
I'm trying to fix up my code to meet the WordPress VIP Coding Standards. I'm getting a couple of issues that I'd like to see go away, but I'm not sure what the best strategy is.

The first issue is when I'm verifying a nonce while saving metabox data:

$nonce = isset( $_POST['revv_meta_box_nonce'] ) ? $_POST['revv_meta_box_nonce'] : '';

The error I'm getting here is 'Processing data without nonce verification', which is pretty silly since I'm just storing the nonce in a variable, which I then verify on the next line.

The second issue is when I'm storing the data:

$foo = isset( $_POST['foo'] ) ? sanitize_text_field( $_POST['foo'] ) : '';
update_post_meta( $post_id, '_foo', $foo );

On the first line there, the sniffer is complaining that I'm not running wp_unslash on the data before sanitizing it. But the data is going directly into update_post_meta on the next line, which expects that data to not be unslashed.

Any ideas on the best strategy for getting rid of these error messages? Thanks!

asked Jan 16, 2016 at 12:22 by dabernathy89
  • Since a metabox doesn't usually need to have a nonce, I would say that the requirement is idiotic (but that is what the Codex shows :( ), so your problem is with the VIP people and you should ask them; this is off-topic for this site. – Mark Kaplun, commented Jan 16, 2016 at 12:40
  • Agreed, I can't see an issue with the first snippet. For the second one, you do need to unslash (WordPress enforces magic quotes, bizarrely), and the *_post_meta functions do not expect the data slashed (it will be escaped at the point of DB insertion). – TheDeadMedic, commented Jan 17, 2016 at 19:09
  • @TheDeadMedic thanks, looks like I misread the docs on that one. – dabernathy89, commented Jan 24, 2016 at 20:38

1 Answer


You can use filter_input to sanitize your $_POST array.

$nonce = filter_input( INPUT_POST, 'revv_meta_box_nonce', FILTER_SANITIZE_STRING );

Use empty() to check whether $nonce has a value or not.

You can use the same for the second issue:

$foo = filter_input( INPUT_POST, 'foo', FILTER_SANITIZE_STRING );

Change the 3rd parameter based on the data you expect in $_POST['foo']. Check this doc for the available filters.
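As an added example (not code from the question or the answer above), here is a save handler that clears both sniffs: the nonce is read, unslashed and verified before any other $_POST field is touched, and the field is unslashed and then sanitized before it reaches update_post_meta(). Two caveats worth knowing: update_post_meta() unslashes its value again internally, so the clean value is re-slashed with wp_slash() to keep literal backslashes, and FILTER_SANITIZE_STRING is deprecated since PHP 8.1, which is why the WordPress sanitizers are used instead. The callback names, the nonce action and the field/meta names are assumed for illustration.

```php
<?php
// Added example, not code from the question or the answer. Callback names,
// the nonce action and the field/meta names are assumed.

function revv_save_meta_box_data( $post_id ) {
	// Autosaves and revisions never carry the form fields; nothing to do.
	if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
		return;
	}

	// Read the nonce with isset()/wp_unslash()/sanitize so the sniff is satisfied,
	// then verify it before any other $_POST field is touched.
	$nonce = isset( $_POST['revv_meta_box_nonce'] )
		? sanitize_text_field( wp_unslash( $_POST['revv_meta_box_nonce'] ) )
		: '';
	if ( '' === $nonce || ! wp_verify_nonce( $nonce, 'revv_save_meta_box' ) ) {
		return;
	}

	// A nonce proves intent, not authority: check the capability separately.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		return;
	}

	// Order matters: wp_unslash() strips the slashes WordPress adds to the
	// superglobals, then sanitize_text_field() reduces the value to plain text.
	$foo = isset( $_POST['foo'] )
		? sanitize_text_field( wp_unslash( $_POST['foo'] ) )
		: '';

	// update_post_meta() unslashes its value again internally, so re-slash the
	// clean value to keep any literal backslashes the user typed.
	update_post_meta( $post_id, '_foo', wp_slash( $foo ) );
}
add_action( 'save_post', 'revv_save_meta_box_data' );

// The meta box callback must emit the matching nonce field for the check above.
function revv_render_meta_box( $post ) {
	wp_nonce_field( 'revv_save_meta_box', 'revv_meta_box_nonce' );
	$foo = get_post_meta( $post->ID, '_foo', true );
	printf(
		'<label for="revv_foo">Foo</label> <input type="text" id="revv_foo" name="foo" value="%s" />',
		esc_attr( $foo )
	);
}
```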

Tags: security, PHP Code Sniffer, WordPress VIP Coding Standards