From 0f089b9c4782c4eb54282d4cbb55687d746248eb Mon Sep 17 00:00:00 2001
From: Ryan Boren
Date: Fri, 3 Jun 2011 18:23:41 +0000
Subject: [PATCH] Properly return referrer when referer = true and echo = false. Props scribu, webduo. fixes #11953
git-svn-id: https://develop.svn.wordpress.org/trunk@18130 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/functions.php | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index 6c69627f65..92fb422d72 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -1954,11 +1954,6 @@ function wp_nonce_url( $actionurl, $action = -1 ) {
 * offer absolute protection, but should protect against most cases. It is very
 * important to use nonce field in forms.
 *
- * If you set $echo to true and set $referer to true, then you will need to
- * retrieve the {@link wp_referer_field() wp referer field}. If you have the
- * $referer set to true and are echoing the nonce field, it will also echo the
- * referer field.
- *
 * The $action and $name are optional, but if you want to have better security,
 * it is strongly suggested to set those two parameters. It is easier to just
 * call the function without any parameters, because validation of the nonce
@@ -1982,11 +1977,12 @@ function wp_nonce_url( $actionurl, $action = -1 ) {
 function wp_nonce_field( $action = -1, $name = "_wpnonce", $referer = true , $echo = true ) {
 $name = esc_attr( $name );
 $nonce_field = '';
- if ( $echo )
- echo $nonce_field;
 if ( $referer )
- wp_referer_field( $echo );
+ $nonce_field .= wp_referer_field( false );
+
+ if ( $echo )
+ echo $nonce_field;
 return $nonce_field;
 }
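Review bot: The return contract of `wp_nonce_field()` changes in the second hunk without being documented: with `$referer` true (the default) the returned string now also contains the output of `wp_referer_field( false )`, while the first hunk only deletes the paragraph that described the old behaviour. Callers that pass `$echo = false` and then add the referer field themselves will now emit it twice, so the docblock should state the new contract, e.g. `@return string The nonce field, followed by the referer field when $referer is true.`; the `@return` tag lies outside both hunks, so its current wording cannot be checked here. The appended field presumably carries a request-derived value that the nonce does not cover, so the same docblock could add a line such as `The referer value is not protected by the nonce; validate it before using it, e.g. for redirects.`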