changeset/54449