Review the WordPressVIPMinimum.Security.PHPFilterFunctions sniff

[jrfnl]

Review the WordPressVIPMinimum.Security.PHPFilterFunctions sniff for the following in as far as relevant to that sniff:

• Code style independent sniffing / Correct handling of quirky code
  Typical things to add tests for and verify correct handling of:
  • Nested function/closure declarations
  • Nested class declarations
  • Comments in unexpected places
  • Variables being assigned to via list statements
  • Multiline text strings
  • Text strings provided via heredoc/nowdoc
  • Use of short open tags
  • Using PHP close tag as end of statement
  • Inline control structures (without braces)
• Code simplifications which can be made using PHPCSUtils
• Sniff stability improvements which can be made using PHPCSUtils
• Correct handling of modern PHP code
  Typical things to add tests for and verify correct handling of (where applicable):
  • PHP 5.0 Try/catch/finally (PHP 5.5) and exceptions
  • PHP 5.3 Namespaced code vs code in the global namespace
  • PHP 5.3 Use import statements, incl aliasing
  • PHP 5.3 Short ternaries
  • PHP 5.3 Closures, incl closure use
  • PHP 5.4 Short arrays
  • PHP 5.5 Class name resolution using ::class
  • PHP 5.5 List in foreach
  • PHP 5.5/7.0 Generators using yield and yield from
  • PHP 5.6 Constant scalar expressions
  • PHP 5.6 Importing via use function/const
  • PHP 7.0 Null coalesce
  • PHP 7.0 Anonymous classes
  • PHP 7.0 Scalar and return type declarations
  • PHP 7.0 Group use statements
  • PHP 7.1 Short lists
  • PHP 7.1 Keyed lists
  • PHP 7.1 Multi-catch
  • PHP 7.1 Nullable types
  • PHP 7.3 List reference assignments
  • PHP 7.4 arrow functions
  • PHP 7.4 numeric literals with underscores
  • PHP 7.4 null coalesce equals
  • PHP 7.4 Typed properties
  • Various versions: trailing comma's in function calls, group use, function declarations, closure use etc

Other:

• Review violation error vs warning
• Review violation severity
• Review violation message, consider adding a link
• Check open issues related to the sniff
• Review PHPDoc comments

Sniff basics, but changes need to be lined up for next major release:

• Inappropriate use of public properties (Audit Public Sniff Properties #234)
• Modular error codes (unique error code for each distinct message)

Once PHPCS/PHPCSUtils supports this:

• PHP 8.0 Constructor property promotion
• PHP 8.0 Union types
• PHP 8.0 match expressions
• PHP 8.0 Nullsafe operator
• PHP 8.0 Named arguments
• PHP 8.0 Single token namespaced names

[jrfnl]

FYI: I've been working on a comprehensive sniff regarding the Filter extension as there are quite some gotcha's when working with it.

This new sniff addresses the issues the PHPFilterFunctions sniff looks for, as well as other things, partially based on a deep dive by me into the filter extension and partially based on other issues related to the extension which I've seen in the WPCS and YoastCS repos.

Some examples:

• Warn about the filter_input*() functions acting on the original input received from the browser, not the current value.
• Warn about certain INPUT_* constants not always being available.
• Warn when the FILTER_* constants aren't used (like when integers are used instead).
• etc

The sniff needs a release of PHPCSUtils (alpha 4) before I can pull it. I intend to pull the sniff to PHPCSExtra as it is a CMS agnostic sniff which is generically useful and usable for any PHP project.

Once the sniff has been merged, I will recommend for the sniff to be added to the WordPress-Extra ruleset.

As for VIPCS, I'd suggest replacing the current sniff with the sniff from PHPCSExtra. If needs be, the additional checks in the sniff can be silenced. Then again, you may like what you see ;-)