Nonce in settings API with tabbed navigation

The API handles the nonce for the form part because you’re using the settings_fields call, which outputs the *-options nonce, and you’re passing the data to the options.php file for saving, which checks that nonce for you before saving the settings. This part the Settings API does indeed do for you.

However, your tab code is not in that form. It’s just links. The links have no nonces on them, and the code you have to use the data from the GET parts don’t do any nonce checking.

Now, technically this is okay as long as you’re not saving any data here. The purpose of a nonce is to verify intent when submitting data, and if you’re not submitting any data that gets saved or used in any real way, then you don’t need to verify that intent. The only thing your tab selection does here is to change what fields are displayed on the page.

You might want to consider eliminating the tabs entirely and displaying the whole form, with all settings, on the same page. If you want organization in tabbed form, you’d be better off with javascript or CSS to decorate the page. Also consider accessibility, in that having the form as-a-whole might be better for users who want to make all the changes at once rather than have to configure things on multiple pages or navigate to them with links at the top of the page.

Related Posts:

  1. Nonces can be reused multiple times? Bug / Security issue?
  2. Confusion on WP Nonce usage in my Plugin
  3. Correct way check nonce (security) using old Options API
  4. wp_nonce_field displaying twice
  5. Settings API with arrays example
  6. How to store username and password to API in wordpress option DB?
  7. “Error: Options Page Not Found” on Settings Page Submission for an OOP Plugin
  8. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  9. Is get_option function cached?
  10. What are the advantages to the Settings API?
  11. Accessing plugin settings in gutenberg
  12. Can someone explain what wp_session_tokens are, and what are they used for?
  13. WordPress and PHP Sessions – Security and Performance
  14. What is the difference between esc_html and wp_filter_nohtml_kses?
  15. Which to use to execute code during the saving of a plugin settings page?
  16. Log in from one wordpress website to another wordpress website
  17. WordPress REST API call generates nonce twice on every call
  18. Escaping built-in WP function return strings
  19. How to use the settings API to set multidimensional arrays
  20. What is the difference between strip_tags and wp_filter_nohtml_kses?
  21. WP Cron doesn’t save or in post body
  22. Why won’t register_setting() create a setting?
  23. Why isn’t the Settings API designed to work for plugins using custom admin menus? [duplicate]
  24. WordPress restrict plugin file direct access
  25. What is the use of get_option method
  26. Extend plugin options page
  27. WordPress password reset – why post rp_key?
  28. Are we allowed to use the Allman (BSD) indent style when coding WordPress plugins and themes?
  29. Generating User(s) with Settings API
  30. Callback function is being called twice
  31. Tabbed navigation for plugin options using same row in database for all?
  32. GET parameters interfere with my plugin settings
  33. Is there any way to check for user login and send him to login?
  34. WordPress security issue to output data from user input from theme option form
  35. How to add settings subpage from a plugin to a settings page created in theme?
  36. WordPress setting with select – where is my mistake?
  37. null callback in add_settings_section
  38. WordPress mode for emacs?
  39. Single sanitization callback for multiple fields
  40. Callback is not called in add_settings_field() when passed as part of an array, but recognises that it’s there. It’s passed Class to Class using OOP
  41. Custom delete option button in plugin settings
  42. When to use add_settings_section vs just register_setting?
  43. Adding settings link to plugin doesn’t work
  44. How to fix Uninitialized string offset: error on a checkbox in WP Settings API
  45. wp_create_nonce function doesn’t work inside a plugin?
  46. Secure Pages Best Practice
  47. Securing/Escaping Output of file content – reading via fread() in PHP
  48. Prefixing plugin hooks (actions/filters) with a wrapper class or functions
  49. Updating Woocommerce Settings API when WordPress Settings API saved and vise versa
  50. The plugin does not save data
  51. Custom login doesn’t work properly
  52. best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
  53. Video Security just like facebook [closed]
  54. Settings API with arrays example
  55. Prevent invalid or empty values from being saved to the database and retain the form field values upon error
  56. Allow users to add / remove settings in plugin
  57. Update problem with update_option() in combination with register_setting()
  58. Is disabling test_form in wp_handle_upload a security concern?
  59. How to connect my wordpress plugin to a remote database securely?
  60. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  61. Default settings aren’t used
  62. add_submenu_page hooked function must explicitly check user capabilities – why?
  63. WordPress theme options Menu
  64. Category select options for plugin settings
  65. Issue on Checkbox with Custom Option Page
  66. Settings API: Setting default option via ‘get_option’ fails
  67. How to use nonce
  68. Where to use nonce
  69. Is it possible to use WP-CLI in a plugin (or theme)?
  70. Secruity Questions on a timer
  71. settings api – add_settings_section not working
  72. Using HTML links within translatable string
  73. Multiple page plugin settings
  74. How can I save a password securely as a settings field
  75. Update plugin settings option_name for big plugin update
  76. Using password protection to load different page elements?
  77. It is possible to pass $args that sent by add_settings_field() inside another function?
  78. WP_List_Table Inside Metabox With Bulk Actions Not Working on Submit
  79. Settings API not saving
  80. How do I make secure API calls from my WordPress plugin?
  81. esc_attr() on hard coded string
  82. Hide / show settings field based on other field’s value
  83. Integrating colorpicker into array field
  84. add_settings_error on validating plugin options API
  85. Experts opinions needed: How (in)secure is this approach?
  86. add_option_{$option} action hook not being called
  87. Plugin options page: grouping checkboxes
  88. What is more secure checking capabilities of user or checking role of user in WordPress plugin development
  89. From my Plugin Settings Page use check boxes to load specific css files (e.g. Bootstrap / Foundation)
  90. When using an options array the Settings API isn’t creating the database record
  91. How do I build a settings panel under the plugin
  92. Plugin settings checkbox
  93. Add_menu_page and saving settings
  94. Updating Style From WP Options Setting Page
  95. Combo/Drop down box on plugin settings page that allows additional options to be added
  96. How to delete all the options in an option group
  97. WordPress Plugin default option
  98. How to use register_setting()
  99. esc_url, esc_url_raw or sanitize_url?
  100. Saving metabox updates causing fatal error

Leave a Comment