Automattic / VIP-Coding-Standards

PHP_CodeSniffer ruleset to enforce WordPress VIP coding standards.
https://wpvip.com/documentation/how-to-install-php-code-sniffer-for-wordpress-com-vip/

False positive: Detected usage of a non-sanitized input variable: $_POST #112

Closed david-binda closed 6 years ago

david-binda commented 6 years ago

wp_verify_nonce should not produce the "Detected usage of a non-sanitized input variable" error.

E.g. wp_verify_nonce( $_POST['my_modules_nonce'], 'metro_modules' ) is totally valid.

EDIT: should not even produce Detected access of super global var $_POST, probably needs manual inspection.

GaryJones commented 6 years ago

Is this something that would better be addressed upstream in WPCS? Or is it from code in VIPCS?

david-binda commented 6 years ago
$ cat test.php
<?php

wp_verify_nonce( $_POST['my_modules_nonce'], 'metro_modules' );
$ phpcs --standard=WordPressVIPMinimum ./test.php -s

FILE: /home/wpcom/public_html/test.php
--------------------------------------------------------------------------------------------------------------------------------------------------
FOUND 2 ERRORS AND 1 WARNING AFFECTING 1 LINE
--------------------------------------------------------------------------------------------------------------------------------------------------
 3 | WARNING | Detected access of super global var $_POST, probably needs manual inspection. (WordPress.VIP.SuperGlobalInputUsage.AccessDetected)
 3 | ERROR   | Detected usage of a non-validated input variable: $_POST (WordPress.VIP.ValidatedSanitizedInput.InputNotValidated)
 3 | ERROR   | Detected usage of a non-sanitized input variable: $_POST (WordPress.VIP.ValidatedSanitizedInput.InputNotSanitized)
--------------------------------------------------------------------------------------------------------------------------------------------------

Time: 49ms; Memory: 6Mb

Feels like it might be better addressed upstream.

GaryJones commented 6 years ago

Feels like it might be better addressed upstream.

https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/issues/1508
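A form handler of the kind the issue describes, added here as an example that is not code from the issue or from VIPCS/WPCS; it shows why passing the raw $_POST nonce to wp_verify_nonce() is correct while the other fields still need validating and sanitizing. The function name, the non-nonce field names and the meta key are assumptions.

```php
<?php
// Added example (not from the issue or the VIPCS project). wp_verify_nonce()
// is itself the validation step for the nonce field: the value is only
// compared against a freshly generated nonce, never stored or output, so
// there is nothing to sanitize. The remaining fields are the ones the
// ValidatedSanitizedInput sniffs should care about.
// Function name, field names and meta key are assumptions for illustration.

function metro_modules_handle_submit() {
    // Missing or invalid nonce: stop the request before touching any state.
    if ( ! isset( $_POST['my_modules_nonce'] )
        || ! wp_verify_nonce( $_POST['my_modules_nonce'], 'metro_modules' ) ) {
        wp_die( 'Invalid nonce', 'Forbidden', array( 'response' => 403 ) );
    }

    // Fields that influence application state are validated (isset) and
    // sanitized (wp_unslash + absint / sanitize_text_field) before use.
    $module_id = isset( $_POST['module_id'] ) ? absint( $_POST['module_id'] ) : 0;
    $title     = isset( $_POST['module_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['module_title'] ) )
        : '';

    if ( 0 === $module_id || '' === $title ) {
        return false; // nothing valid to save
    }

    update_post_meta( $module_id, '_metro_module_title', $title );
    return true;
}
```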