WordPress-Coding-Standards icon indicating copy to clipboard operation
WordPress-Coding-Standards copied to clipboard

Published 20 hours ago verified publisher icon WordPress

NonceVerification: ignore unsetting of superglobal values

Open jrfnl opened this issue 3 years ago • 1 comments

Bug Description

When all that's done with a superglobal value is to unset it, no nonceverification should be necessary.

Currently, the sniff will throw a warning for this:

 148 | WARNING | Processing form data without nonce verification.

Minimal Code Snippet

// OK.
unset( $_GET['meta-box-loader'] );

// Not okay.
do_something_with( $_GET['meta-box-loader'] );

For bugs with fixers: How was the code fixed? How did you expect the code to be fixed?

Error Code

WordPress.Security.NonceVerification.Recommended

Environment

Question Answer
PHP version any
PHP_CodeSniffer version master
WPCS version develop
WPCS install type N/A
IDE (if relevant) N/A

Additional Context (optional)

Might be a good idea to check in with the security team to confirm whether they agree with the above.

Tested Against develop branch?

  • [x] I have verified the issue still exists in the develop branch of WPCS.

jrfnl avatar Mar 23 '21 06:03 jrfnl

Loosely related to #1902 (and #187)

jrfnl avatar Mar 23 '21 06:03 jrfnl

FWIW I fully agree with this - Unsetting is not processing, and warning for lack of nonces when it's not processing it is just extra noise.

dd32 avatar Jul 07 '23 03:07 dd32