Open
Description
opened on Jul 10, 2023
Bug Description
When using filter_input with INPUT_GET or INPUT_POST or INPUT_COOKIE, it's like accessing the $_GET/$_POST superglobals.
Therefore a nonce validation is required.
Minimal Code Snippet
The issue happens when running this command:
```bash
./bin/phpcs --config-set installed_paths ../wpcs
```
... over a file containing this code:
```php
// should report an error
$foo = filter_input( INPUT_POST, 'email', FILTER_SANITIZE_EMAIL );
update_option( 'abc', $foo, false );

// correctly reports an error:
$foo = $_POST['email'];
update_option( 'def', $foo, false );
```
Error Code
WordPress.Security.NonceVerification.Missing
Environment
Question | Answer |
---|---|
PHP version | 7.4 |
PHP_CodeSniffer version | 3.7.2 |
WPCS version | 2.3.0 |
WPCS install type | https://github.com/WordPress/WordPress-Coding-Standards#standalone |
Tested Against develop branch?
- I have verified the issue still exists in the develop branch of WPCS.
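
A sketch of the check this report asks for, added here as an example and not taken from WPCS or from the reporter: it tokenizes PHP source and reports `filter_input()` calls on `INPUT_GET`, `INPUT_POST` or `INPUT_COOKIE` that have no nonce check before them. Assumptions: the three WordPress functions in `NONCE_CHECKS` are what counts as verification, the scope is the whole source string and not the enclosing function, and the `save_email` action name is constructed.

```php
<?php
// Added illustration (not WPCS code): report filter_input() reads of request
// data that have no nonce check earlier in the same source string.
// Simplification: the scope is the whole string, not the enclosing function.
const REQUEST_TYPES = ['INPUT_GET', 'INPUT_POST', 'INPUT_COOKIE'];
const NONCE_CHECKS  = ['wp_verify_nonce', 'check_admin_referer', 'check_ajax_referer'];

function find_unverified_filter_input(string $source): array
{
    // Drop whitespace and comments so the "name (" lookahead is a fixed offset.
    $skip   = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = array_values(array_filter(
        token_get_all($source),
        fn($t) => !is_array($t) || !in_array($t[0], $skip, true)
    ));

    $verified = false;
    $findings = [];
    foreach ($tokens as $i => $tok) {
        $prev = $tokens[$i - 1] ?? null;
        // Only plain function calls: skip methods, static calls, declarations.
        if (!is_array($tok) || $tok[0] !== T_STRING || ($tokens[$i + 1] ?? null) !== '('
            || (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true))) {
            continue;
        }
        $name = strtolower($tok[1]);
        if (in_array($name, NONCE_CHECKS, true)) {
            $verified = true; // a nonce check precedes any later read
        } elseif ($name === 'filter_input' && !$verified) {
            $type = $tokens[$i + 2] ?? null; // first argument of the call
            if (is_array($type) && in_array($type[1], REQUEST_TYPES, true)) {
                $findings[] = ['line' => $tok[2], 'type' => $type[1]];
            }
        }
    }
    return $findings;
}

// Constructed samples: the read from the report, then the same read after a nonce check.
$unchecked = "<?php\n\$foo = filter_input( INPUT_POST, 'email', FILTER_SANITIZE_EMAIL );\n";
$checked   = "<?php\ncheck_admin_referer( 'save_email' );\n" . substr($unchecked, 6);

var_dump(find_unverified_filter_input($unchecked));
var_dump(find_unverified_filter_input($checked));
```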