Should nonce be sanitized?

Sanitizing is required when you are inserting user input into Database or outputting it in HTML etc. Here, you are simply doing a String comparison.

wp_verify_nonce function checks $nonce value like this:

if ( hash_equals( $expected, $nonce ) ) {
    return 1;
}

For this you don’t need sanitizing. So the following is fine:

wp_verify_nonce( $_GET['some_nonce'], 'some_nonce' );

Related Posts:

  1. Should I sanitize an email address before passing it to the is_email() function?
  2. Escaping and sanitizing SVGs in metabox textarea
  3. What is the difference between wp_strip_all_tags and wp_filter_nohtml_kses?
  4. Reason for Lowercase usernames
  5. What is the best way to sanitize data?
  6. esc_url removes white space. Can I change that to using ‘-‘?
  7. WP Coding standards – escaping the inescapable?
  8. Sanitatizing when using the posts_where hook
  9. Escape hexadecimals/rgba values
  10. Must I serialize/sanitize/escape array data before using set_transient?
  11. Echo JavaScript Safely
  12. wp_kses ignore allowed and allow everything
  13. Sanitize array callback for the WordPress Settings API
  14. How to escape $_GET and check if isset?
  15. What’s a safe / good way to output HTML safely within WordPress templates?
  16. Do Not Understand → Rule No. 4: Making Data Safe Is About Context [closed]
  17. Sanitizing output that contains quotes?
  18. WP_Customize_Manager: How to get control ID
  19. How to use wp_filter_oembed_result?
  20. Sanitization html output itself
  21. Post text sanitization after publishing/editing – changes are not saved
  22. wp_set_object_terms() without accents
  23. Escaping data from database (users table) is necessary?
  24. Properly sanitize an input field “Name “
  25. What is the proper way to sanitize $_POST and $_GET vars?
  26. Why is sanitize_text_field() selectively trimming data?
  27. Custom page with variables in url. Nice url with add_rewrite_rule
  28. Escaping WP_Query tax_query when term has special character(s)
  29. Is it safe to assume that a nonce may be validated more than once?
  30. Can I create customizer setting that can handle plugin shortcode?
  31. Nonce in settings API with tabbed navigation
  32. Using Nonces for AJAX that only retrieves data
  33. How to verify nonce from Bulk/Quick Edit in save_post?
  34. Default WordPress settings API data sanitization
  35. Should I sanitize custom post meta if it is going to be escaped later?
  36. Reduce nonce lifespan
  37. How to display data from custom table in wordpress database?
  38. Remove tinyMCE from admin and replace with textarea
  39. Ajax function returns -1
  40. wp_verify_nonce always returns false when logged in as admin
  41. how to get nonce using json api
  42. Confusion on WP Nonce usage in my Plugin
  43. array_map() for sanitizing $_POST
  44. increase nonce lifespan
  45. Correct processing of `$_POST`, following WordPress Coding Standards
  46. why is esc_html() returning nothing given a string containing a high-bit character?
  47. AJAX requests broken due to HTTPS for wp-admin
  48. Full page NGINX (or Cloudflare) caching and WordPress nonces
  49. Why save_post_$(custom_post_type) is fired even if I am not already saving a post?
  50. Why am I getting a 403 from check_admin_referer()?
  51. Security checking in meta_box save is reluctant?
  52. How to check an ajax nonce in PHP
  53. Settings API – sanitize_callback is not called and it leads to an incorrect behavior
  54. Best Practice for Validating and Sanitizing Data
  55. Storing HTML in wp_options
  56. Help with forms and nonces
  57. how to send Ajax request in wordpress backend
  58. WP Admin AJAX Security – using POST to include a relative URL
  59. Modify automatically generation of slug when term is created
  60. Can i use the same sanitize function on multiple theme mod textboxes?
  61. wp_create_nonce() in REST API makes user->ID zero
  62. ajax nonce verification failing
  63. Found 2 elements with non-unique id (#_ajax_nonce) and (#_wpnonce)
  64. Customizer: Category Select Sanitize
  65. Prevent invalid or empty values from being saved to the database and retain the form field values upon error
  66. Change wp_sanitize function?
  67. Can you have more than one nonce on a page?
  68. Form Security: nonce vs. jQuery
  69. wp_nonce_field is breaking form for reasons unknown
  70. Nonce doesn’t validate in nopriv call
  71. Trouble creating custom sanitization function for user list dropdown
  72. Should I use wp_nonce_field on my contact form?
  73. How to allow certain PHP functions when using sanitize_callback in the word press customizer
  74. Why does check_ajax_referer give a 403 error on https websites?
  75. WordPress is creating nonce as a logged in user but verifying it incorrectly
  76. Display the line breaks in user bio without using html
  77. Change user nicename without sanitize
  78. Where to use nonce
  79. How can I apply custom sanitization to new usernames?
  80. How do I sanitize the str_replace function in javascript variables
  81. Sanitizing textarea for wp_insert_post with TinyMCE enabled or disabled
  82. Nonce for Trashing Item
  83. Safely store code(html/js..) into database
  84. How to verify which WordPress user requested the API in ASP .NET Core?
  85. Reliable way to add nonce to HTTP Header in WordPress?
  86. wp_nonce vs jwt
  87. Using a nonce Content Security Policy header for style-src for inline style elements returns errors
  88. wp_verfy_nonce keeps giving false
  89. Where is the HTML-handler part in the wpdb class?
  90. Override plugin function to show invoices even if not logged in
  91. Can we validate data from jquery
  92. 403 Forbidden on site logo image upload
  93. Nonce and widget
  94. Is it necessary to use a WordPress nonce when allowing users to download public data?
  95. Custom-Metaboxes-and-Fields text_url field prepending http://
  96. Data validation for inline javascript
  97. Wp doesn’t save meta box data
  98. esc_url, esc_url_raw or sanitize_url?
  99. Nonce code vulnerability
  100. sanitize meta input

Leave a Comment