
Email link URLs and Nonce #5

Open

GoogleCodeExporter opened this issue Mar 14, 2015 · 2 comments

Comments

@GoogleCodeExporter

Although I did my best (with WP's utterly crappy doc of nonce at the time) to make mail digest URLs be both secure and working, they seem to be broken again in recent versions of WP.

I would suggest looking into the [hopefully more complete by now] doc for nonce and establish a system so that:
- email links get a WP nonce valid for a while
- if the nonce is no longer valid, WP displays a valid "Are you sure you want to do that?" msg that really forwards to the appropriate page (at the moment, it's broken... possibly WP API's fault)

Original issue reported on code.google.com by [email protected] on 24 Jul 2008 at 6:27

@GoogleCodeExporter
Author

Rather than nonces, how about an "are you sure?" on the SK2 end?

Nonces really aren't as good for email links, IMO.

(In fact, how would you do that? An email link can't POST, can it? WP nonces only work for forms)

Original comment by [email protected] on 20 Aug 2008 at 3:01

@GoogleCodeExporter
Author

As I said: nonces were practically undocumented at the time, but I'm pretty sure they were accepted through GET, not just POST (much like practically anything else in WP, AFAIK).

Not sure what you mean by just an "are you sure" message. The point of nonces is not just to avoid mistakes, it's mainly to avoid any sort of dangerous exploits using URLs... A backend script should never do something potentially drastic (such as deleting or flagging comments) on an openly exposed URL.

That being said, it seems WP has a mechanism in place to fall back on when an invalid nonce is provided, which automatically displays this "are you sure" message... But frankly not sure how that works (this might provide some hints in the right direction: http://core.trac.wordpress.org/ticket/2734)

Original comment by [email protected] on 20 Sep 2011 at 7:41
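The mechanism the two comments above are circling around can be shown in a few lines of plugin code. The example below is added here for illustration; it is not code from this thread or from the SK2 plugin. It uses only WordPress core functions (`wp_nonce_url`, `wp_verify_nonce`, `wp_nonce_ays`, `current_user_can`): the nonce is appended to the e-mail link as a GET parameter, the handler verifies it on click, and an expired or forged nonce lands on WordPress's own "Are you sure you want to do this?" page instead of performing the action. The query parameter `sk2_digest_action`, the action-name prefix `sk2_`, and the helper `sk2_flag_comment()` are hypothetical names chosen for the example.

```php
<?php
// Added example (not from the original issue or the SK2 plugin):
// a nonce-protected e-mail digest action link for a WordPress plugin.
// Hypothetical names: 'sk2_digest_action' query parameter, 'sk2_' action
// prefix, sk2_flag_comment() helper.

// Build the link that goes into the digest e-mail. wp_nonce_url() appends
// _wpnonce=<token> to the URL, so the nonce travels through GET. The token is
// bound to the action string, the logged-in user and a time window (by default
// two 12-hour ticks, i.e. valid for up to 24 hours).
function sk2_digest_link( $comment_id, $what ) {
    $comment_id = (int) $comment_id;
    $url = add_query_arg(
        array(
            'sk2_digest_action' => $what,
            'comment_id'        => $comment_id,
        ),
        admin_url( 'admin.php' )
    );
    // The comment id is part of the action string, so a nonce minted for one
    // comment does not validate for another.
    return wp_nonce_url( $url, 'sk2_' . $what . '_comment_' . $comment_id );
}

// Handle the click. Hooked on admin_init, so it runs for a browser that
// carries the WordPress login cookie; the nonce proves intent, the
// capability check below proves authorisation. Both are required.
function sk2_handle_digest_action() {
    if ( empty( $_GET['sk2_digest_action'] ) || empty( $_GET['comment_id'] ) ) {
        return; // not our link
    }
    $what       = sanitize_key( $_GET['sk2_digest_action'] );
    $comment_id = (int) $_GET['comment_id'];
    $action     = 'sk2_' . $what . '_comment_' . $comment_id;
    $nonce      = isset( $_GET['_wpnonce'] ) ? $_GET['_wpnonce'] : '';

    // wp_verify_nonce() reads the token from the GET parameter we were given.
    // It returns 1 (current tick), 2 (previous tick) or false (expired/forged).
    if ( ! wp_verify_nonce( $nonce, $action ) ) {
        // This is the core fallback the thread mentions: render the
        // "Are you sure you want to do this?" page and stop. wp_nonce_ays()
        // ends in wp_die(), so nothing below it runs.
        wp_nonce_ays( $action );
    }

    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_die( esc_html__( 'You are not allowed to moderate comments.' ) );
    }

    // Only now perform the drastic action (flagging/deleting the comment).
    sk2_flag_comment( $comment_id, $what ); // hypothetical helper
    wp_safe_redirect( admin_url( 'edit-comments.php' ) );
    exit;
}
add_action( 'admin_init', 'sk2_handle_digest_action' );
```

Two points worth keeping in mind when adapting this: the nonce alone does not authorise anything (a nonce is only as strong as the login session it is tied to, and is intended as a CSRF and stale-link guard, not as a password), and the "Are you sure?" page is a safe landing spot precisely because it performs no action itself; re-confirming should require the user to be logged in and to obtain a fresh nonce through the normal admin screen rather than re-submitting the stale token.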
