How to stop _wpnonce and _wp_http_referer from appearing in URL

I am trying to develop a plug-in that has a search field and uses WP_List_Table.
The plug-in is strictly for the backend and searches the users in the database and returns them along with some other meta from an additional plug-in.

When I do a search for the user the hidden input fields of _wpnonce and _wp_http_referer are added to the url string. The _wpnonce is not that big of a deal but the _wp_http_referer is a problem.

If the person using the plug-in keeps doing multiple searches the _wp_http_referer string becomes so long in the URL that it gives an error:
Request-URI Too Large
The requested URL’s length exceeds the capacity limit for this server.

So how do I either stop the hidden values from appearing in the URL or reset _wp_http_referer each time the search button is clicked?

1 comment

  1. This issue arises because of a couple of problems:

    1) WP_List_Table::search_box() inserts the default _wpnonce and _wp_http_referer fields by using wp_nonce_field() without giving you the ability to override and say “I’ve already got a nonce field, thanks”.

    2) You need to use GET as your method of form submission when subclassing WP_List_Table because WP_List_Table::print_column_headers() only checks $_GET for the current orderby and order parameters and uses $_SERVER['REQUEST_URI'] for constructing its header links. If you don’t use GET as the form method you’ll lose the search parameter when sorting a column.

    There are a couple of ways to stop the “Request-URI Too Large – The requested URL's length exceeds the capacity limit for this server” error:

    A) Because all the nonce checking functions are able to use either a _wp_http_referer request field or fallback to the appropriate header for the referrer you can remove the _wp_http_referer query arg early on in the processing.

    Therefore a simple way to resolve this issue is by adding the following very early on in the prepare_items() function of your WP_List_Table subclass.

    // Strip the accumulated referer chain before WP_List_Table builds any header links from REQUEST_URI.
    $_SERVER['REQUEST_URI'] = remove_query_arg( '_wp_http_referer', $_SERVER['REQUEST_URI'] );


    B) The arguably better and more secure way would be to switch to the POST form submission method and update $_SERVER['REQUEST_URI'] in prepare_items() with all the parameters you care about once you’ve compiled them so that WP_List_Table::print_column_headers() functions as expected.

    // $blog_id, $search, $record_type, $orderby and $order are the values already compiled
    // from the POSTed form; only these are re-published into the URI.
    $options = array(
        'blog_id'     => $blog_id,
        's'           => $search,
        'record_type' => $record_type,
        'orderby'     => $orderby,
        'order'       => $order,
    );

    // Update the current URI with the new options so print_column_headers() sees them.
    $_SERVER['REQUEST_URI'] = add_query_arg( $options, $_SERVER['REQUEST_URI'] );
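Approach (B) carried through as an added example (this is not code from the question or the comment above): a WP_List_Table subclass whose search form uses method="post", so the nonce and referer fields travel in the request body, while prepare_items() whitelists the sort parameters, strips _wp_http_referer and _wpnonce, and rebuilds $_SERVER['REQUEST_URI'] from validated values only. It assumes a loaded wp-admin environment, the hypothetical plural 'plugin_users' (so the nonce action emitted by WP_List_Table::display() is 'bulk-plugin_users'), and the 'list_users' capability as the gate.

```php
<?php
// Added example (not from the question or answer): WP_List_Table subclass whose search
// form uses method="post"; prepare_items() validates input, then rebuilds REQUEST_URI.
class Plugin_Users_Table extends WP_List_Table {
    // Only these may reach WP_User_Query's orderby; anything else falls back to user_login.
    private $sortable = array( 'user_login', 'user_email', 'user_registered' );
    public function __construct() {
        parent::__construct( array( 'singular' => 'plugin_user', 'plural' => 'plugin_users' ) );
    }
    public function get_columns() {
        return array( 'user_login' => 'Username', 'user_email' => 'E-mail', 'user_registered' => 'Registered' );
    }
    public function get_sortable_columns() {
        return array_combine( $this->sortable, array_map( function ( $c ) { return array( $c, false ); }, $this->sortable ) );
    }
    // Emit the form with method="post" so the nonce and referer fields travel in the body.
    public function render_page() {
        $this->prepare_items();
        echo '<form method="post">';
        $this->search_box( 'Search users', 'plugin_user' );
        $this->display();
        echo '</form>';
    }
    public function prepare_items() {
        if ( ! current_user_can( 'list_users' ) ) {
            wp_die( 'Insufficient permissions.' );
        }
        // The form POSTs (with nonce); column sort links are plain GETs without one.
        $is_post = ( 'POST' === $_SERVER['REQUEST_METHOD'] );
        if ( $is_post ) {
            check_admin_referer( 'bulk-' . $this->_args['plural'] ); // dies on a bad or missing nonce
        }
        $params  = wp_unslash( $is_post ? $_POST : $_GET );
        $search  = ( isset( $params['s'] ) && is_string( $params['s'] ) ) ? sanitize_text_field( $params['s'] ) : '';
        $orderby = ( isset( $params['orderby'] ) && in_array( $params['orderby'], $this->sortable, true ) )
            ? $params['orderby'] : 'user_login';
        $order   = ( isset( $params['order'] ) && is_string( $params['order'] ) && 'desc' === strtolower( $params['order'] ) ) ? 'DESC' : 'ASC';
        // Drop the referer chain and nonce, then expose only validated values so that
        // print_column_headers() builds sort links that keep the search but never grow.
        $uri = remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), $_SERVER['REQUEST_URI'] );
        $_SERVER['REQUEST_URI'] = add_query_arg( compact( 's', 'orderby', 'order' ), $uri );
        $_GET['orderby'] = $orderby; // print_column_headers() reads the current sort from $_GET
        $_GET['order']   = $order;
        $query = new WP_User_Query( array(
            'search' => '' === $search ? '' : '*' . $search . '*', 'orderby' => $orderby, 'order' => $order, 'number' => 20,
        ) );
        $this->items           = $query->get_results();
        $this->_column_headers = array( $this->get_columns(), array(), $this->get_sortable_columns() );
    }
}
```

Because the rebuilt URI carries only s, orderby and order, a column sort link issued after any number of searches stays the same length, and the GET it produces is validated by the same whitelist as the POST.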