Should nonce be sanitized?

Sanitizing is required when you are inserting user input into Database or outputting it in HTML etc. Here, you are simply doing a String comparison.

wp_verify_nonce function checks $nonce value like this:

if ( hash_equals( $expected, $nonce ) ) {
    return 1;
}

For this you don’t need sanitizing. So the following is fine:

wp_verify_nonce( $_GET['some_nonce'], 'some_nonce' );

Related Posts:

  1. Should I sanitize an email address before passing it to the is_email() function?
  2. Escaping and sanitizing SVGs in metabox textarea
  3. What is the difference between wp_strip_all_tags and wp_filter_nohtml_kses?
  4. Reason for Lowercase usernames
  5. What is the best way to sanitize data?
  6. esc_url removes white space. Can I change that to using ‘-‘?
  7. WP Coding standards – escaping the inescapable?
  8. Sanitatizing when using the posts_where hook
  9. Escape hexadecimals/rgba values
  10. Must I serialize/sanitize/escape array data before using set_transient?
  11. Echo JavaScript Safely
  12. wp_kses ignore allowed and allow everything
  13. Sanitize array callback for the WordPress Settings API
  14. How to escape $_GET and check if isset?
  15. What’s a safe / good way to output HTML safely within WordPress templates?
  16. Do Not Understand → Rule No. 4: Making Data Safe Is About Context [closed]
  17. Sanitizing output that contains quotes?
  18. WP_Customize_Manager: How to get control ID
  19. How to use wp_filter_oembed_result?
  20. Sanitization html output itself
  21. Post text sanitization after publishing/editing – changes are not saved
  22. wp_set_object_terms() without accents
  23. Escaping data from database (users table) is necessary?
  24. Properly sanitize an input field “Name “
  25. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  26. wordpress sanitize array?
  27. Should HTML output be passed through esc_html() AND wp_kses()?
  28. Are Nonces Useless?
  29. How to use nonce with front end submission form?
  30. Sanitize content from wp_editor
  31. Extend WordPress (4.x) session and nonce
  32. How to expire a nonce?
  33. Sanitize User Entered CSS
  34. Which KSES should be used and when?
  35. How do WordPress Nonces Work?
  36. Verify nonce in REST API?
  37. Do I require the use of nonce?
  38. Shortcode putting html such as
  39. How to add/retrieve the post trash link?
  40. how to sanitize checkbox input?
  41. Security – Ajax and Nonce use [closed]
  42. “The link you followed has expired” when previewing a post
  43. Undefined index: at_nonce in custom post metabox
  44. wp_verify_nonce keeps failing
  45. “Notice: Undefined index:” error when adding new content?
  46. Sanitizing `wp_editor();` Values for Database, Edit, and Display
  47. When is it useful to use wp_verify_nonce
  48. WordPress password reset – why post rp_key?
  49. How to save multiple metaboxes?
  50. Sanitizing search data for use with WP_Query
  51. Nonce failing in IE
  52. Nonce actions and names available via open source
  53. Nonces, AJAX, script variables & security in WordPress
  54. Multiple register settings, with same option name – issue
  55. How to get the wpnonce value?
  56. Filter string like a slug
  57. Sanitize textarea instead of input
  58. When must I use and verify nonce?
  59. Sanitizing, Validating and Escaping in WordPress (Plugin)
  60. How do I check if AJAX nonces are implemented correctly?
  61. Cannot get ‘sanitize_callback’ to work for rest parameters
  62. Change filename during upload
  63. wpdb get_results() and prepare when to use prepare?
  64. WP nonce invalid
  65. Preserve old values on error in setting API
  66. WP_Editor – Saving Value into Plugin Option – Stripping HTML
  67. Data sanitization for user registration and user login
  68. Draft preview and customize permission problems on multisite main site
  69. Why ajax doesn’t work on certain wordpress hooks and reload the page instead?
  70. Handling expired nonces
  71. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  72. Is it safe to use a global wp nonce per user instead of a nonce per action?
  73. Does meta-data need to be sanitized?
  74. Backbone with custom rest endpoints
  75. Function sanitize_title() does not appear to be working
  76. Using nonce when loading posts with AJAX
  77. Several nonces?
  78. How to handle complex data with Settings API
  79. Toggle Shortcode Sanitize Title
  80. Saving custom data via ajax with nonces
  81. Sanitizing URL in a WordPress plugin
  82. Log in user using WordPress REST API
  83. WP_List_Table Inside Metabox With Bulk Actions Not Working on Submit
  84. how to sanitize customizer checkbox control
  85. How do I mitigate replay attacks when talking about actions that shouldn’t happen twice?
  86. do I need to sanitize a shortcode’s function input?
  87. How can I verify WordPress nonce from the following code?
  88. AJAX form not working, still reloads on submit
  89. Form Sanitization and Validation
  90. Data not displaying in text field
  91. Proper Way to Sanitize Meta Input
  92. Sanitize html, where to sanitize
  93. Save selectlist value (taxonomy) in wp:wp_set_object_terms
  94. Create nonce in frontend page to edit profile
  95. when saveing $meta_box i get Undefined index error
  96. Notice: Undefined index: in options-framework.php
  97. How to use esc_attr__() function properly to translate a variable that contains string?
  98. Weird nonce validation problem
  99. Saving metabox updates causing fatal error
  100. Extend file format support for post thumbnails

Leave a Comment