From 7b920b48ff9d49342b18ec1b989dbba5dec73ec8 Mon Sep 17 00:00:00 2001
From: jrfnl
Date: Tue, 14 Aug 2018 18:56:05 +0200
Subject: [PATCH] NonceVerification: use separate errorcodes for warning vs error
While cleaning up a plugin, I noticed that the issue count for the `WordPress.Security.NonceVerification.NoNonceVerification` error code was different if I ran phpcs with the `-n` flag (no warnings). Error codes should be unique. Having the same error code for something which is mandatory (`error`) and recommended (`warning`) is bad practice and does not properly allow for modular disabling of notices. This PR fixes this. As the error code is changing anyhow, I figured it made sense to also remove the duplication of the sniff name from the code. This is a breaking change as ``s for the old errorcode currently in custom rulesets will be invalidated by it, so this PR should go into WPCS 2.0.0. N.B.: The ruleset change is necessary until the deprecated sniffs have been removed.
---
 WordPress/Sniffs/Security/NonceVerificationSniff.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/WordPress/Sniffs/Security/NonceVerificationSniff.php b/WordPress/Sniffs/Security/NonceVerificationSniff.php
index 4909a01f99..d3d6a9d40f 100644
--- a/WordPress/Sniffs/Security/NonceVerificationSniff.php
+++ b/WordPress/Sniffs/Security/NonceVerificationSniff.php
@@ -155,12 +155,17 @@ public function process_token( $stackPtr ) {
 return;
 }
+ $error_code = 'Missing';
+ if ( false === $this->superglobals[ $instance['content'] ] ) {
+ $error_code = 'Recommended';
+ }
+ // If we're still here, no nonce-verification function was found.
 $this->addMessage(
 'Processing form data without nonce verification.',
 $stackPtr,
 $this->superglobals[ $instance['content'] ],
- 'NoNonceVerification'
+ $error_code
 );
 }
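Review bot: The new `$error_code` is chosen with a strict `false ===` test on `$this->superglobals[ $instance['content'] ]`, while the same expression is passed unmodified as the error/warning flag in the `addMessage()` call further down, so the code and the severity are decided by two separate reads that could disagree for any non-boolean value. Reading it once, e.g. `$is_error = $this->superglobals[ $instance['content'] ];` followed by `$error_code = ( false === $is_error ) ? 'Recommended' : 'Missing';` and passing `$is_error` to `addMessage()`, keeps the pairing in one place; `addMessage()` itself is outside the hunk, so how it interprets the flag cannot be confirmed from here. A one-line comment such as `// 'Missing' is reported as an error, 'Recommended' as a warning.` would also help ruleset authors who gate CI on this CSRF check reference both codes. The description mentions a ruleset change, but the diffstat lists only this file, so that part may live in another commit. `process_token()` starts above the hunk.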