Hiya Guido!
I would expect VSCF to already use its own nonce to verify the form data source, so you shouldn’t need to explicitly add your own nonce field for that purpose. If you need it for other purposes, use a different field ID/name and a different seed string to generate the nonce. Similar for the form handling code, VSCF should verify its nonce, you shouldn’t need to unless you’ve replaced the normal VSCF form handler.
To be clear, I’m only speculating, I’ve no experience with the VSCF plugin. To be certain, you should inquire at the VSCF dedicated support forum.
Thread Starter
Guido
(@guido07111975)
Hi BC!
I’m the developer of the VSCF plugin… 😉
Have added the nonce in my plugin because it can store form submissions in the database. And I want to do this safely, that’s why I’ve added the nonce.
But if you inspect the source code of the webpage I’ve added you will notice the nonce is generated twice. Strange… or not?
Guido
Hi!
The problem is in this line. By default wp_nonce_field() echoes the fields, so when you assign its return to $nonce you’re also echoing it.
Change
$nonce = wp_nonce_field( 'vscf_nonce_action', 'vscf_nonce' );
to
$nonce = wp_nonce_field( 'vscf_nonce_action', 'vscf_nonce', true, false );
and it will probably just echo the fields in line #339, like you’ve planned 🙂
Thread Starter
Guido
(@guido07111975)
Hi Felipe,
Yes indeed, that does the trick 🙂 Thanks. Resolved.
Guido
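The two halves discussed in this thread, shown together as an added example (not VSCF's code and not posted by anyone in the thread): the nonce field is returned rather than echoed when the form markup is built, and the nonce is verified before a submission is stored. It assumes it runs inside WordPress as part of a plugin; the function, shortcode and field names prefixed `example_` are hypothetical, while the nonce action and field name are the ones quoted above.

```php
<?php
// Added illustration, not VSCF's code. Names prefixed "example_" are
// hypothetical; 'vscf_nonce_action' and 'vscf_nonce' are taken from the thread.

function example_contact_form_shortcode() {
    $notice = '';

    // Handle a submission of this form before rendering it again.
    if ( 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['example_submit'] ) ) {
        $nonce = isset( $_POST['vscf_nonce'] )
            ? sanitize_text_field( wp_unslash( $_POST['vscf_nonce'] ) )
            : '';

        // wp_verify_nonce() returns false on failure and 1 or 2 on success,
        // so a missing or stale nonce takes the first branch.
        if ( ! wp_verify_nonce( $nonce, 'vscf_nonce_action' ) ) {
            $notice = '<p>' . esc_html__( 'Security check failed, please reload and try again.', 'example' ) . '</p>';
        } else {
            $message = isset( $_POST['example_message'] )
                ? sanitize_textarea_field( wp_unslash( $_POST['example_message'] ) )
                : '';
            // Only at this point would $message be written to the database.
            $notice = '<p>' . esc_html__( 'Thank you, your message was received.', 'example' ) . '</p>';
        }
    }

    // Fourth argument false: return the hidden fields instead of echoing them.
    // With the default (true) the fields are printed here AND returned, which
    // is how the nonce ended up in the page source twice.
    $nonce_field = wp_nonce_field( 'vscf_nonce_action', 'vscf_nonce', true, false );

    $form  = '<form method="post">';
    $form .= '<textarea name="example_message"></textarea>';
    $form .= $nonce_field;
    $form .= '<button type="submit" name="example_submit" value="1">Send</button>';
    $form .= '</form>';

    // Shortcode callbacks must return their output, never echo it.
    return $notice . $form;
}
add_shortcode( 'example_contact_form', 'example_contact_form_shortcode' );
```

For visitors who are not logged in, WordPress derives the nonce from user ID 0, so every anonymous visitor gets the same value within a nonce lifetime; the check confirms the request came from the site's own form, and the submitted fields still need sanitizing before storage.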