[wp-trac] [WordPress Trac] #63866: Always sanitize the first parameter of wp_verify_nonce
WordPress Trac
noreply at wordpress.org
Mon Aug 25 00:41:20 UTC 2025
#63866: Always sanitize the first parameter of wp_verify_nonce
-------------------------+----------------------
Reporter: davidperez | Owner: (none)
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Security | Version:
Severity: normal | Resolution: wontfix
Keywords: 2nd-opinion | Focuses:
-------------------------+----------------------
Changes (by peterwilsoncc):
* status: new => closed
* resolution: => wontfix
* milestone: Awaiting Review =>
Comment:
@davidperez I'm afraid WordPress can't unslash the parameter sent to
`wp_verify_nonce()` for a couple of reasons:
* it assumes that the parameter is a form input, which is usually but not always the case
* it could break sites with custom implementations of nonces by double unslashing their data. For example the form input `pens\and\pencils` would become `pensandpencils` after double unslashing.
For similar reasons, sanitization within the function could also become
problematic. WordPress does handle double sanitization but doing so makes
presumptions about the implementation.
As to whether the coding standards should require sanitization, there's a big long discussion in the [https://github.com/WordPress/WordPress-Coding-Standards/issues/869 WordPress Coding Standards issue tracker]. Feel free to share all your thoughts there.
As this change can't be made without breaking backward compatibility, I'm
going to close the ticket as wontfix.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63866#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
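The double-unslashing breakage described in the comment above, as an added PHP illustration that is not part of the ticket and not WordPress core code. `unslash()` is a stand-in for `wp_unslash()` (which reduces to `stripslashes()` for a plain string), `hypothetical_verify_nonce_param()` models the proposed unconditional unslash inside `wp_verify_nonce()`, and the input value is constructed; real `wp_create_nonce()` tokens are hexadecimal, so the corruption only shows up for the custom nonce implementations the comment mentions.

```php
<?php
// Added illustration (not WordPress code): why unslashing inside
// wp_verify_nonce() would double-unslash callers that already unslash.

// Stand-in for wp_unslash(). WordPress's version is stripslashes_deep(),
// which reduces to stripslashes() for a plain string.
function unslash(string $value): string {
    return stripslashes($value);
}

// Constructed input: the user typed pens\and\pencils into a form field.
// WordPress adds slashes to the request superglobals, so $_POST holds
// pens\\and\\pencils (addslashes() reproduces that here).
$submitted   = 'pens\\and\\pencils';   // single-quoted: \\ is one backslash
$as_received = addslashes($submitted);

// Current behaviour: the caller unslashes once before passing the value on,
// which restores exactly what the user typed.
$once = unslash($as_received);

// Proposed behaviour: wp_verify_nonce() unslashes its first parameter
// itself. A caller that already unslashed now has its value stripped a
// second time, and the remaining backslashes disappear.
function hypothetical_verify_nonce_param(string $nonce): string {
    return unslash($nonce);   // the extra, unconditional unslash
}
$twice = hypothetical_verify_nonce_param($once);

// A custom nonce scheme that compares the token byte-for-byte against the
// value it originally issued succeeds with $once and fails with $twice.
$expected_token = $submitted;
$verified_now      = hash_equals($expected_token, $once);
$verified_proposed = hash_equals($expected_token, $twice);

printf("received : %s\n", $as_received);
printf("once     : %s  verified=%s\n", $once,  var_export($verified_now, true));
printf("twice    : %s  verified=%s\n", $twice, var_export($verified_proposed, true));
```

Run it with `php` on the command line. The script shows the mechanism behind the wontfix: core cannot know whether a caller has already unslashed, so the safe place for unslashing and sanitizing remains the call site, which is what the linked coding-standards discussion is about.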