Valid code:
function verify()
{
    // Only tests whether the field is present; the value itself is never used.
    if (empty($_REQUEST['g-recaptcha-response'])) {
        return false;
    }
}
Result:
| 74 | 15 | WARNING | WordPress.Security.NonceVerification.Missing | Processing form data without nonce verification. | |
This should not be a warning, as I am not doing anything with the value, just checking if it exists.
Multiple errors:
function verifyNonce($key, $action = -1)
{
    if (empty($_POST[$key])) {
        return false;
    }
    return wp_verify_nonce(sanitize_text_field(wp_unslash($_POST[$key])), $action);
}

if (!verifyNonce('nonce', 'tsjippy-plugin-actions')) {
    ?>
    <div class='error'>
        Invalid nonce
    </div>
    <?php
    return;
}

if (!empty($_GET['activate'])) {
    $key = 'activate';
} else {
    $key = 'install';
}
$slug = sanitize_text_field(wp_unslash($_GET[$key] ?? ''));
if (!empty($_GET['install'])) {
    updateOrDownloadPlugin($slug);
}
Result:
99 | 20 | WARNING | WordPress.Security.NonceVerification.Recommended | Processing form data without nonce verification.
105 | 50 | WARNING | WordPress.Security.NonceVerification.Recommended | Processing form data without nonce verification.
107 | 20 | WARNING | WordPress.Security.NonceVerification.Recommended | Processing form data without nonce verification.
I have a custom nonce verifying function, it would be great if that could be recognised.
Code:
($_GET['update'] ?? '') == $slug
Result:
589 | 18 | WARNING | WordPress.Security.NonceVerification.Recommended | Processing form data without nonce verification.
589 | 18 | WARNING | WordPress.Security.ValidatedSanitizedInput.MissingUnslash | $_GET['update'] not unslashed before sanitization. Use wp_unslash() or similar
589 | 18 | WARNING | WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | Detected usage of a non-sanitized input variable: $_GET['update']
I am hard-comparing this value against another value; I don't think sanitizing is needed, right?
Code:
foreach (glob("{" . __DIR__ . "," . __DIR__ . "/php," . __DIR__ . "/extra/*/php}/*.php", GLOB_BRACE) as $file) {
    require_once($file);
}
unset($file);
Error:
16 | 103 | WARNING | WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$file".
This temp variable is later unset, so no warning is needed.
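For reference, a phpcs.xml.dist fragment showing how the two sniffs named in the reports above can be told about a project's own helpers. This is an added illustration, not part of the issue or of the WordPress Coding Standards project; the function name verifyNonce comes from the snippet above, while the prefix value is a placeholder to be replaced with the plugin's real prefix.

```xml
<?xml version="1.0"?>
<ruleset name="Example plugin ruleset">
    <!-- Start from the full WordPress standard. -->
    <rule ref="WordPress"/>

    <!-- Added example: register the custom verifyNonce() helper from the
         snippet above so that calls to it count as nonce verification,
         the same way wp_verify_nonce() does. -->
    <rule ref="WordPress.Security.NonceVerification">
        <properties>
            <property name="customNonceVerificationFunctions" type="array">
                <element value="verifyNonce"/>
            </property>
        </properties>
    </rule>

    <!-- The prefix below is a placeholder; use the plugin's actual prefix. -->
    <rule ref="WordPress.NamingConventions.PrefixAllGlobals">
        <properties>
            <property name="prefixes" type="array">
                <element value="myplugin"/>
            </property>
        </properties>
    </rule>
</ruleset>
```

Place the file in the project root and run phpcs without a --standard argument; it picks up phpcs.xml.dist automatically. Registering the helper addresses the "could that be recognised" request for the custom nonce check; the prefixes property only declares the accepted prefix and does not by itself exempt the unprefixed $file loop variable.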