Merge pull request #116 from Automattic/any-url-param-should-be-escap…

…ed-using-esc-url Adding open attribute ending with `url` to the ProperEscapingFunction sniff
Automattic · Nov 30, 2017 · 153bd66 · 153bd66
2 parents 8ec9fd5 + a050233
commit 153bd66
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/WordPressVIPMinimum/Sniffs/VIP/ProperEscapingFunctionSniff.php b/WordPressVIPMinimum/Sniffs/VIP/ProperEscapingFunctionSniff.php
@@ -103,7 +103,7 @@ public function process( File $phpcsFile, $stackPtr ) {
 	 */
 	public function is_href_or_src( $content ) {
 		$is_href_or_src = false;
-		foreach ( array( 'href', 'src' ) as $attr ) {
+		foreach ( array( 'href', 'src', 'url' ) as $attr ) {
 			foreach ( array(
 				'="',
 				"='",

diff --git a/WordPressVIPMinimum/Tests/VIP/ProperEscapingFunctionUnitTest.inc b/WordPressVIPMinimum/Tests/VIP/ProperEscapingFunctionUnitTest.inc
@@ -25,3 +25,13 @@ echo "<a title='" . esc_html( $some_var ) . "'></a>"; // NOK.
 <a href="<?php esc_url( $url );?>"></a> <!-- OK. -->
 
 <a title="<?php esc_attr( $url );?>"></a> <!-- OK. -->
+
+<?php
+
+echo '<media:content url="' . esc_url( $post_image ) . '" medium="image">'; // OK.
+
+echo '<media:content url="' . esc_attr( $post_image ) . '" medium="image">'; // NOK.
+
+echo 'data-param-url="' . esc_url( $share_url ) . '"'; // OK.
+
+echo 'data-param-url="' . esc_html( $share_url ) . '"'; // NOK.
diff --git a/WordPressVIPMinimum/Tests/VIP/ProperEscapingFunctionUnitTest.php b/WordPressVIPMinimum/Tests/VIP/ProperEscapingFunctionUnitTest.php
@@ -29,6 +29,8 @@ public function getErrorList() {
 			17 => 1,
 			21 => 1,
 			23 => 1,
+			33 => 1,
+			37 => 1,
 		);
 	}
-Original file line number
+Diff line change
@@ Expand Up / @@ -29,6 +29,8 @@ public function getErrorList() { @@
 => 1,
 => 1,
 => 1,
+=> 1,
+=> 1,
     		);
     	}
@@ Expand Down @@