Form Security: nonce vs. jQuery

jQuery is a js library not a transport protocol, your data is sent via GET or POST, wether you use jquery or not.

Think of it like this, sometimes it’s the user in the first frame, sometimes it’s javascript:

enter image description here

Firstly nonces are not the same as sanitisation, they have different purposes

Sanitisation is about verifying what the source says is in the correct format, checking for misformatted data, and catching when malicious data is sent.

Nonces are cryptographic tokens that ensure that the user is sending the request from the correct place, with the correct permission. The user could only have gotten that security token if they were in the right place at the right time ( remember the bug when you could put an image in your content but the src attribute didnt point to an image, it pointed to a facebook logout URL? That’s what nonces are there to prevent ).

So use both.

Also, client side sanitisation isn’t enough. What if I turn off Javascript, or there’s an error preventing the sanitisation running?

See here:
https://stackoverflow.com/questions/3483514/why-is-client-side-validation-not-enough

You need PHP level sanitisaiton too, it’s unavoidable. Never trust anything the client/browser sends you. It may not even be a browser or your page sending it.

Suggested topics of research:

Related Posts:

  1. Do I require the use of nonce?
  2. Security – Ajax and Nonce use [closed]
  3. Ajax loaded form replaces form action with Ajax url
  4. prevent default not stopping page refresh. Passing form information to and from php with ajax in a wordpress site
  5. Why ajax doesn’t work on certain wordpress hooks and reload the page instead?
  6. Show success or error messages in Ajax response to WordPress custom registration form
  7. WordPress admin-ajax.php 400 bad request
  8. Ajax contact form return 0
  9. How to use the wpsnonce clone post link?
  10. Implement jQuery Smart wizard
  11. Form not working as it should in WordPress, but in a normal HTML site it does
  12. Submitting my form to the database and then redirecting to payment site
  13. Nonce fail after second submit attempt
  14. Using Nonce for my Form
  15. ajax form function error
  16. How to correctly submit a search form and display the result in an independent page
  17. Metabox repeating fields – radio buttons not saving correctly
  18. Jquery no more loading, load-scripts.php not found (404)
  19. How to handle a custom form in wordpress to submit to another page?
  20. How to use WordPress (PHP) functions in AngularJS partials files?
  21. Creating a WordPress form with a PHP script and default header
  22. Remove commas from WooCommerce checkout addresses fields
  23. Using an Image Slider twice on the same page
  24. Getting the dropdown menu to redirect to different pages?
  25. When must I use and verify nonce?
  26. What SQL / WordPress queries would need a nonce?
  27. JQuery not working on WordPress Admin page [closed]
  28. Asking popup for delete post in WordPress [closed]
  29. jQuery .each to get post meta and subtract from a sum
  30. Adding Custom Forms
  31. How do I let users upload files to a chosen location?
  32. How to test nonce with AJAX – Plugin development
  33. WP nonce invalid
  34. Slider loading issue
  35. How to limit the number of forgot password reset attempts in WordPress?
  36. Modify HTML structure of fields in woocommerce checkout form
  37. AJAX pagination, update current page
  38. Limit Widgets to Sidebar ID’s
  39. How can I get the values of my WordPress $wpdb query in Jquery?
  40. How to add a do_action on refreshing of WP customizer?
  41. WordPress Multiple Navigation bars
  42. Styling my own password protected page, how to deal with wrong password?
  43. Add / Update Custom Fields After Select Pictures in Media Window
  44. Login to wordpress by clicking a link and specifying usernaname and password in url
  45. Pull GetOption() variable into jQuery dynamically created html
  46. Royalty-Free Sliders used in theme development
  47. Trying do build a contact form
  48. Error – ‘create_function is deprecated’ [closed]
  49. How to execute html code inside php?
  50. Double jQuery loaded
  51. Trying to prepend a Hashtag symbol to the_tags links [closed]
  52. Javascript not loading on certain page
  53. What is the alternative code to if (isset ($_POST) && !empty ($_POST) to avoid warnings?
  54. Ajax search shows all results when user empties input?
  55. Why i can’t get custom fields value or post ID via Ajax?
  56. Get uploaded image and attach it to the new post
  57. Admin-ajax php not working on new wordpress version
  58. PHP Contact form
  59. Adding Additional Variables on Menus Page
  60. form $_post action value gets truncated after it passes through two forms
  61. Add a counter for mouseovers (custom field)
  62. Accessing an API with jQuery and AJAX
  63. Unexpected token ILLEGAL, even on clean install – jquery-issue?
  64. Admin Menu new tab external link
  65. What should I write in the post action of this front end post form?
  66. How to set variables with AJAX request to use in another function in WordPress
  67. Contact form – problem with displaying message about sent mail
  68. WordPress Custom Form – Getting Query Vars, Weird Glitch?
  69. Add other class content with reference class value
  70. Ajax result show in console if is called outside function and not showing in array
  71. Form from within a page
  72. I want to retrieve the email or username data entered for password reset, but failed. how can I do it?
  73. How to change PHP variables with AJAX request in WordPress
  74. How to change this ajax function to submit to the default wordpress content area instead of the custom field ‘seller notes’?
  75. wp_ajax_ 400 Bad Request
  76. form submission reverts to index.php template
  77. update_post_meta Not Processing Array Data (Not Sure What I Am Missing)
  78. How to call a function from functions.php with ajax?
  79. Adding action item to admin users table and sending email
  80. Using Custom Javascript and pHp to send email to myself when a user clicks on an input button but only works on Chrome, IE, and Micorosft Edge
  81. How to call javascript function (jquery) in a shortcode?
  82. Passed variable gets undefined variable error on insert on next page
  83. ajax form with multiple submit buttons and values
  84. Adding unique marketing messages between certain products whilst using isotope/Infinite Scroll
  85. Pass php to database in JQuery: With AJAX?
  86. Why this plugin is not working?
  87. Trying to fix multiple category drop down
  88. Adding javascript files to WordPress and jQuery version
  89. Display default WordPress login/registration form into a modal window
  90. Send foreach $_post method to contact form 7 [closed]
  91. ACF repeater image in video poster with jquery
  92. Use HTML Form Data in PHP Function – WordPress Admin Page
  93. Contact form with dynamic dropdown and filter
  94. Redirect loop upon installation of my plugin
  95. Field validation strlen works in php7.4 fails 8.1 [closed]
  96. Embed PHP script into WP – what is the best way
  97. getJSON response to PHP
  98. Preventing script injections in HTML form
  99. generate excerpt from the part of big text dump that contains keyword
  100. Can’t insert into a database wordpress