Is there a way to correctly use sanitize_text_field and wp_unslash that doesn't cause psalm to error with "expects string, possibly different type"

I am writing a WordPress plugin, and need to correctly unslash and sanitise a variable in PHP. I am using psalm as my static analysis tool, and it is identifying my code as containing a potential error:

// Check your nonce.
if ( isset( $_POST['_wpnonce'] ) ) {
    if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) ) ) {
        // other code here
    }
}

Psalm shows this as an error (or warning, depending on the psalm level I set):

Argument 1 of sanitize_text_field expects string, possibly different type array<array-key, mixed>|string provided

I have tried various other ways of arranging the code above to prevent psalm from presenting this warning, but I am unable to. (Yes, I am aware that the reason the message is being displayed is because wp_unslash can return a string or an array).

For example, if I split the code up:

// Check your nonce.
if ( isset( $_POST['_wpnonce'] ) ) {
    $unslashed = wp_unslash( $_POST['_wpnonce'] );
    $sanitized = sanitize_text_field( $unslashed );
    if ( ! wp_verify_nonce( $sanitized ) ) {
        // other code here
    }
}

I then get the following psalm error:

Detected usage of a non-sanitized input variable: $_POST['_wpnonce']

Is there a way to arrange this code (without suppressing the message) that will keep psalm happy, and also keep in line with the WordPress Coding Standards (e.g. you should unslash before you sanitize)?



Solution 1:

You can use sanitize_key() to sanitize a WP nonce. The following passes WPCS:

if ( isset( $_POST['_wpnonce'] ) && wp_verify_nonce( sanitize_key( $_POST['_wpnonce'] ) ) ) {
    echo 'hi';
}
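An added example (not the question's or the answer's code) for inputs that are general text rather than a nonce, where sanitize_key() is not appropriate: it keeps the unslash-then-sanitize order and narrows the string|array return of wp_unslash() with is_string() so psalm sees a plain string before sanitize_text_field(). The function names and the action name 'save_settings' are assumptions; psalm's narrowing on is_string() is certain, whether the WPCS sniff accepts the separate assignment is not established on this page.

```php
<?php
// Added example, not taken from the question or the answer above.
// Assumes the WordPress functions wp_unslash(), sanitize_text_field() and
// wp_verify_nonce() are loaded; helper names and the action name are assumed.

/**
 * Reads $_POST['_wpnonce'] in WPCS order (unslash first, then sanitize) and
 * narrows the union type so psalm sees a string.
 *
 * @return string|null The sanitized nonce, or null if absent or not a string.
 */
function example_get_posted_nonce(): ?string {
	if ( ! isset( $_POST['_wpnonce'] ) ) {
		return null;
	}

	// wp_unslash() is declared to return string|array; this is the union
	// psalm reports when the value is passed straight to sanitize_text_field().
	$unslashed = wp_unslash( $_POST['_wpnonce'] );

	// Narrow the union. An array here means a malformed request (e.g. _wpnonce[]=x),
	// so treat it as missing rather than handing an array to the sanitizer.
	if ( ! is_string( $unslashed ) ) {
		return null;
	}

	return sanitize_text_field( $unslashed );
}

/**
 * Verifies the nonce for one specific action (assumed name 'save_settings').
 * wp_verify_nonce() returns false, 1 or 2; only a non-false value is valid.
 */
function example_request_is_authorised(): bool {
	$nonce = example_get_posted_nonce();
	if ( null === $nonce ) {
		return false;
	}

	return false !== wp_verify_nonce( $nonce, 'save_settings' );
}
```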

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: HCK