Do I have to have a nonce for a custom comment field?

I'm working on my comment section and I have added a custom field

<input type="hidden" name="be_user_star_rating" id="be_user_star_rating" value="" />

Its value is being set by JavaScript.

Validating it with something like this:

add_action( 'comment_post', 'be_comment_rating_insert_comment', 10, 1 );
function be_comment_rating_insert_comment( $comment_id )
{
    // Check that the value is numeric before the range comparisons run on it.
    if( isset( $_POST['be_user_star_rating'] )
        && is_numeric( $_POST['be_user_star_rating'] )
        && $_POST['be_user_star_rating'] > 0
        && $_POST['be_user_star_rating'] <= 5 ) {

        $val  = (int) $_POST['be_user_star_rating'];
        // Store the rating as comment meta (esc_attr() on an int is a no-op).
        update_comment_meta( $comment_id, 'be_user_star_rating', esc_attr( $val ) );
    }
}

Since this is hooked into comment_post, do I have to worry about checking custom nonces - beyond my validation? Or will WordPress take care of it?

1 Answer

  • A WordPress Nonce, while not a true nonce, functions similarly in that it exists to secure a form or page from unauthorized access and abuse.

    By default, the WordPress Comment Form only displays a nonce field if the current user has the unfiltered_html capability.

    So, if the form is implemented with standard procedures, all you have to do is validate your own input, and you don't have to mess with nonces.

    From comment-template.php:

    /**
     * Display form token for unfiltered comments.
     *
     * Will only display nonce token if the current user has permissions for
     * unfiltered html. Won't display the token for other users.
     *
     * The function was backported to 2.0.10 and was added to versions 2.1.3 and
     * above. Does not exist in versions prior to 2.0.10 in the 2.0 branch and in
     * the 2.1 branch, prior to 2.1.3. Technically added in 2.2.0.
     *
     * Backported to 2.0.10.
     *
     * @since 2.1.3
     */
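If you do decide to guard the custom field with a nonce of your own (for example so a cross-site form post cannot attach a rating to a visitor's comment), the pattern below shows both halves: emitting the nonce inside the comment form and verifying it in the comment_post handler before the rating is stored. This is an added example and is not code from the question, the answer, or WordPress core; the "be_" prefixed function names, the action string 'be_comment_rating_submit' and the field name be_comment_rating_nonce are assumptions chosen for the illustration. The hooks used (comment_form_after_fields, comment_form_logged_in_after, comment_post) and the helpers wp_nonce_field(), wp_verify_nonce(), wp_unslash(), sanitize_text_field() and update_comment_meta() are real WordPress APIs.

```php
<?php
// Added example, not code from the page or from WordPress core.
// Assumed names: be_* functions, action 'be_comment_rating_submit',
// nonce field 'be_comment_rating_nonce'.

// 1. Print the nonce field inside comment_form(). Two hooks are needed
//    because comment_form() fires different actions for anonymous and
//    logged-in visitors.
function be_comment_rating_nonce_field() {
    // Third argument false: no referer field, we only want the nonce input.
    wp_nonce_field( 'be_comment_rating_submit', 'be_comment_rating_nonce', false );
}
add_action( 'comment_form_after_fields', 'be_comment_rating_nonce_field' );
add_action( 'comment_form_logged_in_after', 'be_comment_rating_nonce_field' );

// 2. Normalise and range-check the submitted rating.
//    Returns 0 for anything that is not an integer-like value in 1..5,
//    so the caller can simply skip storage.
function be_comment_rating_sanitize( $raw ) {
    if ( ! is_scalar( $raw ) || ! is_numeric( $raw ) ) {
        return 0;                     // arrays, '', 'abc', '4abc' are rejected
    }
    $rating = (int) $raw;             // '4' -> 4, '4.5' -> 4, '-3' -> -3
    return ( $rating >= 1 && $rating <= 5 ) ? $rating : 0;
}

// 3. Verify the nonce before trusting the extra field. WordPress has already
//    saved the comment at this point; on failure we only refuse to attach
//    the rating meta, we do not (and cannot) reject the comment here.
function be_comment_rating_insert_comment( $comment_id ) {
    $nonce = isset( $_POST['be_comment_rating_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['be_comment_rating_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'be_comment_rating_submit' ) ) {
        return;                       // missing, expired or forged token
    }

    $raw    = isset( $_POST['be_user_star_rating'] )
        ? wp_unslash( $_POST['be_user_star_rating'] )
        : '';
    $rating = be_comment_rating_sanitize( $raw );
    if ( 0 === $rating ) {
        return;                       // out of range or not a number
    }

    // Meta is stored as the plain int; escaping belongs at output time.
    update_comment_meta( $comment_id, 'be_user_star_rating', $rating );
}
add_action( 'comment_post', 'be_comment_rating_insert_comment', 10, 1 );
```

Two caveats worth keeping in mind. First, the nonce only ties the submission to a form WordPress rendered; it does not make the value trustworthy, so the range check in be_comment_rating_sanitize() is still what stops an out-of-range rating. Second, WordPress nonces expire after 12 to 24 hours and full-page caching can serve a stale one to anonymous visitors, in which case the comment is saved but the rating is silently dropped; if the site uses page caching, either exclude the comment form from the cache or keep the original nonce-free validation the answer describes.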
    
