[wp-trac] [WordPress Trac] #63866: Always sanitize the first parameter of wp_verify_nonce
WordPress Trac
noreply at wordpress.org
Sat Aug 23 13:10:17 UTC 2025
#63866: Always sanitize the first parameter of wp_verify_nonce
-------------------------+------------------------------
Reporter: davidperez | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion | Focuses:
-------------------------+------------------------------
Comment (by pruthviraj07):
Hi everyone,
From my understanding, the proposal here is to ensure that the first
parameter of `wp_verify_nonce()` is automatically sanitized internally, so
plugin and theme developers don’t need to repeatedly write:
{{{#!php
wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['field'] ) ), 'action' );
}}}
A possible change could be updating the function like so:
{{{#!php
$nonce = sanitize_text_field( (string) $nonce );
}}}
instead of only casting to string.
This way, sanitization becomes consistent across the ecosystem, and the
risk of developers forgetting to sanitize is reduced.
I’d like to work on preparing a patch with this modification. Before I
proceed, I’d love to hear feedback from core committers:
- Do we see this as a safe enhancement for backwards compatibility?
- Should sanitization be applied unconditionally, or only when the
`$nonce` is passed from `$_REQUEST`/`$_POST` contexts?
Thanks! Happy to iterate based on guidance.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63866#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
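An added example, not code from the ticket or from WordPress core: stand-alone PHP that models the comparison inside `wp_verify_nonce()` (nonce derived from tick|action|uid|token, compared with `hash_equals()`) and toggles the proposed internal sanitization, so the effect on a few constructed inputs can be seen without loading WordPress. The fixed salt, tick, user id and the simplified stand-in for `sanitize_text_field()` are assumptions.

```php
<?php
// Added example, not WordPress core code. Runs in plain PHP CLI.
const NONCE_SALT = 'constructed-salt-not-a-real-secret'; // assumption: fixed salt
const NONCE_TICK = 1234;                                   // assumption: fixed tick
const USER_ID    = 7;                                      // assumption: fixed user

// Mirrors how core derives a nonce: wp_hash( tick|action|uid|token ), 10 chars.
function mock_create_nonce( string $action ): string {
    $data = NONCE_TICK . '|' . $action . '|' . USER_ID . '|tok';
    return substr( hash_hmac( 'md5', $data, NONCE_SALT ), -12, 10 );
}

// Simplified stand-in for sanitize_text_field() (assumption): strip tags,
// drop control characters, trim surrounding whitespace.
function mock_sanitize_text_field( string $s ): string {
    $s = strip_tags( $s );
    $s = preg_replace( '/[\x00-\x1F\x7F]/', '', $s );
    return trim( $s );
}

// $sanitize_inside = true models the proposed change to wp_verify_nonce().
function mock_verify_nonce( $nonce, string $action, bool $sanitize_inside ): bool {
    $nonce = (string) $nonce;
    if ( $sanitize_inside ) {
        $nonce = mock_sanitize_text_field( $nonce );
    }
    if ( '' === $nonce ) {
        return false;
    }
    // Constant-time comparison, as core does with hash_equals().
    return hash_equals( mock_create_nonce( $action ), $nonce );
}

$valid = mock_create_nonce( 'action' );
$cases = [                                        // constructed inputs
    'exact'          => $valid,
    'trailing space' => $valid . ' ',
    'wrapped in tag' => '<b>' . $valid . '</b>',
    'forged'         => str_repeat( '0', 10 ),
];
foreach ( $cases as $label => $input ) {
    printf( "%-15s caller-only: %-5s internal: %s\n", $label,
        mock_verify_nonce( $input, 'action', false ) ? 'true' : 'false',
        mock_verify_nonce( $input, 'action', true ) ? 'true' : 'false' );
}
```

With the stand-in sanitizer, the "trailing space" and "wrapped in tag" inputs verify only when sanitization happens inside the function; the forged value fails either way.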