
Commit d0e0fd3

Merge pull request #2378 from anomiex/add/escapeoutput-error-codes-for-error-generation
Security/EscapeOutputSniff: More modular error codes
2 parents 81f40bc + f5590ce commit d0e0fd3


1 file changed

+13
-11
lines changed


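--- a/WordPress/Sniffs/Security/EscapeOutputSniff.php
+++ b/WordPress/Sniffs/Security/EscapeOutputSniff.php
@@ -263,7 +263,7 @@ public function process_token( $stackPtr ) {
 
 // Examine each parameter individually.
 foreach ( $params as $param ) {
-$this->check_code_is_escaped( $param['start'], ( $param['end'] + 1 ) );
+$this->check_code_is_escaped( $param['start'], ( $param['end'] + 1 ), 'ExceptionNotEscaped' );
 }
 
 return $end;
@@ -446,12 +446,13 @@ public function process_matched_token( $stackPtr, $group_name, $matched_content
 *
 * @since 3.0.0 Split off from the process_token() method.
 *
-* @param int $start The position to start checking from.
-* @param int $end The position to stop the check at.
+* @param int $start The position to start checking from.
+* @param int $end The position to stop the check at.
+* @param string $code Code to use for the PHPCS error.
 *
 * @return int Integer stack pointer to skip forward.
 */
-protected function check_code_is_escaped( $start, $end ) {
+protected function check_code_is_escaped( $start, $end, $code = 'OutputNotEscaped' ) {
 /*
 * Check for a ternary operator.
 * We only need to do this here if this statement is lacking parenthesis.
@@ -532,7 +533,7 @@ protected function check_code_is_escaped( $start, $end ) {
 
 // Handle PHP 8.0+ match expressions.
 if ( \T_MATCH === $this->tokens[ $i ]['code'] ) {
-$match_valid = $this->walk_match_expression( $i );
+$match_valid = $this->walk_match_expression( $i, $code );
 if ( false === $match_valid ) {
 // Live coding or parse error. Shouldn't be possible as PHP[CS] will tokenize the keyword as `T_STRING` in that case.
 break; // @codeCoverageIgnore
@@ -553,7 +554,7 @@ protected function check_code_is_escaped( $start, $end ) {
 $array_items = PassedParameters::getParameters( $this->phpcsFile, $i, 0, true );
 if ( ! empty( $array_items ) ) {
 foreach ( $array_items as $array_item ) {
-$this->check_code_is_escaped( $array_item['start'], ( $array_item['end'] + 1 ) );
+$this->check_code_is_escaped( $array_item['start'], ( $array_item['end'] + 1 ), $code );
 }
 }
 
@@ -699,7 +700,7 @@ protected function check_code_is_escaped( $start, $end ) {
 $formatting_params = PassedParameters::getParameters( $this->phpcsFile, $i );
 if ( ! empty( $formatting_params ) ) {
 foreach ( $formatting_params as $format_param ) {
-$this->check_code_is_escaped( $format_param['start'], ( $format_param['end'] + 1 ) );
+$this->check_code_is_escaped( $format_param['start'], ( $format_param['end'] + 1 ), $code );
 }
 }
 
@@ -754,7 +755,7 @@ protected function check_code_is_escaped( $start, $end ) {
 $this->phpcsFile->addError(
 "All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '%s'.",
 $ptr,
-'OutputNotEscaped',
+$code,
 array( $content )
 );
 }
@@ -825,11 +826,12 @@ private function find_long_ternary( $start, $end ) {
 *
 * @since 3.0.0
 *
-* @param int $stackPtr Pointer to a T_MATCH token.
+* @param int $stackPtr Pointer to a T_MATCH token.
+* @param string $code Code to use for the PHPCS error.
 *
 * @return int|false Stack pointer to skip to or FALSE if the match expression contained a parse error.
 */
-private function walk_match_expression( $stackPtr ) {
+private function walk_match_expression( $stackPtr, $code ) {
 if ( ! isset( $this->tokens[ $stackPtr ]['scope_opener'], $this->tokens[ $stackPtr ]['scope_closer'] ) ) {
 // Parse error/live coding. Shouldn't be possible as PHP[CS] will tokenize the keyword as `T_STRING` in that case.
 return false; // @codeCoverageIgnore
@@ -889,7 +891,7 @@ private function walk_match_expression( $stackPtr ) {
 }
 
 // Now check that the value returned by this match "leaf" is correctly escaped.
-$this->check_code_is_escaped( $item_start, $item_end );
+$this->check_code_is_escaped( $item_start, $item_end, $code );
 
 // Independently of whether or not the check was succesfull or ran into (parse error) problems,
 // always skip to the identified end of the item.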
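Review bot: The new `$code` parameter added to `check_code_is_escaped()` in the hunk at line 446 is documented without a `@since` entry, even though the same docblock records the 3.0.0 split, so the parameter's introduction and its `'OutputNotEscaped'` default are not traceable; add a line such as `@since x.y.z Added the $code parameter. Defaults to 'OutputNotEscaped'.` with the release version filled in (and the same for `walk_match_expression()` at line 826). Because the parameters of the construct handled in `process_token()` at line 266 now report as `ExceptionNotEscaped` instead of `OutputNotEscaped`, any existing `phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped` annotation on those statements, or a ruleset `<exclude>` of that code, presumably stops matching and the finding resurfaces, which is desirable for coverage but should be called out in the changelog so users re-target suppressions deliberately rather than excluding the new code wholesale. The message passed to `addError()` at line 756 is shared by every code and still opens with "All output", which reads oddly for an unescaped exception message; a code-specific message, or at least a mention of the exception case, would make the finding clearer. Both `process_token()` and `check_code_is_escaped()` continue outside the hunks shown.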
