[Resolved] CRED Redirects

[Author]

Posts

[julieP]

If a CRED form redirects a logged in User (on form submission) to a page that uses a Custom Page Template in my theme which executes code, should the URL be nonced?

[Shane Supporter Languages: English (English ) Timezone: America/Jamaica (GMT-05:00)]

Hi Juilie,

Thank you for getting in touch.

I would actually recommend that you do so that the user can't execute malicious code on the page.

However is your code reliant on a URL parameter?

Thanks,
Shane

[julieP]

Hi Shane

Thanks for clarifying (I wasn't sure if CRED itself created a nonce that I could tap into).

Your question is interesting because:-
a nonced link with a parameter for the post ID attached works
a CRED form with a cred redirect & passing the post ID without nonce works (see code A)
a CRED form without passing the post ID but nonced works (see code B)
a CRED form passing the post ID AND nonced doesn't work (see code C)
<u>Code A</u>

add_filter( 'cred_success_redirect', 'custom_redirect_10087', 10, 3);
function custom_redirect_10087( $url, $post_id, $form_data ){
 
    if ($form_data['id']==10087) {
        
        $url .= '?choice=' . $post_id;
        
    }
    return $url;
}

<u>Code B</u>

add_filter( 'cred_success_redirect', 'custom_redirect_10087', 10, 3);
function custom_redirect_10087( $url, $post_id, $form_data ){
 
    if ($form_data['id']==10087) {
        
        $url = wp_nonce_url( $url, 'nonce_name, 'nonce_token' );
        
    }
    return $url;
}

<u>Code C</u>

add_filter( 'cred_success_redirect', 'custom_redirect_10087', 10, 3);
function custom_redirect_10087( $url, $post_id, $form_data ){
 
    if ($form_data['id']==10087) {
        
       $url .= '?choice=' . $post_id;
        
        $url = wp_nonce_url( $url, 'nonce_name', 'nonce_token' );
        
    }
    return $url;
}

Is code C wrong or am I trying to achieve something that's not possible?

[julieP]

I logged out of the forum and realised I needed to be less ambiguous! What I mean by 'doesn't work' is:-

the User is redirected to the page using the Custom Page Template but the nonce value isn't carried with it.

(The nonce verification I've included fails - can't comment on the post ID because that's checked after the nonce check)

Thanks

[Shane Supporter Languages: English (English ) Timezone: America/Jamaica (GMT-05:00)]

Hi Julie,

Thank you for the information.

Based on your scenario you shouldn't need to add a nonce to the URL.

However checking on the codebase for wordpress I can see an example on how to add the nonce to the url without disturbing it.

hidden link

Take a look at the example in the link below as this should allow you to still retain your url parameter.

Thanks,
Shane

[julieP]

Hi Shane

I'm confused about you now think I don't need to nonce the redirect.

I checked out the page at wpseek.com and changed my Code C to this (having changed nonce_token to _wpnonce):-

add_filter( 'cred_success_redirect', 'custom_redirect_10087', 10, 3);
function custom_redirect_10087( $url, $post_id, $form_data ){
  
    if ($form_data['id']==10087) {
         
       $url .= '?choice=' . $post_id;
         
        $url = wp_nonce_url( $url, 'nonce_name', '_wpnonce' );
         
    }
    return $url;
}

I also then changed my nonce check accordingly too but the form redirect still fails nonce verification.

My testing would suggest the issue is with the way CRED is handling the redirect when a param is added AND it's nonced because noncing it without adding a param works (whether I use 'nonce_token' or '_wpnonce').

[Shane Supporter Languages: English (English ) Timezone: America/Jamaica (GMT-05:00)]

Hi Julie,

I believe the issue could be that you are not appending the nonce to the url.

add_filter( 'cred_success_redirect', 'custom_redirect_10087', 10, 3);
function custom_redirect_10087( $url, $post_id, $form_data ){
   
    if ($form_data['id']==10087) {
          
       $url .= '?choice=' . $post_id;
        $url =  esc_html( add_query_arg( $'_wpnonce', wp_create_nonce( -1 ), $url ) );
  }
    return $url;
}

Try this below and let me know if this helps.

Thanks,
Shane

[julieP]

Hi Shane

A couple of things;

Firstly, your line of code is throwing an error. I've removed the $ so it now reads:-

$url =  esc_html( add_query_arg( '_wpnonce',  wp_create_nonce( -1 ),  $url ) );
  }
    return $url;
}

is this right?

Secondly, just so I understand fully what your code is doing, is "wp_create_nonce (-1)" the nonce value?

Thirdly, I believe your solution is designed to use the nonce name created by CRED but I've no idea what that is and I would need to in order to verify it on my Custom Page Template. I've been scouring CRED files for the answer but struggling. Can you clarify please the elements that make up the nonce name so I can verify it correctly.

In case it's relevant I'm not using AJAX for form submissions.

Thanks

[Shane Supporter Languages: English (English ) Timezone: America/Jamaica (GMT-05:00)]

Hi Julie,

The wp_create_nonce() function creates a cryptographic token tied to a specific action, user, user session, and window of time.

https://developer.wordpress.org/reference/functions/wp_create_nonce/

So what it does is generates a session token for the user based on what I see in the documentation. Unfortunately i'm not aware of the nonced name used by cred.

What i've been doing to generate a solution for you is to follow the documentation based on wordpress.

