• Resolved Matt Bernhardt

    (@morphosis7)


    I am trying to sort out the best way to write a custom validation function that doesn’t run afoul of various WordPress coding standards.

    I am trying to write a small plugin that extends CF7 with some custom form fields that our organization uses frequently, one of which needs a validation function to be able to set the field to be required.

    The simple validation function that I wrote using the documentation is here:
    https://github.com/MITLibraries/mitlib-cf7-elements/blob/master/mitlib-cf7-elements.php#L53-L63

    This function works fine, but it is being flagged by coding standards for not checking a nonce. I found the portion of the documentation to enable nonces for these forms via wp-config.php, and I’ve been able to alter the validation function to check for the nonce existing, but when I try to run wp_verify_nonce() things seem to go sideways.

    Am I off base in trying to implement nonces within a custom validation script? When I look at the documentation for wp_verify_nonce(), I see an optional $action parameter, which I can pass in to match one used during nonce creation. Is there such a string used by CF7?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Takayuki Miyoshi

    (@takayukister)

    You don’t need to implement nonce verification in your custom validation filter since Contact Form 7 does it in its core process.

    See also: https://contactform7.com/2017/08/18/contact-form-7-49/

    Thread Starter Matt Bernhardt

    (@morphosis7)

    So should I ignore the code validation errors on a validation function like this?

    
    function validate_dlc_filter( $result, $tag ) {
    	// Check if the field is marked as required.
    	if ( 'select_dlc*' == $tag->type ) {
    		// Has the DLC name been set?
    		if ( empty( $_POST['department'] ) || '' == sanitize_text_field( wp_unslash( $_POST['department'] ) ) ) {
    			$result->invalidate( $tag, 'Please specify your department, lab, or center.' );
    		}
    	}
    	return $result;
    }
    add_filter( 'wpcf7_validate_select_dlc*', 'validate_dlc_filter', 20, 2 );
    

    When I run this through PHPCS using the WordPress coding standards, I get flagged for “Processing form data without nonce verification.” – the actual standard mentioned is WordPress.CSRF.NonceVerification.NoNonceVerification

    Plugin Author Takayuki Miyoshi

    (@takayukister)

    I’m not sure. I don’t see any issue in your code so I think you can ignore the error.
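To make the reasoning in this reply survive future code reviews, the posted filter can be rewritten so that the one line PHPCS flags carries an inline annotation documenting that Contact Form 7 core has already verified the nonce before any wpcf7_validate_* filter runs, and so that the field value is read under the tag's own name instead of a hard-coded key. This is an added example, not the plugin author's code or the code from the linked repository; the function name mitlib_validate_select_dlc is an assumption, and the sniff name in the annotation is the one quoted in this thread (current WordPress Coding Standards releases call the same sniff WordPress.Security.NonceVerification).

```php
<?php
/**
 * Validation filter for the custom [select_dlc] / [select_dlc*] form tag.
 *
 * Contact Form 7 core verifies the submission nonce before it applies any
 * wpcf7_validate_* filter, so this function does not repeat that check.
 * The phpcs:ignore annotation records that reasoning on the exact line
 * PHPCS would otherwise report, instead of a project-wide whitelist.
 *
 * @param WPCF7_Validation $result Validation result object passed by CF7.
 * @param WPCF7_FormTag    $tag    The form tag currently being validated.
 * @return WPCF7_Validation
 */
function mitlib_validate_select_dlc( $result, $tag ) {
	// Only a tag written as [select_dlc*] is required; is_required() checks the trailing '*'.
	if ( ! $tag->is_required() ) {
		return $result;
	}

	// Read the submitted value under the tag's own name rather than a hard-coded $_POST key.
	$name = $tag->name;

	// phpcs:ignore WordPress.CSRF.NonceVerification.NoNonceVerification -- CF7 core verifies the nonce before validation filters run.
	$value = isset( $_POST[ $name ] ) ? sanitize_text_field( wp_unslash( $_POST[ $name ] ) ) : '';

	if ( '' === $value ) {
		// Use CF7's configurable "required field" message instead of a hard-coded string.
		$result->invalidate( $tag, wpcf7_get_message( 'invalid_required' ) );
	}

	return $result;
}

// Register the same callback for the optional and the required variants of the tag.
add_filter( 'wpcf7_validate_select_dlc', 'mitlib_validate_select_dlc', 20, 2 );
add_filter( 'wpcf7_validate_select_dlc*', 'mitlib_validate_select_dlc', 20, 2 );
```

Because the annotation is scoped to a single line, PHPCS still reports any other unverified $_POST access elsewhere in the plugin, which is the behaviour a reviewer wants from the sniff.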

    Thread Starter Matt Bernhardt

    (@morphosis7)

    Fair enough – after code review with another developer here, we’ve chosen to remove the nonce check entirely anyway, and just add the failing test to our whitelist.

    Thanks for your quick responses! I’m marking this as closed now.

  • The topic ‘Dealing with nonces inside a custom validation function’ is closed to new replies.