ProperEscapingFunction: only trigger on function calls
While unlikely, a class or constant could be declared which uses the same name as one of the target functions.
In that case, the sniff should not trigger an error.

This adds a safeguard to verify if something is a function call and bows out if not.

Includes unit test.
jrfnl committed Apr 14, 2021
1 parent 8f88c17 commit 786796d
Showing 2 changed files with 8 additions and 0 deletions.
Expand Up @@ -100,6 +100,12 @@ public function process_token( $stackPtr ) {
return;
}

$next_non_empty = $this->phpcsFile->findNext( Tokens::$emptyTokens, ($stackPtr + 1), null, true);
if ($next_non_empty === false || $this->tokens[$next_non_empty]['code'] !== T_OPEN_PARENTHESIS) {
// Not a function call.
return;
}

$html = $this->phpcsFile->findPrevious( $this->echo_or_concat_tokens, $stackPtr - 1, null, true );

// Use $textStringTokens b/c heredoc and nowdoc tokens will never be encountered in this context anyways..
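
Review bot: The new guard only looks at the token after `$stackPtr`, so a method call that happens to share a target function's name, such as `$obj->esc_html( $url )` or `My_Class::esc_html( $url )`, is still followed by `T_OPEN_PARENTHESIS` and will be treated as a call to the global function. The same goes for a declaration like `function esc_html( $text )`. Consider also checking the previous non-empty token and returning when it is `T_OBJECT_OPERATOR`, `T_DOUBLE_COLON`, `T_FUNCTION` or `T_NEW`. Minor style point on the same lines: `($stackPtr + 1)`, `true);` and `if ($next_non_empty ... ) {` lack the inner parenthesis spacing that the neighbouring `findPrevious( ... )` call uses.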
Expand Up @@ -80,3 +80,5 @@ echo "<div $someAttributeName-url=\"" . esc_html($url) . '">'; // Error.
echo '<a href="', esc_html($url), '">'; // Error.

echo '<a href=', esc_html($url), '>'; // Error.

echo 'data-param-url="' . Esc_HTML::static_method( $share_url ) . '"'; // OK.
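
Review bot: The single added case, `Esc_HTML::static_method( $share_url )`, covers only a class name used in a static call, while the commit message also names constants as a source of false positives. Add a case where the name appears as a constant with no parenthesis after it, for example `echo 'data-param-url="' . ESC_HTML . '"'; // OK.`, so both branches of the new check (`false` and "not `T_OPEN_PARENTHESIS`") have a regression test. A case where the method itself carries a target name, such as `Foo::esc_html( $url )`, would also document what the sniff is expected to do there.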
