Fix WordPress Nonce Verification PHPCS Warnings#1025

Open

faisalahammad wants to merge 1 commit into wp-media:develop from faisalahammad:fix/issue-971-nonce-verification

Conversation

@faisalahammad faisalahammad commented Feb 27, 2026

Summary

Fixes missing and improperly formatted phpcs:ignore comments causing PHPCS warnings about WordPress HTTP Variable Nonce Verification.

Fixes #971

Problem

PHP CodeSniffer raised multiple warnings for WordPress.Security.NonceVerification.Missing and WordPress.Security.NonceVerification.Recommended across various $_POST and $_GET data processing blocks. A recent ruleset update stopped suppressing these warnings globally, exposing poorly-formatted ignore tags and unignored conditionals.

Solution

Replaced outdated // WPCS: CSRF ok. comments with standard // phpcs:ignore tag syntax, placed them correctly before the code block they evaluate, and added explicit ignore tags immediately above isset() or empty() usages. Removed redundant use namespace declarations that caused Unit Tests to fail with Reflection classes.

Changes

inc/classes/class-imagify-settings.php

Before:

if ( isset( $_POST['imagify_settings'] ) ) { // WPCS: CSRF ok.

After:

// phpcs:ignore WordPress.Security.NonceVerification.Missing
if ( isset( $_POST['imagify_settings'] ) ) {

Why this works:
Standardized PHPCS annotations must strictly precede the evaluated lines to ensure the CodeSniffer properly parses and suppresses the warning instead of flagging valid application logic.

classes/Bulk/Bulk.php

Before:

if ( ! empty( $_POST['imagify_folder_type'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.NonceVerification.Recommended
    $folder_type = sanitize_text_field( wp_unslash( $_POST['imagify_folder_type'] ) );

After:

// phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.NonceVerification.Recommended
if ( ! empty( $_POST['imagify_folder_type'] ) ) {
    // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.NonceVerification.Recommended
    $folder_type = sanitize_text_field( wp_unslash( $_POST['imagify_folder_type'] ) );

Why this works:
PHP CodeSniffer requires subsequent variable initializations referencing $_POST elements to also have an ignore directive natively above the assignment to squash subsequent validation errors.

Testing

Automated Tests

$ vendor/bin/phpcs --standard=phpcs.xml --sniffs=WordPress.Security.NonceVerification .
0 Errors
0 Warnings

$ composer run test-unit
Tests: 24, Assertions: 59
OK (24 tests, 59 assertions)
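Added example, not code from this PR or from the Imagify plugin: the two situations the WordPress.Security.NonceVerification sniffs distinguish, written as hypothetical helpers (myplugin_save_settings, myplugin_current_tab, the myplugin_settings option and myplugin_nonce field are all assumed names). A state-changing handler verifies the nonce with check_admin_referer(), which the sniff recognises, so no phpcs:ignore is needed there; a read-only use of $_GET that changes nothing needs no nonce and is suppressed line by line, since a phpcs:ignore comment covers only the line it precedes (or sits on), which is why the PR adds one above the conditional and another above the assignment.

```php
<?php
/**
 * Added example (hypothetical plugin code, not Imagify's).
 * Shows when to verify a nonce and when a phpcs:ignore is the right answer.
 */

/**
 * State-changing handler: check capability, verify the nonce, then read $_POST.
 * check_admin_referer() dies on a missing or invalid nonce and the
 * NonceVerification sniff recognises the call, so no phpcs:ignore is needed.
 * The form is assumed to have been rendered with
 * wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ).
 */
function myplugin_save_settings() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ) );
	}

	check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

	if ( ! isset( $_POST['myplugin_settings'] ) || ! is_array( $_POST['myplugin_settings'] ) ) {
		return;
	}

	// Unslash first, then sanitize each value before persisting.
	$settings = array_map( 'sanitize_text_field', wp_unslash( $_POST['myplugin_settings'] ) );
	update_option( 'myplugin_settings', $settings );
}

/**
 * Read-only use of a request variable (choosing which settings tab to render).
 * Nothing is modified, so a nonce adds no protection; suppress the sniff on
 * each line that touches $_GET, because phpcs:ignore is per line.
 */
function myplugin_current_tab() {
	// phpcs:ignore WordPress.Security.NonceVerification.Recommended
	if ( empty( $_GET['tab'] ) ) {
		return 'general';
	}

	// phpcs:ignore WordPress.Security.NonceVerification.Recommended
	$tab = sanitize_key( wp_unslash( $_GET['tab'] ) );

	// Allow-list the value rather than trusting the request.
	return in_array( $tab, array( 'general', 'advanced' ), true ) ? $tab : 'general';
}
```

The rule of thumb the sniff encodes: a phpcs:ignore is only appropriate where the request data cannot change state; wherever $_POST drives a write, verifying the nonce (and the capability) both removes the warning and closes the CSRF path the sniff exists to flag.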

Successfully merging this pull request may close these issues.

Coding Standards: WordPress security nonce verification