You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently the WordPress.Security.NonceVerification.Missing is disabled with a comment that it rarely works properly.
My guess is the source of this comment is related to pages that use a custom query string parameter such as /wp-admin/admin.php?page=my-plugin&my-plugin-tab=sub-page or similar on the front-end.
My view is that this treats the perfect as the enemy of the good by allowing potential security flaws in to our code bases to avoid disabling the sniff on an as needs basis.
I suggest two changes to the coding sniffs:
enable the sniff
add wp_verify_nonce as a sanitized & unslashed. The function uses the input to make comparisons rather than for outputs or database storage
In terms of documented coding standards, for functions in which the nonce is not needed there should be two requirements
A detailed comment stating why the sniff is not needed
//phpcs:disable WordPress.Security.NonceVerification.Missing be added above the processing of form data
//phpcs:enable following the processing of form data (the sniff doesn't need to be specified & I've experienced bugs when it is in older versions of phpcs).
Steps to Reproduce
N/A
Screenshots, screen recording, code snippet
For functions that do require a nonce, this is simplest form of code I've found for ensuring there are no false negatives in the coding standards reports:
// Check nonce for cross site scripting protection.if ( empty( $_POST['_nonce'] ) ) {
return;
}
// Check if nonce is valid.if ( ! wp_verify_nonce( $_POST['_nonce'], 'my-plugin-action-name' ) ) {
return;
}
// Followed by usual capability checks, etc.
Environment information
No response
WordPress information
No response
Code of Conduct
I agree to follow this project's Code of Conduct
The text was updated successfully, but these errors were encountered:
I agree that we should enable this by default. I understand why it's currently disabled but I agree with Peter's take here that by globally disabling this, we risk security issues creeping in.
What we've started doing on OSS projects is we ignore this sniff on a line by line basis if it isn't needed and we add a comment detailing why we are ignoring it (for example, verification is happening elsewhere so doesn't need to happen here). This makes it clear to any future developers why we are ignoring that rule.
Describe the bug
Currently the
WordPress.Security.NonceVerification.Missing
is disabled with a comment that it rarely works properly.My guess is the source of this comment is related to pages that use a custom query string parameter such as
/wp-admin/admin.php?page=my-plugin&my-plugin-tab=sub-page
or similar on the front-end.phpcs-composer/10up-Default/ruleset.xml
Lines 67 to 68 in 5f9ac99
My view is that this treats the perfect as the enemy of the good by allowing potential security flaws in to our code bases to avoid disabling the sniff on an as needs basis.
I suggest two changes to the coding sniffs:
wp_verify_nonce
as a sanitized & unslashed. The function uses the input to make comparisons rather than for outputs or database storageIn terms of documented coding standards, for functions in which the nonce is not needed there should be two requirements
//phpcs:disable WordPress.Security.NonceVerification.Missing
be added above the processing of form data//phpcs:enable
following the processing of form data (the sniff doesn't need to be specified & I've experienced bugs when it is in older versions of phpcs).Steps to Reproduce
N/A
Screenshots, screen recording, code snippet
For functions that do require a nonce, this is simplest form of code I've found for ensuring there are no false negatives in the coding standards reports:
Environment information
No response
WordPress information
No response
Code of Conduct
The text was updated successfully, but these errors were encountered: