From 99fb8bb8e2d6640c8a5e9b6c456e8db8c904befd Mon Sep 17 00:00:00 2001
From: david-binda
Date: Fri, 19 Jan 2018 14:29:53 +0100
Subject: [PATCH] Flag attempt to escape function which prints it's output

Fixes #120
---
 .../VIP/EscapingVoidReturnFunctionsSniff.php | 69 +++++++++++++++++++
 .../EscapingVoidReturnFunctionsUnitTest.inc | 4 ++
 .../EscapingVoidReturnFunctionsUnitTest.php | 39 +++++++++++
 3 files changed, 112 insertions(+)
 create mode 100644 WordPressVIPMinimum/Sniffs/VIP/EscapingVoidReturnFunctionsSniff.php
 create mode 100644 WordPressVIPMinimum/Tests/VIP/EscapingVoidReturnFunctionsUnitTest.inc
 create mode 100644 WordPressVIPMinimum/Tests/VIP/EscapingVoidReturnFunctionsUnitTest.php

diff --git a/WordPressVIPMinimum/Sniffs/VIP/EscapingVoidReturnFunctionsSniff.php b/WordPressVIPMinimum/Sniffs/VIP/EscapingVoidReturnFunctionsSniff.php
new file mode 100644
index 00000000..9912049e
--- /dev/null
+++ b/WordPressVIPMinimum/Sniffs/VIP/EscapingVoidReturnFunctionsSniff.php
@@ -0,0 +1,69 @@
+getTokens();
+
+ if ( 0 !== strpos( $tokens[ $stackPtr ]['content'], 'esc_' ) && 0 !== strpos( $tokens[ $stackPtr ]['content'], 'wp_kses' ) ) {
+ // Not what we are looking for.
+ return;
+ }
+
+ $next_token = $phpcsFile->findNext( Tokens::$emptyTokens, ( $stackPtr + 1 ), null, true );
+
+ if ( T_OPEN_PARENTHESIS !== $tokens[ $next_token ]['code'] ) {
+ // Not a function call.
+ return;
+ }
+
+ $next_token = $phpcsFile->findNext( Tokens::$emptyTokens, ( $next_token + 1 ), null, true );
+
+ if ( T_STRING !== $tokens[ $next_token ]['code'] ) {
+ // Not what we are looking for.
+ return;
+ }
+
+ if ( 0 === strpos( $tokens[ $next_token ]['content'], '_e' ) ) {
+ $phpcsFile->addError( sprintf( 'Attempting to escape %s() which is printing it\'s output.', $tokens[ $next_token ]['content'] ), $stackPtr, 'escapingVoidReturningFunction' );
+ return;
+ }
+ }
+
+}
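Review bot: `$phpcsFile->findNext()` returns `false` when no further non-empty token exists (an `esc_*` name as the last token of a file), and both `$tokens[ $next_token ]['code']` reads then fall back to token 0 because `false` casts to array key 0, instead of bailing out; add `if ( false === $next_token ) { return; }` after each `findNext()` call. The detection also inspects only the first non-empty token after the opening parenthesis, so `esc_html( esc_html_e( 'x' ) )` or an `_e()` call nested deeper in the argument expression is not flagged — worth stating in the sniff's docblock (the class header and `register()` precede the visible part of this hunk) so nobody assumes the sniff covers every void-returning output function. The error text could also explain why this matters rather than just naming the symptom, e.g. `'Attempting to escape %s(), which prints its output itself: the text is echoed unescaped and the escaping function receives null.'`, which would fix the "it's" typo as well. The `process()` signature and the opening of its body, including the `$tokens` assignment, are outside the visible text of this hunk.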
diff --git a/WordPressVIPMinimum/Tests/VIP/EscapingVoidReturnFunctionsUnitTest.inc b/WordPressVIPMinimum/Tests/VIP/EscapingVoidReturnFunctionsUnitTest.inc new file mode 100644 index 00000000..9a9de966 --- /dev/null +++ b/WordPressVIPMinimum/Tests/VIP/EscapingVoidReturnFunctionsUnitTest.inc @@ -0,0 +1,4 @@ + => + */ + public function getErrorList() { + return array( + 3 => 1, + ); + } + + /** + * Returns the lines where warnings should occur. + * + * @return array => + */ + public function getWarningList() { + return array(); + } + +} // End class.