However you should be able to create your own nonce and verify it on the page itself. Based on the wp_create_nonce() function .

Thanks,
Shane

[julieP]

I'm struggling to combine all the required elements! I've re-worked by redirect hook to this but it's not working:-

add_filter( 'cred_success_redirect', 'custom_redirect_10087', 10, 3);
function custom_redirect_10087( $url, $post_id, $form_data ){
 
    //
    if ($form_data['id']==10087) {
        
        $url .= '?choice=' . $post_id;
        $url_nonced = wp_nonce_url( $url, 'nonce_name, '_wpnonce' );
        $url =  esc_html( add_query_arg( '_wpnonce',  wp_create_nonce( -1 ),  $url_nonced ) );
        
    }
    return $url;
}

I don't get how my nonce name gets passed in this code.

If my base URL is hidden link and the post ID is 550 then " $url .= '?choice=' . $post_id;" will change the URL to hidden link.

If I also include "$url = esc_html( add_query_arg( '_wpnonce', wp_create_nonce( -1 ), $url ) );" (and the nonce value it creates is 123456) then the URL becomes hidden link which is what it ought to be but I'm struggling to understand how to incorporate my own nonce name. wp_create_nonce only takes the $action parameter. Since this is a form I've also tried using wp_nonce_field which takes $action and $name which would give "$url = esc_html( add_query_arg( '_wpnonce', wp_nonce_field('form_submit_1, 'nonce_name' ), $url_nonced ) );" but again this isn't working and I'm not even sure I'm using the right field name.

I've spent over 10 hours solidly on this today alone and getting nowhere. I don't feel my request is unreasonable; this is crucial for website security. It's clear I'm not being lazy; I've created code that adds parameter and code that nonces the URL , I'm simply asking how I can nonce a URL AND add a parameter in a CRED redirect hook.

Can you help me please?

[Shane Supporter Languages: English (English ) Timezone: America/Jamaica (GMT-05:00)]

Hi Julie,

I understand the request and based on what you are saying it is adding the Parameter and the Nonce to the URL correct.

The problem now is that you want to create your own nonce.

Have a look at this example on the wordpress documentation about the nonce of the URL and verifying the nonce.
https://developer.wordpress.org/reference/functions/wp_create_nonce/#user-contributed-notes

Based on this you can set your nonce to anything using the wp_create_nonce() function. So you don't need to use the -1 as this is the default value but you can use anything.

I must admit i'm not very familiar with the workings of the wp_create_nonce() or wordpress nonce in general. I'm just working based on the documentation that wordpress provides as well as examples.

Thanks,
Shane

[julieP]

Shane

Thank you for your help so far but I think it would be sensible to pass this ticket on to someone in the team who IS familiar with nonces and who will therefore be able to clarify how to manipulate the CRED hook to the required ends.

Thanks

[Shane Supporter Languages: English (English ) Timezone: America/Jamaica (GMT-05:00)]

Hi Julie,

I checked with the team for anyone who is familiar with this. However it seems their knowledge is limited as well.

You mentioned that you want to know how to incorporate your own nonce name. Is it that you want to add your own custom name to the url that stores the nonce value ?

I doubt we will be much help with this but any clarification will definitely help.

Thanks,
Shane

[julieP]

I've already demonstrated I know how to use my own nonce name right at the beginning of this ticket. I need to achieve this:-

pass the edited post ID via the URL on form submission which is then used in the code on my custom page template BUT I also need to be able to use wp_verify nonce on that template for security. Noncing the url in a cred redirect hook with my own nonce name works, passing the post ID in the redirect hook works but the two together don't.

So, I need to know one of these:-

how to combine the two (using my own nonce)

OR

the values for $action and $name in CRED's own noncing that I can then tap into on my custom page template to verify the nonce and just pass the post ID in the redirect hook. I suspect $action might be something like 'form_submit' and I'm guessing $name would be generated based maybe on the form ID or post ID and might look something like 'cred_submit_10078' but I'm only guessing.

The latter would actually be the preferred solution.

[Shane Supporter Languages: English (English ) Timezone: America/Jamaica (GMT-05:00)]

Hi Julie,

Checking again on your first post I was able to see this code here.

add_filter( 'cred_success_redirect', 'custom_redirect_10087', 10, 3);
function custom_redirect_10087( $url, $post_id, $form_data ){
  
    if ($form_data['id']==10087) {
         
        $url = wp_nonce_url( $url, 'nonce_name, 'nonce_token' );
         
    }
    return $url;
}

As you mentioned this works and your nonce is added to your url.

This would mean that since your nonced url has been created then you only need to add your URL paramter i.e $url .= '?choice=' . $post_id; to the nonced URL.

What you can do is to use the add_query_arg() function to achieve this

So adapted to your case would be

add_filter( 'cred_success_redirect', 'custom_redirect_10087', 10, 3);
function custom_redirect_10087( $url, $post_id, $form_data ){
  
    if ($form_data['id']==10087) {
         
        $url = wp_nonce_url( $url, 'nonce_name', 'nonce_token' );
         $url = esc_html(add_query_arg('choice',$post_id,$url));
    }
    return $url;
}

Please try this and let me know as what the code is doing is take the URL that was already nonced and then adding the choice parameter to the end of that URL.

Based on this principle then this should work by having your parameter and the nonced URL. Since we are not able to tell what CRED is using to create the nonced url.

Thanks,
Shane