WordPress / plugin-check

A repository for the new Plugin Check plugin from the WordPress Performance and Plugins Team.
https://wordpress.org/plugins/plugin-check/
GNU General Public License v2.0

Getting nonce verification needed for every instance of a $_GET or $_REQUEST var #549

Open davidperezgar opened 1 month ago

davidperezgar commented 1 month ago

I am getting a “nonce verification needed” warning for every instance of a $_GET or $_REQUEST variable in a conditional when there is no form submission, ajax query or other type of transmission happening. These are not hard to ignore, though a bit annoying. This is also troublesome because I am editing a plugin that was flagged as not secure by the repository review team and I need to clear all errors and warnings using this plugin. If I am wrong on thinking that nonces are not required just because a $_GET or $_REQUEST is used in the code, please let me know. I could be wrong on that point.

https://wordpress.org/support/topic/getting-nonce-verification-needed-for-every-instance-of-a-_get-or-_request-var/#post-17911660

swissspidy commented 1 month ago

That's how the PHPCS sniff works 🤷

See https://github.com/WordPress/WordPress-Coding-Standards/wiki/Fixing-errors-for-input-data#nonces and https://github.com/WordPress/WordPress-Coding-Standards/wiki/Sanitizing-array-input-data

If they think there are false positives, they can be reported to WPCS.
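As an added example (not code from plugin-check or from this thread), the pattern the WPCS `WordPress.Security.NonceVerification` sniff flags, beside the two ways of satisfying it that the linked wiki describes; function names, the nonce action and the query-arg names are hypothetical:

```php
<?php
/**
 * Added example, not plugin-check's own code. Shows what the WPCS nonce sniff
 * reports on a plain $_GET read and how the linked WPCS wiki says to resolve it.
 * Function, action and argument names are hypothetical.
 */

// 1. Flagged: $_GET is read with no nonce check in scope. WPCS reports
//    NonceVerification.Recommended (a warning for $_GET/$_REQUEST; $_POST gives
//    the .Missing error) and ValidatedSanitizedInput, because the value is
//    neither unslashed nor sanitized.
function example_current_tab_unchecked() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    return $tab;
}

// 2. Satisfies the sniff: links carry a nonce, the handler verifies it before
//    touching $_GET, and every value is unslashed, sanitized and allow-listed.
function example_tab_url( $tab ) {
    $url = add_query_arg( 'tab', $tab, admin_url( 'admin.php?page=example-settings' ) );
    return wp_nonce_url( $url, 'example_switch_tab', '_example_nonce' );
}

function example_current_tab_verified() {
    $nonce = isset( $_GET['_example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_GET['_example_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_switch_tab' ) ) {
        return 'general'; // Unverified request: fall back to the default tab.
    }
    $allowed = array( 'general', 'advanced' );
    $tab     = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    return in_array( $tab, $allowed, true ) ? $tab : 'general';
}

// 3. When the read only selects display state and changes nothing, record why
//    no nonce is needed and silence that one sniff on that one line. The
//    isset / wp_unslash / sanitize_key chain still satisfies the input sniff.
function example_current_tab_documented() {
    // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- read-only tab selection, no state change.
    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    return $tab;
}
```

Running `phpcs --standard=WordPress` over the first function reproduces the warning from the issue; the second and third forms pass, so a review can distinguish a real missing nonce from a documented read-only lookup.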

davidperezgar commented 1 month ago

Let's check and report if they are false positives.