WordPress.Security.NonceVerification.Missing not reported when using filter_input
Bug Description
When using filter_input with INPUT_GET, INPUT_POST or INPUT_COOKIE, it's like accessing the $_GET/$_POST superglobals. Therefore nonce validation is required.
Minimal Code Snippet
The issue happens when running this command:
./bin/phpcs --config-set installed_paths ../wpcs
... over a file containing this code:
```php
<?php
// should report an error
$foo = filter_input( INPUT_POST, 'email', FILTER_SANITIZE_EMAIL );
update_option( 'abc', $foo, false );

// correctly reports an error:
$foo = $_POST['email'];
update_option( 'def', $foo, false );
```
Error Code
WordPress.Security.NonceVerification.Missing
Environment
| Question | Answer |
|---|---|
| PHP version | 7.4 |
| PHP_CodeSniffer version | 3.7.2 |
| WPCS version | 2.3.0 |
| WPCS install type | https://github.com/WordPress/WordPress-Coding-Standards#standalone |
Tested Against develop branch?
- [ ] I have verified the issue still exists in the develop branch of WPCS.
Just saw that this was requested by @GaryJones when this rule was added initially: https://github.com/WordPress/WordPress-Coding-Standards/pull/325#issuecomment-77323314
While back then someone said that filter_input was discouraged, using filter_input is actually the safer method compared to (some) WP sanitizing functions, since the INPUT_* data is out of scope of userland (e.g. $_POST['foo'] might already have been modified somewhere/by any plugin, while INPUT_POST, 'foo' is guaranteed to be unmodified), and some sanitizers are more secure than what WP can provide (e.g. for host names).
The same issue also applies to filter_has_var and filter_input_array.
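The two forms side by side, as an added example that is not code from the issue author or from the WordPress-Coding-Standards project: the filter_input()-based handler the report wants flagged, and the same handler with a nonce check placed before any request data is read, extended to the filter_has_var() and filter_input_array() cases raised above. The option names 'abc' and 'abc_host', the nonce action 'abc_save' and the nonce field '_abc_nonce' are hypothetical; the WordPress core functions (wp_verify_nonce, wp_nonce_field, wp_die, update_option) are assumed to be loaded.

```php
<?php
// Added example, not code from the WordPress-Coding-Standards project or the
// issue author. Assumes WordPress core is loaded (wp_verify_nonce, wp_die,
// update_option, wp_nonce_field). The option names 'abc' and 'abc_host', the
// nonce action 'abc_save' and the nonce field '_abc_nonce' are hypothetical.

// Form that should trigger WordPress.Security.NonceVerification.Missing:
// request data reaches update_option() without any nonce check, exactly as it
// would if it had been read from $_POST['email'].
function abc_save_unverified() {
	$email = filter_input( INPUT_POST, 'email', FILTER_SANITIZE_EMAIL );
	update_option( 'abc', $email, false );
}

// Emits the hidden form field that carries the nonce, paired with the action
// name verified in abc_save_verified() below.
function abc_nonce_field() {
	wp_nonce_field( 'abc_save', '_abc_nonce' );
}

// Hardened form: the nonce is checked before any other request data is used.
// The nonce is read with filter_input() too, so the handler never touches
// $_POST, and the original request body is what gets verified even if other
// code modified $_POST earlier in the request.
function abc_save_verified() {
	$nonce = filter_input( INPUT_POST, '_abc_nonce', FILTER_UNSAFE_RAW );
	if ( ! is_string( $nonce ) || ! wp_verify_nonce( $nonce, 'abc_save' ) ) {
		wp_die( 'Nonce verification failed.', 403 );
	}

	// filter_has_var() and filter_input_array() read the request as well, so
	// they belong after the nonce check, not before it.
	if ( ! filter_has_var( INPUT_POST, 'email' ) ) {
		wp_die( 'Missing email field.', 400 );
	}

	$fields = filter_input_array(
		INPUT_POST,
		array(
			'email' => FILTER_VALIDATE_EMAIL,
			// Validates the value as a host name: the case mentioned in the
			// thread where the PHP filter is stricter than a generic WP
			// sanitizer.
			'host'  => array(
				'filter' => FILTER_VALIDATE_DOMAIN,
				'flags'  => FILTER_FLAG_HOSTNAME,
			),
		)
	);

	// filter_input_array() returns false for a field that failed validation
	// and null for one that was absent (and null for the whole call when the
	// POST input is not populated at all); treat all of these as a bad request.
	if ( ! is_array( $fields ) || ! is_string( $fields['email'] ) || ! is_string( $fields['host'] ) ) {
		wp_die( 'Invalid input.', 400 );
	}

	update_option( 'abc', $fields['email'], false );
	update_option( 'abc_host', $fields['host'], false );
}
```

In a plugin this handler would typically be wired up with add_action( 'admin_post_abc_save', 'abc_save_verified' ) and the form would include abc_nonce_field(); the point for the sniff is that every function in the block above reads the request through filter_input()/filter_has_var()/filter_input_array() and so needs to be treated exactly like a direct $_POST access when looking for the nonce check.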
@johnstonphilip Please don't spam issues with "+1"'s which don't contribute anything useful to the discussion. You can use the emoji response on the first post for that.
I didn't intend to spam. My apologies. I'm just wanting to note that this is a very important issue to me. Thanks, and my apologies again!