Should nonce be sanitized?

Sanitizing is required when you are inserting user input into Database or outputting it in HTML etc. Here, you are simply doing a String comparison.

wp_verify_nonce function checks $nonce value like this:

if ( hash_equals( $expected, $nonce ) ) {
    return 1;
}

For this you don’t need sanitizing. So the following is fine:

wp_verify_nonce( $_GET['some_nonce'], 'some_nonce' );

Related Posts:

  1. Should I sanitize an email address before passing it to the is_email() function?
  2. Escaping and sanitizing SVGs in metabox textarea
  3. What is the difference between wp_strip_all_tags and wp_filter_nohtml_kses?
  4. Reason for Lowercase usernames
  5. What is the best way to sanitize data?
  6. esc_url removes white space. Can I change that to using ‘-‘?
  7. WP Coding standards – escaping the inescapable?
  8. Sanitatizing when using the posts_where hook
  9. Escape hexadecimals/rgba values
  10. Must I serialize/sanitize/escape array data before using set_transient?
  11. Echo JavaScript Safely
  12. wp_kses ignore allowed and allow everything
  13. Sanitize array callback for the WordPress Settings API
  14. How to escape $_GET and check if isset?
  15. What’s a safe / good way to output HTML safely within WordPress templates?
  16. Do Not Understand → Rule No. 4: Making Data Safe Is About Context [closed]
  17. Sanitizing output that contains quotes?
  18. WP_Customize_Manager: How to get control ID
  19. How to use wp_filter_oembed_result?
  20. Sanitization html output itself
  21. Post text sanitization after publishing/editing – changes are not saved
  22. wp_set_object_terms() without accents
  23. Escaping data from database (users table) is necessary?
  24. Properly sanitize an input field “Name “
  25. Sanitize a custom date meta field
  26. What is the proper way to sanitize $_POST and $_GET vars?
  27. Why is sanitize_text_field() selectively trimming data?
  28. what is a good method to sanitize the whole $_POST array in php?
  29. wp_verify_nonce vs check_admin_referer
  30. Is sanitize_title enough to generate post slugs?
  31. Do I need a nonce field for every meta box I add to my custom post type admin?
  32. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  33. wordpress sanitize array?
  34. Data sanitization: Best Practices with code examples
  35. How does nonce verification work?
  36. Can I use the same nonce for multiple requests on the same page?
  37. How safe / sanitized is wp_insert_posts()?
  38. Should HTML output be passed through esc_html() AND wp_kses()?
  39. When to use esc_html and when to use sanitize_text_field?
  40. How to get a unique nonce for each Ajax request?
  41. Nonce retrieved from the REST API is invalid and different from nonce generated in wp_localize_script
  42. Are Nonces Useless?
  43. How to safely sanitize a textarea which takes full HTML input
  44. How to use nonce with front end submission form?
  45. Sanitize and data validation with apply_filters() function
  46. Custom page with variables in url. Nice url with add_rewrite_rule
  47. Sanitize content from wp_editor
  48. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  49. What’s the difference between esc_* functions?
  50. Extend WordPress (4.x) session and nonce
  51. Nonces can be reused multiple times? Bug / Security issue?
  52. is_email() VS sanitize_email()
  53. Sanitizing integer input for update_post_meta
  54. How to expire a nonce?
  55. Sanitize User Entered CSS
  56. Which KSES should be used and when?
  57. How do WordPress Nonces Work?
  58. Is sanitize_text_field() is enough to save to DB?
  59. Settings API – sanitizing urls, email addresses and text
  60. What is the difference between esc_html and wp_filter_nohtml_kses?
  61. Nonces and Cache
  62. How to escape custom css?
  63. How do I create a user using the new JSON api in 4.7?
  64. AJAX nonce with check_ajax_referer()
  65. Verify nonce in REST API?
  66. Is wp_nonce_field vulnerable if you know the action name?
  67. Escaping quotes from shortcode attributes
  68. Sanitation needed for WP_Query or get_posts calls?
  69. Escaping WP_Query tax_query when term has special character(s)
  70. Using nonce in menu item
  71. Is it safe to assume that a nonce may be validated more than once?
  72. How to allow HTML tags into WP Bakery (formerly Visual Composer) `textfield` parameter
  73. Multiple ajax nonce requests
  74. Can I create customizer setting that can handle plugin shortcode?
  75. What is nonce and how to use it with Ajax in WordPress? [duplicate]
  76. How to sanitize select box values in post meta?
  77. Do I require the use of nonce?
  78. Does WordPress sanitize arguments to WP_Query?
  79. Getting “The link you followed has expired” when adding custom post [closed]
  80. WP doesn’t show Array Custom Fields?
  81. Make shortcode work with nested double quotes
  82. Do Cookies Need to be Sanatized Before Being Saved?
  83. Nonce in settings API with tabbed navigation
  84. Using Nonces for AJAX that only retrieves data
  85. Shortcode putting html such as
  86. WordPress REST API call generates nonce twice on every call
  87. WordPress “Link has expired” error on updating posts
  88. How to properly sanitize strings without $wpdb->prepare?
  89. How to verify nonce from Bulk/Quick Edit in save_post?
  90. Default WordPress settings API data sanitization
  91. How do I sanitize a javascript text?
  92. Fatal error: Call to undefined function wp_create_nonce()
  93. How to add/retrieve the post trash link?
  94. What is the difference between strip_tags and wp_filter_nohtml_kses?
  95. Handling nonces for actions from guests to logged-in users
  96. Using nonce external of WP Admin
  97. How to add WordPress nonces to ajax request
  98. Importing JSON feed should the content be sanitized?
  99. how to sanitize checkbox input?
  100. Nonce best practices: hidden input vs. wp_localize_script?

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)