PHPCS - WordPress.Security.NonceVerification by tijmenbruggeman · Pull Request #113 · tinify/wordpress-plugin

tijmenbruggeman · 2026-06-04T14:24:50Z

Solved every violation of WordPress.Security.NonceVerification

Changes

Remove the phpcs exclusion rule
A tricky issue with the pagebuilder check. When working in a pagebuilder we didn't want to transform images to picture elements. Therefor we check for known pagebuilder parameters and skip transformation if we found one. When accessing the parameter we did not have a nonce check nor can have one because the parameters are set outside our domain. Fortunately filter_has_var is enough to verify the presence of a parameter so we can replace it. filter_has_var only reads from the initial input parameter so our unit tests cannot set $_GET. This forced me to override the variable check in the test.
The ajax call for notifications did not contain a nonce. This has been added in admin.js. I also modernized the js and replaced jquery calls with plain js.
removed the base check_ajax_referer and replaced it with core check_ajax_referer. This allows phpcs to be valid and we can steer its behaviour a bit better.

tijmenbruggeman added 16 commits June 4, 2026 13:41

turn off NonceVerification

b9e2647

verify nonce when ids are in params

36cf591

remove variable instance for parameter

d165b4c

use core check_ajax_referer instead of inherited

ba5aec7

use filter_has_var to not access superglobal $_GET.

71866ff

ignore nonce verification due to limitation of phpcs

5680a87

add nonce check and modernize js

747762b

add core nonce check

58c2fd6

use core nonce check

9dd369a

remove unused ajax_referer on base

f8d2580

early return when possible

ffb8909

return early on image_sizes_notice

948381e

handle error

a67dfa7

camelcase

3ad482a

move pagebuilder check to picture and allow test to override behaviour

7e81fbc

format

fd02a6d

Provide feedback