WordPress.Security.ValidatedSanitizedInput.MissingUnslash and WordPress.Security.ValidatedSanitizedInput.InputNotSanitized on unused SuperGlobals #2526
WordPress.Security.ValidatedSanitizedInput.MissingUnslash and WordPress.Security.ValidatedSanitizedInput.InputNotSanitized are triggered on this type of code:
```php
if ( isset( $_POST[ 'thing' ] ) // here the flag is not triggered
	&& $_POST[ 'thing' ] // here the flags are triggered
) {
	// ...
}
```
Note that `$_POST['thing']` is never actually used, only checked. No matter what is passed in the superglobal, sanitizing or unslashing it won't change the result of this check, or in other words, allow an attack or other issue.
Minimal Code Snippet
```php
if ( isset( $_POST[ 'thing' ] ) // here the flag is not triggered
	&& $_POST[ 'thing' ] // here the flag is triggered
) {
	// do whatever else NOT using $_POST
}
```
The slashes do not affect the boolean value. "a \"quoted\" value" is still true.
We’re just checking presence and truthiness. We are never actually using the value.
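As an added example (not code from the issue or from WPCS), the script below checks the claim empirically: it runs PHP's falsy-string edge cases through `addslashes()`/`stripslashes()`, which is what WordPress's magic-quotes emulation and `wp_unslash()` wrap, and shows that truthiness is identical with and without slashes. The `thing_for_output()` function is a hypothetical contrast case where the value actually is used, so unslashing and sanitizing do matter; its sanitizer is a stand-in, not a WordPress `sanitize_*` function.

```php
<?php
// Added example; not part of the issue or of WPCS.

/**
 * Mirrors the issue's pattern: presence + truthiness only, the value itself
 * never flows anywhere. Unslashing or sanitizing cannot change the outcome.
 */
function thing_is_set( array $post ): bool {
	return isset( $post['thing'] ) && $post['thing'];
}

/**
 * Contrast: here the value IS used, so the sniff's demand is legitimate.
 * Unslash first (stripslashes() is what wp_unslash() calls), then sanitize.
 * The sanitizer below is a stand-in, not a WordPress sanitize_* function.
 */
function thing_for_output( array $post ): string {
	if ( ! isset( $post['thing'] ) ) {
		return '';
	}
	$raw = stripslashes( $post['thing'] );
	return htmlspecialchars( strip_tags( $raw ), ENT_QUOTES, 'UTF-8' );
}

// Constructed raw request values. Only '' and '0' are falsy strings in PHP;
// '0.0', ' ' and a lone backslash are all truthy.
$samples = array( '', '0', '0.0', ' ', 'a "quoted" value', '\\', "O'Reilly", '<b>x</b>' );

foreach ( $samples as $raw ) {
	$slashed = array( 'thing' => addslashes( $raw ) ); // what $_POST holds under WP
	$plain   = array( 'thing' => $raw );              // the value as the client sent it

	// Truthiness never differs between the slashed and unslashed form.
	assert( thing_is_set( $slashed ) === thing_is_set( $plain ) );

	printf(
		"%-20s truthy=%-3s output=%s\n",
		var_export( $raw, true ),
		thing_is_set( $slashed ) ? 'yes' : 'no',
		thing_for_output( $slashed )
	);
}
```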