PHPCS - WordPress.Security.NonceVerification #113

Merged
rkoopmans merged 19 commits into tinify:master from wcreateweb:phpcs-nonces on Jun 9, 2026
Conversation

@tijmenbruggeman

Collaborator

Solved every violation of WordPress.Security.NonceVerification

Changes

  • Remove the phpcs exclusion rule
  • A tricky issue with the pagebuilder check. When working in a pagebuilder we didn't want to transform images to picture elements. Therefore we check for known pagebuilder parameters and skip transformation if we find one. When accessing the parameter we did not have a nonce check, nor can we have one, because the parameters are set outside our domain. Fortunately filter_has_var is enough to verify the presence of a parameter, so we can replace it. filter_has_var only reads from the initial input parameter, so our unit tests cannot set $_GET. This forced me to override the variable check in the test.
  • The ajax call for notifications did not contain a nonce. This has been added in admin.js. I also modernized the js and replaced jQuery calls with plain js.
  • Removed the base check_ajax_referer and replaced it with core check_ajax_referer. This allows phpcs to be valid and we can steer its behaviour a bit better.
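An added illustration (not the plugin's own code) of the two techniques the description relies on: detecting a pagebuilder request with filter_has_var() plus a test override, and gating an AJAX handler with core check_ajax_referer(). Every function, hook, parameter and nonce name below is hypothetical.

```php
<?php
// Added example; hypothetical names, not the plugin's implementation.

/**
 * Detect a pagebuilder request by the presence of a known query parameter.
 * Reading $_GET['...'] directly trips WordPress.Security.NonceVerification;
 * filter_has_var() does not, and no nonce is needed here because we only
 * learn that a parameter exists and never trust its value. filter_has_var()
 * reads the original request input and ignores later writes to $_GET, so a
 * unit test must inject through the filter rather than by assigning $_GET.
 */
function tiny_example_is_pagebuilder_request() {
    $params = array( 'example-builder-edit', 'example-builder-preview' ); // constructed sample list
    foreach ( $params as $param ) {
        if ( filter_has_var( INPUT_GET, $param ) ) {
            return true;
        }
        // Override point for tests: a filter may claim the parameter is present.
        if ( apply_filters( 'tiny_example_has_get_var', false, $param ) ) {
            return true;
        }
    }
    return false;
}

/**
 * AJAX handler guarded by core check_ajax_referer(). The action string must
 * match the one passed to wp_create_nonce() when the nonce was handed to the
 * JavaScript, and 'nonce' is the request field the JS sends it in. On a bad
 * or missing nonce the default die behaviour ends the request with a 403.
 */
function tiny_example_image_sizes_notice() {
    check_ajax_referer( 'tiny_example_notice', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $ids = isset( $_POST['ids'] ) ? array_map( 'intval', (array) wp_unslash( $_POST['ids'] ) ) : array();
    wp_send_json_success( array( 'ids' => $ids ) );
}
add_action( 'wp_ajax_tiny_example_image_sizes_notice', 'tiny_example_image_sizes_notice' );

// Hand the nonce to the admin script so the fetch() call can send it as 'nonce'.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'tiny-example-admin', 'tinyExample', array(
        'nonce' => wp_create_nonce( 'tiny_example_notice' ),
    ) );
} );
```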

Copilot AI left a comment

Pull request overview

This PR removes the PHPCS exclusion for WordPress.Security.NonceVerification by adding/adjusting nonce verification across AJAX/admin flows, refactors the pagebuilder-request detection to avoid direct access to mutable superglobals, and updates the admin JS notice-refresh call to include a nonce while modernizing parts of the implementation.

Changes:

  • Added/standardized nonce verification for several AJAX endpoints and added a nonce to the media bulk-action redirect URL.
  • Moved “pagebuilder request” detection from Tiny_Helpers into Tiny_Picture, using filter_has_var() (with a test override hook).
  • Updated admin.js to include a nonce on the tiny_image_sizes_notice request and replaced a jQuery .load() with fetch().

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

Summary per file:

  • test/unit/TinyPictureTest.php: Adds a Tiny_Picture test override to allow unit tests to simulate GET vars.
  • test/unit/TinyHelpersTest.php: Removes tests for pagebuilder detection after moving the logic out of Tiny_Helpers.
  • src/views/compress-details.php: Stops parsing ids in the view; now relies on a variable passed from the plugin layer.
  • src/js/admin.js: Adds nonce to the image-sizes notice request and modernizes the request logic to fetch().
  • src/class-tiny-wp-base.php: Removes the base wrapper method for AJAX referer checks.
  • src/class-tiny-settings.php: Adds nonce verification for image_sizes_notice and switches settings AJAX to core check_ajax_referer.
  • src/class-tiny-plugin.php: Uses core check_ajax_referer, adds _tiny_nonce to bulk redirect, and verifies it when consuming ids.
  • src/class-tiny-picture.php: Introduces is_pagebuilder_request() using filter_has_var() with an override point for tests.
  • src/class-tiny-notices.php: Updates dismiss handler to use core check_ajax_referer.
  • src/class-tiny-helpers.php: Removes the old is_pagebuilder_request() helper implementation.
  • phpcs.xml: Removes the exclusion that disabled WordPress.Security.NonceVerification.

@rkoopmans rkoopmans merged commit 78de4a9 into tinify:master Jun 9, 2026
9 checks passed