Add to settings custom nonce function

[jcvignoli]

Hi there,

In my WP plugin, I just added a custom function that checks the nonce:

	/**
	 * Validate nonce
	 *
	 * @param string $nonce_action Action for nonce
	 * @param string $nonce_field Field name in $_POST or $_GET
	 * @return bool True if nonce is valid
	 */
	protected function is_valid_nonce( string $nonce_action, string $nonce_field ): bool {
		return isset( $_POST[ $nonce_field ] ) && is_string( $_POST[ $nonce_field ] ) && wp_verify_nonce( sanitize_key( $_POST[ $nonce_field ] ), $nonce_action ) > 0;
	}
}

With PHPCS, i just declared a property customNonceVerificationFunctions, and it is correctly handled.

But with plugin-check-action, I don't know how tho handle this custom function, since in functions using is_valid_nonce(), it triggers WordPress.Security.NonceVerification.Missing warning.

I can obviously avoid the warnings using ignore-codes, but it doesn't seem to me a sustainable solution.

[swissspidy]

Great question.

We could probably add a filter to allow setting things like customNonceVerificationFunctions, customSanitizingFunctions and customUnslashingSanitizingFunctions. But that would require some code in another plugin to set these. And obviously you wouldn't be able to set them during the plugin submission in the plugin directory.

[jcvignoli]

Since PHPCS allows to define "noncer" functions, would be a necessary improvement in my view ;)

[swissspidy]

I just opened WordPress/plugin-check#901 to track this enhancement to the plugin itself.

So changing this action to add support for that is blocked by it.