Authorization and intention/origination verification when using the edit_post hook
There have been reports of plugins that have started erasing their managed Custom Fields upon actions like comment submission. UTW was bitten, as was Jerome’s Keywords and some other plugins that use custom fields.
The problem was brought to light with the release of WordPress 2.1, but circumstances exist in older WP versions that would trigger these issues in some plugins.
The plugins are doing this:
- A plugin inserts a special form field into the post edit form.
- The plugin monitors the form field by hooking into edit_post.
- When the form value is empty or doesn’t exist, the plugin assumes the user deleted what was in it, and proceeds to delete all the custom values the plugin had stored for that post.
The issue occurs because the plugins assume that every time edit_post is triggered, their inserted form field will be included in $_POST. This isn’t the case. edit_post is called for requests that do not originate from the post edit form and for requests that are not initiated by a privileged user. Comment submission in WordPress 2.1 is one of these cases. Editing of a post in 2.1 (and earlier versions) via XML-RPC is another case.
Plugins cannot assume that the absence of a POST field means the POST field was submitted in an empty state, and plugins cannot assume that all calls to edit_post are performed by privileged users.
Here are the two things that plugins must do:
- Verify that the user performing the action is authorized to perform it, using the current_user_can() function or its siblings.
- Verify the intention of the user and the origination of the request by embedding a hidden form field with a nonce value, along with your usual custom field.
Here is an example:

```php
// Adds the plugin's own field plus a hidden nonce field to the post edit form.
function your_form_hook() {
	echo '<input type="text" name="your-plugin" id="your-plugin"
	value="' . your_get_value() . '" />
	<input type="hidden" name="your-plugin-verify-key" id="your-plugin-verify-key"
	value="' . wp_create_nonce('your-plugin') . '" />';
}
add_action('edit_form_advanced', 'your_form_hook');

function your_edit_post_hook($post_id) {
	// authorization: may this user edit this post at all?
	if ( !current_user_can('edit_post', $post_id) )
		return $post_id;
	// origination and intention: was our form submitted (nonce present and valid)?
	// isset() avoids a PHP notice when edit_post fires from somewhere else.
	if ( !isset($_POST['your-plugin-verify-key'])
		|| !wp_verify_nonce($_POST['your-plugin-verify-key'], 'your-plugin') )
		return $post_id;
	your_update($post_id); // do the actual update here
	return $post_id;
}
add_action('edit_post', 'your_edit_post_hook');
```
This is a post aimed at plugin authors, so I’d appreciate it if we could save the comment space below for plugin authors who have questions about this topic. If a particular plugin you’re using is erasing Custom Fields, please contact its author directly.
Note: I’ve mentioned the edit_post hook, but there are other similar hooks that the above also applies to. publish_post and save_post are two that come to mind.
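To make the failure concrete, here is an added example (not code from the original post or from any plugin named on this page) that puts the broken pattern beside the fixed one for a hypothetical my_keywords plugin; the my_* names and the _my_keywords meta key are assumptions, while the WordPress functions used are the real ones of that era.

```php
<?php
// Added example (not from the original post): a hypothetical "my_keywords"
// plugin storing a comma-separated keyword list in post meta. All my_* names
// and the meta key are assumptions; the WP functions are real ones of that era.
define( 'MY_KEYWORDS_META', '_my_keywords' );
function my_keywords_form() {
    global $post;
    $current = get_post_meta( $post->ID, MY_KEYWORDS_META, true );
    // attribute_escape() keeps a stored value from breaking out of the attribute.
    echo '<input type="text" name="my_keywords" id="my_keywords" value="'
        . attribute_escape( $current ) . '" />';
    // Hidden nonce field: proves the request came from this form, recently.
    wp_nonce_field( 'my_keywords_save', 'my_keywords_nonce' );
}
add_action( 'edit_form_advanced', 'my_keywords_form' );
// BROKEN (what the affected plugins did): any edit_post trigger that lacks the
// field, e.g. comment submission or XML-RPC, is mistaken for "the user cleared it".
function my_keywords_save_broken( $post_id ) {
    if ( empty( $_POST['my_keywords'] ) ) {
        delete_post_meta( $post_id, MY_KEYWORDS_META );
    } else {
        update_post_meta( $post_id, MY_KEYWORDS_META, $_POST['my_keywords'] );
    }
    return $post_id;
}
// FIXED: authorization, then origination/intention, then act on the value.
function my_keywords_save( $post_id ) {
    // 1. Authorization: only a user who may edit this post may change its meta.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return $post_id;
    }
    // 2. Origination and intention: the nonce exists only when our form was
    //    submitted; isset() avoids a PHP notice on unrelated edit_post calls.
    if ( ! isset( $_POST['my_keywords_nonce'] )
        || ! wp_verify_nonce( $_POST['my_keywords_nonce'], 'my_keywords_save' ) ) {
        return $post_id;
    }
    // 3. Past the nonce check "absent" cannot happen, so an empty value really
    //    means the user cleared the field.
    $value = isset( $_POST['my_keywords'] ) ? trim( $_POST['my_keywords'] ) : '';
    if ( '' === $value ) {
        delete_post_meta( $post_id, MY_KEYWORDS_META );
    } else {
        update_post_meta( $post_id, MY_KEYWORDS_META, $value );
    }
    return $post_id;
}
add_action( 'edit_post', 'my_keywords_save' );
```

The same my_keywords_save() can be attached to save_post or publish_post, which the note above says need the same treatment.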


[...] Mark explained the reason on his blog. Actually this problem is not limited to WordPress 2.1 [...]
WP 2.1 and UTW compatibility problem | 巧克力工厂 (Beta3)
January 28, 2007 at 8:58 am
Wow, well presented complex scenario!
Lloyd Budd
January 28, 2007 at 9:47 am
[...] 5. Ultimate Tag Warrior – There apparently is a bug with this plugin and WP 2.1. Adding a comment and approving it removes any tags from a post. I have not attempted to fix this, but it looks like Mark Jaquith has already found the issue. [...]
Tech Projects » Upgraded to WP 2.1
January 28, 2007 at 2:00 pm
What’s your_get_value() supposed to return?
Joshua
January 28, 2007 at 5:03 pm
OK, I guess your_get_value() was just an example of the plugin functionality. I thought it was part of the verification model.
Joshua
January 28, 2007 at 6:23 pm
Joshua,
Yes, all your_*() functions are user functions. For security reasons, when presenting a value in an HTML value attribute, you’d do something like running attribute_escape() on a postmeta value.
Mark Jaquith
January 28, 2007 at 7:37 pm
Hi Mark,
So is there no way to pass extra form data using the XML-RPC API? I’m the author of Gengo, a multilingual plugin, and a number of people have expressed a wish to blog in multiple languages using the remote API. At the moment, because of the situation you describe above, the best I can do is set each remotely posted article as being written in the default language… Not a disaster, but not awesome… Though come to think of it, do you know of any remote authoring editors that can even send custom fields?
Anyway, nice to get official confirmation of this – thought I was going nuts!
Cheers,
Jamie Talbot
January 29, 2007 at 9:34 am
[...] where some other people also were facing the same problem. With a little more digging I found an excellent explanation by Mark, where he describes the exact problem and also the solution. I am not going to explain the problem [...]
Night Dreaming (by Sudar) » WordPress 2.1 and custom field plugin Gotcha
January 31, 2007 at 2:19 pm
[...] these old versions suffer from the empties custom fields problem. Don’t use them with [...]
Basic Bilingual and Bunny’s Technorati Tags Plugins Updated for WordPress 2.1 at Climb to the Stars (Stephanie Booth)
January 31, 2007 at 7:54 pm
[...] describes in his article “Authorization and intention/origination verification when using the edit_post hook” what plugin authors, when adapting and programming new plugins for WordPress 2.1, [...]
WordPress 2.1, plugins, custom fields and the edit_post hook at im web gefunden
February 2, 2007 at 11:16 am
[...] (and not only those, in some cases) releases of WordPress cause the annoying empty custom fields problem, in practice the effect described above. To get rid of the bug, it was enough to download from the site of [...]
Bunny’s Technorati Tags « 77click
February 4, 2007 at 4:57 am
Many thanks for this post! Yesterday I released a tagging plugin which is based on Jerome’s Keywords (see Simple Tagging Plugin) and a user has reported the issue of all tags being removed when editing comments under WP 2.1. Now I’ve implemented your suggestion and it works like a charm.
Michael Woehrer
February 5, 2007 at 3:29 pm
[...] WordPress Plugins Need to Fix Custom Fields: Mark Jaquith announced a problem with older WordPress Plugins regarding the edit_post hook. This causes a conflict with WordPress Plugins which use the Custom [...]
WordPress Wednesday: Custom Fields Contest and Lots of WordPress.com News at The Blog Herald
February 7, 2007 at 3:39 am
[...] Mark Jaquith shifts the discussion to the problems that some plugins such as Ultimate Tag Warrior and Jerome’s Keywords can create with the new version. [...]
After the arrival of version 2.1 the WordPress world is in ferment
February 7, 2007 at 2:00 pm
[...] Technical explanation in English and solution with examples ----->>>> Here. Luckily Sudar solved the problem for the specific plugin Bunny’s [...]
Bunny’s Technorati Tags and WP 2.1 - Bug solved | Maguila v2.0
February 8, 2007 at 10:22 pm
[...] Since the edit_post hook is called from all over the place, I’ve associated a nonce1 with the checkbox that the user fills out for the miniposts. That allows the plugin to tell the difference between a legitimate change request, and a random one triggered by the promiscuous edit_post hook. That approach was suggested by Mark Jaquith. [...]
Pie Palace · MiniPosts 0.6.4 - Bugfix de jour
February 10, 2007 at 1:56 pm
[...] when used in WordPress 2.1 – posting comments caused a post’s avatar to disappear. Thanks to Mark Jaquith’s post, I’ve identified and fixed (yay!) the [...]
Post Avatar 1.2.2 - Garinungkadol
February 12, 2007 at 5:08 am
[...] the Jerome’s Keywords 2.0-beta3 plugin has problems that lead to the loss of the tags set for articles if it is used in combination with [...]
rbnet.it weblog » Blog archive » Blog upgraded to WordPress 2.1
March 2, 2007 at 5:58 pm
[...] as I had written previously, the Jerome’s Keywords 2.0-beta3 plugin has known problems that lead to the loss of the tags set for articles if it is used in [...]
rbnet.it weblog » Blog archive » Tags and WordPress 2.1.x
March 2, 2007 at 6:21 pm
[...] problem but today I noticed it had happened again so I went searching and, thanks to Mark Jaquith, have now got the answer. The issue occurs because the plugins assume that every time edit_post is triggered, their inserted [...]
Solution to my problem « binarymoon
March 24, 2007 at 8:15 am
Sorry for an off-topic question, but can you please let me know which technique did you use to post the code snippet in this post? I’ve been struggling with WordPress.com’s posting thing which kills indentation, converts brackets, and does all sorts of other nasty things to code.
TIA.
Leonid Mamchenkov
June 23, 2007 at 9:32 am
Leonid,
I used <pre> and then manually encoded my entities, like &lt; for < and &gt; for >. See also &quot; for ". There are probably online tools that can do this for you.
Mark Jaquith
June 26, 2007 at 12:58 am
Mark,
thanks. I think I’ll stay with editor screenshots for my WordPress Bits for a little while longer. It’s ugly, but it works.
Leonid Mamchenkov
August 8, 2007 at 9:03 pm
[...] (or maybe will never) here’s the fix. Took me around a half hour of hacking. Thanks to this excellent guide. [The problem was every time somebody commented I lost the ‘mini-postiness’ of the [...]
Vysnu » MiniPosts fix
August 10, 2007 at 2:31 pm
Sorry
Odysseus
January 21, 2008 at 10:21 pm
[...] is a problem up to version 0.3, sorry. See Mark’s explanation and download 0.31, which should [...]
» Basic Bilingual - WordPress Plugins Catalog
November 29, 2008 at 8:13 pm
Very interesting read, Mark, thanks.
Diego Massanti
March 6, 2009 at 2:35 am
[...] the keywords) and the plugin assumes that the post has no keywords or you’ve deleted them. Mark Jaquith wrote about this behavior earlier this [...]
Fixing Jerome’s Keywords and WordPress 2.1 | rapid-DEV.net
June 15, 2009 at 1:28 am
Hi sir, this time I used Blogspot to write some articles, and now I would like to write articles on the WordPress platform. I searched with Google and I found this site. Thanks for your info about WordPress. I think it can add to my knowledge about this platform.
Mobile Solution Blog
July 5, 2009 at 10:15 am