hlashbrooke/WordPress-Plugin-Template

PHP-codesniffer says: use a nonce on the tabbed settings.

seezee opened this issue · 2 comments

PHPCS throws this warning when run against includes/class-my-plugin-settings.php: WARNING | Processing form data without nonce verification. I've included all of the errors for thoroughness, but most of them are easy fixes. The nonce error I have no idea how to fix, or even if it should be fixed.

The affected lines are 251, 252, 254, 255, 317, 318, & 331.

--------------------------------------------------------------------------------------
FOUND 9 ERRORS AND 15 WARNINGS AFFECTING 17 LINES
--------------------------------------------------------------------------------------
  15 | WARNING | Property name "$_instance" should not be prefixed with an underscore
     |         | to indicate visibility
  91 | WARNING | In footer ($in_footer) is not set explicitly wp_register_script; It
     |         | is recommended to load scripts in the footer. Please set this value
     |         | to `true` to load it in the footer, or explicitly `false` if it
     |         | should be loaded in the header.
 251 | ERROR   | Processing form data without nonce verification.
 251 | ERROR   | Processing form data without nonce verification.
 252 | ERROR   | Processing form data without nonce verification.
 254 | WARNING | Processing form data without nonce verification.
 254 | WARNING | Processing form data without nonce verification.
 255 | WARNING | Processing form data without nonce verification.
 261 | WARNING | Found: !=. Use strict comparisons (=== or !==).
 303 | ERROR   | All output should be run through an escaping function (see the
     |         | Security sections in the WordPress Developer Handbooks), found
     |         | '$html'.
 317 | WARNING | Processing form data without nonce verification.
 317 | WARNING | Processing form data without nonce verification.
 318 | WARNING | Processing form data without nonce verification.
 331 | WARNING | Processing form data without nonce verification.
 332 | WARNING | Found: ==. Use strict comparisons (=== or !==).
 336 | WARNING | Processing form data without nonce verification.
 336 | WARNING | Found: ==. Use strict comparisons (=== or !==).
 336 | WARNING | Processing form data without nonce verification.
 343 | WARNING | Processing form data without nonce verification.
 371 | ERROR   | All output should be run through an escaping function (see the
     |         | Security sections in the WordPress Developer Handbooks), found
     |         | '$html'.
 397 | ERROR   | All output should be run through an escaping function (see the
     |         | Security sections in the WordPress Developer Handbooks), found '__'.
 397 | ERROR   | All output should be run through an escaping function (see the
     |         | Security sections in the WordPress Developer Handbooks), found
     |         | '$this'.
 406 | ERROR   | All output should be run through an escaping function (see the
     |         | Security sections in the WordPress Developer Handbooks), found '__'.
 406 | ERROR   | All output should be run through an escaping function (see the
     |         | Security sections in the WordPress Developer Handbooks), found
     |         | '$this'.
--------------------------------------------------------------------------------------
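Added worked example, not code from the template repository or from anyone in this thread: a minimal tabbed settings class written so that the nonce-verification and escaping sniffs above stay quiet. In WordPress Coding Standards the ERROR form of "Processing form data without nonce verification" fires on unverified reads of $_POST and the WARNING form on $_GET/$_REQUEST, which matches the split between lines 251/252 and the rest of the report. All functions called here (wp_nonce_url, wp_verify_nonce, check_admin_referer, sanitize_text_field, wp_unslash, esc_url, esc_attr, esc_html, current_user_can, update_option) are WordPress core; the class, option and nonce action names are hypothetical, and the code assumes it runs inside WordPress with the settings form emitting a matching wp_nonce_field().

```php
<?php
/**
 * Added example (not part of WordPress-Plugin-Template): a tabbed settings
 * page that passes the WPCS NonceVerification and EscapeOutput sniffs.
 * Assumes WordPress core is loaded; all names below are hypothetical.
 */
class My_Plugin_Settings_Example {

	/** Allowed tab slugs; anything else arriving in $_GET is ignored. */
	private $tabs = array(
		'standard' => 'Standard',
		'extra'    => 'Extra',
	);

	const TAB_NONCE_ACTION = 'my_plugin_switch_tab';

	/**
	 * Decide which tab to display. Reading $_GET['tab'] with no nonce check is
	 * exactly what triggers the WARNING; verifying the nonce that
	 * wp_nonce_url() put on the tab link clears it. A missing or expired nonce
	 * is not fatal here, because nothing changes state: we just fall back to
	 * the default tab.
	 */
	public function current_tab() {
		$tab = 'standard';

		if ( isset( $_GET['tab'], $_GET['_wpnonce'] ) ) {
			$nonce = sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) );
			if ( wp_verify_nonce( $nonce, self::TAB_NONCE_ACTION ) ) {
				$requested = sanitize_text_field( wp_unslash( $_GET['tab'] ) );
				// Whitelist against known tabs rather than trusting a sanitized string.
				if ( isset( $this->tabs[ $requested ] ) ) {
					$tab = $requested;
				}
			}
		}
		return $tab;
	}

	/** Build the tab navigation; every link carries the nonce current_tab() checks. */
	public function tab_nav_html() {
		$current = $this->current_tab();
		$html    = '<h2 class="nav-tab-wrapper">';
		foreach ( $this->tabs as $slug => $label ) {
			$url = wp_nonce_url(
				add_query_arg(
					array( 'page' => 'my_plugin_settings', 'tab' => $slug ),
					admin_url( 'options-general.php' )
				),
				self::TAB_NONCE_ACTION
			);
			$class = ( $slug === $current ) ? 'nav-tab nav-tab-active' : 'nav-tab'; // strict comparison
			// Escape each piece as it is added, so the assembled string is safe to echo.
			$html .= sprintf(
				'<a href="%s" class="%s">%s</a>',
				esc_url( $url ),
				esc_attr( $class ),
				esc_html( $label )
			);
		}
		return $html . '</h2>';
	}

	/**
	 * Handler for a form that posts back to the plugin instead of options.php
	 * (the Settings API's settings_fields() already covers the options.php path).
	 * Unverified $_POST reads are the ERROR form of the sniff.
	 */
	public function handle_save() {
		if ( ! current_user_can( 'manage_options' ) ) {
			wp_die( esc_html__( 'You do not have permission to change these settings.', 'my-plugin' ) );
		}
		// Pairs with wp_nonce_field( 'my_plugin_save_settings', 'my_plugin_nonce' ) in the form.
		// Dies with the standard "link you followed has expired" page on a bad nonce.
		check_admin_referer( 'my_plugin_save_settings', 'my_plugin_nonce' );

		$value = isset( $_POST['my_plugin_text'] )
			? sanitize_text_field( wp_unslash( $_POST['my_plugin_text'] ) )
			: '';
		update_option( 'my_plugin_text', $value );
	}
}
```

Two practical notes. First, a nonce proves intent and blocks CSRF; it is not input validation, so the tab value is still unslashed, sanitized and checked against the whitelist even after the nonce verifies. Second, the escaping errors on `$html` and `__()` are cleared the same way as in tab_nav_html(): escape at the point each fragment is produced (esc_html__/esc_attr__ for translated strings, esc_url for links), so that the final echo is emitting already-escaped markup rather than a string the sniff cannot reason about.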

@seezee thanks for posting. There's quite a large PR that needs to be merged that will fix a lot of the WPCS issues #76. I'm in the process of reviewing with an aim to merge it in the coming weeks.

@seezee TravisCI checks are now passing 🎉