Should nonce be sanitized?

The general guideline is that we should sanitize all user input before using it.

Now my question is whether this applies to nonces or not.

Which one is correct?

wp_verify_nonce( sanitize_text_field( $_GET['some_nonce'] ), 'some_nonce' );

or

wp_verify_nonce( $_GET['some_nonce'], 'some_nonce' );

1 Answer
1

Sanitizing is required when you are inserting user input into the database or outputting it in HTML etc. Here, you are simply doing a string comparison.

The wp_verify_nonce function checks the $nonce value like this:

if ( hash_equals( $expected, $nonce ) ) {
    return 1;
}

For this you don’t need sanitizing. So the following is fine:

wp_verify_nonce( $_GET['some_nonce'], 'some_nonce' );
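As an added example (not part of the question or the answer above), a request handler that passes the raw nonce to wp_verify_nonce and sanitizes only the fields it goes on to store; the action name 'some_nonce', the form field names and the option keys are assumptions, and a WordPress runtime is assumed.

```php
<?php
// Added example, not from the original post. Assumes a WordPress runtime;
// the action name, field names and option keys are assumptions.

function example_handle_request() {
    // A missing nonce is treated exactly like an invalid one, and the
    // isset() check avoids a PHP warning on the undefined array key.
    $nonce = isset( $_GET['some_nonce'] ) ? (string) $_GET['some_nonce'] : '';

    // wp_verify_nonce() only compares the value against the expected hash
    // with hash_equals(), so the raw value is passed in unchanged. It returns
    // 1 or 2 for a valid nonce and false otherwise; anything falsy must halt.
    if ( ! wp_verify_nonce( $nonce, 'some_nonce' ) ) {
        wp_die( 'Security check failed', 403 );
    }

    // These values are stored and later echoed, so they are the ones that
    // need sanitizing; the nonce never reaches storage or output.
    $title = isset( $_GET['title'] )
        ? sanitize_text_field( wp_unslash( $_GET['title'] ) )
        : '';
    $count = isset( $_GET['count'] ) ? absint( $_GET['count'] ) : 0;

    update_option( 'example_title', $title );
    update_option( 'example_count', $count );
}
```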
