#8066 closed enhancement (invalid)
Always sanitize the first parameter of wp_verify_nonce
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Component: | General | Keywords: | |
| Cc: |
Description
We ask developers to sanitize and unslash the first parameter of wp_verify_nonce.
Wouldn't it be easier if that piece of repetitive code were not necessary? In the Plugins Team, we often detect that developers forget to do this.
I’m also thinking about the wider community. Many developers may be using wp_verify_nonce incorrectly, without sanitizing it. By handling this automatically, we could prevent security leaks and encourage cleaner code.
This is the correct way to use it right now:
<?php wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['plugin_slug_nonce_field'] ) ), 'plugin_slug_action_nonce' ) )
And this is the ideal way, with sanitization handled inside the function:
<?php wp_verify_nonce( $_POST['plugin_slug_nonce_field'], 'plugin_slug_action_nonce' ) )
Does this make it cleaner and more straightforward?
Change History (4)
This ticket was mentioned in Slack in #core by davidperez. View the logs.
6 months ago
#3
@
6 months ago
- Resolution set to wontfix
- Status changed from new to closed
Thanks. I've moved to:
https://core.trac.wordpress.org/ticket/63866#ticket
Hey @davidperez, I think this should be under core trac since it's on the pluggable in WP Core, not meta..