From 22e31f708dd3c7b630e664dd130a5966dc6061f2 Mon Sep 17 00:00:00 2001
From: jrfnl
Date: Sat, 26 Aug 2023 04:03:03 +0200
Subject: [PATCH] Security/Mustache: prevent false positives on block editor templates

As reported in 541#issuecomment-1692323177. This commit fixes the issue + adds a test to safeguard the fix.
---
 WordPressVIPMinimum/Sniffs/Security/MustacheSniff.php | 2 +-
 WordPressVIPMinimum/Tests/Security/MustacheUnitTest.inc | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/WordPressVIPMinimum/Sniffs/Security/MustacheSniff.php b/WordPressVIPMinimum/Sniffs/Security/MustacheSniff.php
index ac18f3c7..b026b443 100644
--- a/WordPressVIPMinimum/Sniffs/Security/MustacheSniff.php
+++ b/WordPressVIPMinimum/Sniffs/Security/MustacheSniff.php
@@ -45,7 +45,7 @@ public function register() {
 */
 public function process_token( $stackPtr ) {
- if ( strpos( $this->tokens[ $stackPtr ]['content'], '{{{' ) !== false || strpos( $this->tokens[ $stackPtr ]['content'], '}}}' ) !== false ) {
+ if ( strpos( $this->tokens[ $stackPtr ]['content'], '{{{' ) !== false && strpos( $this->tokens[ $stackPtr ]['content'], '}}}' ) !== false ) {
 // Mustache unescaped output notation.
 $message = 'Found Mustache unescaped output notation: "{{{}}}".';
 $this->phpcsFile->addWarning( $message, $stackPtr, 'OutputNotation' );
diff --git a/WordPressVIPMinimum/Tests/Security/MustacheUnitTest.inc b/WordPressVIPMinimum/Tests/Security/MustacheUnitTest.inc
index 3e53d63e..12e2cb37 100644
--- a/WordPressVIPMinimum/Tests/Security/MustacheUnitTest.inc
+++ b/WordPressVIPMinimum/Tests/Security/MustacheUnitTest.inc
@@ -17,4 +17,7 @@ echo '{{&data}}'; // NOK: data.
 return new Handlebars.SafeString(result); // NOK: SafeString.
 });
-
\ No newline at end of file
+
+
+// Issue 541#issuecomment-1692323177: don't flag GB syntax.
+
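Review bot: With `&&` on the changed `if`, a token that carries only the opening `{{{` — its closing `}}}` landing in a later token, e.g. when a template string is assembled from several literals — is no longer warned about, so the fix trades the block-editor false positive for a false negative that the commit neither documents nor covers with a test. The paired check also does not require the delimiters to be ordered, so a token with `}}}` from nested object syntax ahead of a later `{{{` is still flagged. Anchoring the closing search after the opening keeps the commit's intent and is cheap: `$content = $this->tokens[ $stackPtr ]['content']; $open = strpos( $content, '{{{' ); if ( $open !== false && strpos( $content, '}}}', $open + 3 ) !== false ) {`. Either way, a comment on the `if` saying that both delimiters must appear in the same token, and what that deliberately leaves unflagged, would stop the next reader from re-relaxing it to `||`. process_token's body continues beyond the hunk.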