[Resolved] CRED Redirects

This support ticket was created 4 years, 9 months ago. There's a good chance that you are reading advice that is now obsolete.

This topic contains 35 replies, has 4 voices.

Last updated by Beda 4 years, 8 months ago.

Assisted by: Beda.

#1520579

Thank you for having another look at this. I tried your suggested revised code, but whilst the URL is being nonced, the value for the parameter 'choice' isn't available on the destination page.

I still think the better solution is to verify CRED's own nonce so I only need to pass the 'choice' parameter to the URL in the redirect hook. Can you ask the developers what the format is please so I can build my verification? Thanks

#1521769

Shane
Supporter

Languages: English (English)

Timezone: America/Jamaica (GMT-05:00)

Hi Julie,

I took a look at the code that controls the nonce by searching for the wp_create_nonce() function.

This is what I found in reference to the create/submit; it is what the nonce is being made from.

'submit' => array(
    'action' => $cred_ajax->get_action_js_name( \CRED_Ajax::CALLBACK_SUBMIT_FORM ),
    'nonce'  => wp_create_nonce( \CRED_Ajax::CALLBACK_SUBMIT_FORM ),
),

This is found in /cred-frontend-editor/application/controllers/asset_manager.php, at lines 270 - 272.

It seems to be created based on the AJAX request. Apart from this I doubt I will be able to get any information on this from our development team, as this is considered custom code.

Thanks,
Shane

#1524883

I'm asking how to achieve something within a CRED hook; I fail to see how that can be considered custom code

#1525335

Shane
Supporter

Hi Julie,

The reason is that creating a nonced URL is considered custom code, even if you're using our CRED hooks to achieve it.

The most I can really do is to point you in the right direction.

However, I'm not sure the information that was provided before would give you a good idea of what is used; the devs seem to be hooking into an AJAX request.

Thanks,
Shane

#1528769

I'm trying to avoid creating a nonced URL so I'm not asking for custom code. I'm asking what elements make up the nonce name; this is specific to CRED nothing else so not custom code!

#1529265

Hi, Shane is out today for a national holiday and will return tomorrow to continue assisting you.

#1530629

Shane
Supporter

Hi Julie,

This is what I found that the developers are using to create the nonce in the url.

'submit' => array(
    'action' => $cred_ajax->get_action_js_name( \CRED_Ajax::CALLBACK_SUBMIT_FORM ),
    'nonce'  => wp_create_nonce( \CRED_Ajax::CALLBACK_SUBMIT_FORM ),
),

This is found in /cred-frontend-editor/application/controllers/asset_manager.php, at lines 270 - 272.

Apart from this I see no other reference to the form submit for the nonce. Looking at this, it doesn't seem to be a clear-cut situation where the nonce is created by X. From what I see they are hooking into the AJAX submit to generate the nonce.

Thanks,
Shane

#1535175

I think the developers need to be asked to provide the info required please.

#1535659

Shane
Supporter

Hi Julie,

I've sought assistance from our team; hopefully I can get a favourable response that can assist you, but I can't make any promises.

Thanks,
Shane

#1537417

Shane
Supporter

Hi Julie,

I've gotten a response from our team. As mentioned previously this would come under custom coding which as you know would be out of our support scope.

In my initial response I said I would recommend adding a nonce to the URL; however, it is not something that is needed. This is because CRED would already protect the form submit with its own internal security, so users wouldn't be able to hijack the POST request to insert malicious queries in your URL.

Right now we are unable to provide a clear action in what the CRED nonce is created from. As provided in my checks of the code, they seem to be generating it from an AJAX request when the form is submitted.

So apart from this I'm not able to provide any more information about the nonce that CRED creates, as this would fall outside of what we can do as support.

I hope you understand what I'm trying to explain here.

Thanks,
Shane

#1538865

Shane
Supporter

Hi Julie,

I've re-assigned this ticket to our 2nd tier support for further follow ups on this issue.

#1540149

Hi Julie, this is Beda.

I've been helping Shane in the second tier to solve this; now I prefer to reply here directly.

1. Toolset Forms is a safe plugin, made for users without coding knowledge to submit (safely) any form of content.
You don't need to revalidate anything. Can you explain why you want to compare nonces in a form submit success message or redirect?
2. The "number" in a redirect (in the ?_tt parameter) is not a nonce. It's a timestamp. It's not for validation.
3. Here you mention it all "works" (I am not sure what "works" or "does not work" means in this context), unless the version C? That is clearly a code mistake, you concatenate .= and then reassign with =
This likely is throwing fatal errors on your system because the first variable to push to is not even defined

All in all, I am not sure why you want a nonce to be passed in a URL redirect
Once that is clear, we have to (probably) pass on this because it is custom code, nonces are not made by Forms, but by WordPress.
The Forms API used here is merely for redirects, no validation - and the code inside such a hook is always subject to custom code.

If you want to alter the ?_tt value or use it, you can use the cred_form_action_uri_querystring_array hook: https://toolset.com/documentation/programmer-reference/cred-api/#cred_form_action_uri_querystring_array

Please let me know how else I can help with this.

#1540435

Hi Beda

many thanks for your assistance with this.

I think everything is clear if we go right back to the question I asked at the beginning of this ticket. The advice I'm given on this keeps switching so I'm totally confused now.

Just to re-cap:-

I want to redirect the user on form submission to a page that uses a Custom Page Template in my theme (set in the Page Attributes box). The Custom Page Template doesn't display anything to the User, but it does execute code before redirecting the User again to the final page/destination.

The post id (that the form edits) needs to be passed as a URL parameter to be used in the Custom Page Template.

If the URL in the cred redirect needs to be nonced in the above scenario, then I need to be able to verify it in my Custom Page Template.

So, are you saying the cred redirect url doesn't need to be nonced in my scenario?

And if so, what is the difference between using the cred_form_action_uri_querystring_array filter and my example Code A (https://toolset.com/forums/topic/cred-redirects/#post-1513229)?

Thanks

#1540717

OK, thank you for clarifying.

1. The initial question was "If a CRED form redirects a logged in User (on form submission) to a page that uses a Custom Page Template in my theme which executes code, should the URL be nonced?"

The answer is no, I would not know why you would want to wp_nonce_url this Form Success Redirect.
Of course, if you pass some query args when you submit that form, and on the target page you have custom code listening to those args that can, in fact, execute something, it is up to you to make sure the URL param requests are sanitized, controlled and safe.
They should be if your custom code is. The receiver (your custom code) should make sure the parameters passed, if any, can only do something if (for example) the user submitting them is logged in, or has specific rights, and that stuff gets sanitized, if there is potential to pass some malicious code to the URL for example, and this (through your code) would somehow talk to the database.

But all of this would be the precise same question to resolve with or without Toolset Forms.
It will solely depend on what your code does, and what you expect to be passed to it how. But it does not depend on toolset forms, as you could perfectly fine pass URL arguments to that code sitting on your success page by any other URL directing to that page.
Only if it is a success message, the target is created as well by Forms, and then, you cannot add any custom code anyway, because that success message is not a page or template that executes code.

Again if you here somehow manage to have code in any of the success targets or even the post created, that listens to some (custom) URL params, then it is not depending on Toolset Forms to validate and make that code safe.

This is what Shane means with "This would be custom code". We could not help with this as not related to Toolset Forms, generally.
Yes, forms is used to bring the information, but that is not the issue since the information can be brought to your code by any means possible.

2. The post id (that the form edits) needs to be passed as a URL parameter to be used in the Custom Page Template.

OK, you can do that, you just add any URL parameter in the redirect snippet, for example.
For example:
https://toolset.com/documentation/programmer-reference/cred-api/#cred_success_redirect

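add_filter( 'cred_success_redirect', 'custom_redirect', 10, 3 );
function custom_redirect( $url, $post_id, $form_data ) {
    // The target URL was hidden by the forum software ("hidden link");
    // the ID of the submitted post is appended to it.
    $url = 'hidden link' . $post_id;
    return $url;
}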

What the code that sits on the target does with the value of url_param is up to you as the Webmaster who creates that code; Toolset Forms cannot help validating that code or its input. This needs to be done in the target code, logically.
If you like to pass a nonce to the URL you can do so, but it is not Forms generating or handling this, it is WordPress and your custom code that must match the nonce.

3. Some of the code shared in the examples here https://toolset.com/forums/topic/cred-redirects/#post-1513229 is faulty and throws fatal errors, due to wrong syntax (at least in example B), and example C seems to do just what you want; I see, however, that it encodes the "&" sign.

B, if corrected, will give you ?nonce_token=f02614c307&cred_referrer_form_id=20
C, if used, will give you ?choice=27&nonce_token=f02614c307&cred_referrer_form_id=20

I am not sure what "not working" refers to in this case; if you mean the encoded & (&amp;), this should not be an issue, because the URL parameter is still produced fine:
The nonce_token is added fine, as seen in the URL.
You still should be able to read it from that URL in your custom code.
This is, in any case, an issue of wp_nonce, see here:
https://developer.wordpress.org/reference/functions/wp_nonce_url/
> Note that wp_nonce_url escapes & to &amp; and may cause links or redirects to become incorrect.

What is the precise problem with the custom code in relation to Toolset? It seems to me it works just as expected.
If not, please can you specify what "does not work" means in this case?

4. So, are you saying the cred redirect url doesn't need to be nonced in my scenario?

As mentioned - we cannot answer this consistently for all cases.

It fully depends on what your custom code does and how unsafe it can be if unexpected input is added to the URL as params.
The Forms will not be able to be responsible for this, and it is correct that if you need to make sure only specific referrers can add specific URL params, you need to use Custom Code, to validate this.

5. And if so, what is the difference between using the cred_form_action_uri_querystring_array filter and my example Code A (https://toolset.com/forums/topic/cred-redirects/#post-1513229)?

Your code fires on success redirect, the cred_form_action_uri_querystring_array fires when the form is loaded but also when it is submitted, and it doesn't let you change the URL but the URL parameters.

I see no problems with the code version C in your example, please can you elaborate what the precise issue is that you face with that code as due to Toolset?
Meaning, it would "not happen" if not using Toolset? The URL Encoding is not due to Toolset, you can see the precise same results if inserting this to any page or another type of form not using Toolset at all

Thanks for your patience!
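
The sender/receiver split described in the reply above, as an added example that is not part of the thread or of Toolset's code. It builds the redirect with add_query_arg() and wp_create_nonce() instead of wp_nonce_url(), because wp_nonce_url() returns an HTML-escaped URL: once the URL already carries ?choice=, the nonce is joined with &amp;, and a redirect that sends that string literally delivers a parameter named amp;nonce_token rather than nonce_token. The jc_ function names, the nonce action prefix, the parameter names and the /process-choice/ path are assumptions.

```php
<?php
// Added example. Assumed names: jc_* functions, the 'jc_choice_redirect_'
// nonce action prefix, the 'choice' / 'nonce_token' parameters and the
// '/process-choice/' page that uses the custom page template.

// Sender: runs on successful form submission.
add_filter( 'cred_success_redirect', 'jc_build_redirect', 10, 3 );
function jc_build_redirect( $url, $post_id, $form_data ) {
    $post_id = absint( $post_id );

    // add_query_arg() joins parameters with a plain "&", so the receiver
    // sees 'nonce_token' under its real name.
    return add_query_arg(
        array(
            'choice'      => $post_id,
            // Bind the nonce to this post ID so it cannot be reused for another post.
            'nonce_token' => wp_create_nonce( 'jc_choice_redirect_' . $post_id ),
        ),
        home_url( '/process-choice/' )
    );
}

// Receiver: call at the top of the custom page template, before any action.
// Returns the validated post ID, or 0 if the request must be rejected.
function jc_validated_choice() {
    if ( ! is_user_logged_in() ) {
        return 0;
    }

    $choice = isset( $_GET['choice'] ) ? absint( $_GET['choice'] ) : 0;
    $nonce  = isset( $_GET['nonce_token'] )
        ? sanitize_text_field( wp_unslash( $_GET['nonce_token'] ) )
        : '';

    if ( ! $choice || ! wp_verify_nonce( $nonce, 'jc_choice_redirect_' . $choice ) ) {
        return 0;
    }

    // A valid nonce shows the link was generated for this user; whether the
    // user may act on this particular post is a separate authorisation check.
    if ( ! current_user_can( 'edit_post', $choice ) ) {
        return 0;
    }

    return $choice;
}
```

In the template, stop with wp_die() or redirect away when jc_validated_choice() returns 0, and only run the post-processing code on a non-zero result.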

#1540863

Hi Beda

Thank you for taking the time to provide this response. Can I say I'm not expecting Toolset Forms to validate the code on my custom page template. Noncing the redirect URL seemed to me to be an ideal way of checking for the User.

I'm not getting any fatal errors when using Code A, B or C. I can see I've missed off an apostrophe in Code B but that's a bit of a red herring because it's Code C that's the important one since I'm trying to combine noncing with passing a parameter. The reason I'm saying Code C doesn't work is because the User is redirected to the page using the Custom Page Template but the nonce value isn't carried with it (as explained here https://toolset.com/forums/topic/cred-redirects/#post-1513293) and I know this because the nonce verification fails (this doesn't fail if I remove $url .= '?choice=' . $post_id; from Code C).

I hope that makes sense?