XSS.EscapeOutput sniff: Fix issue #933 - namespace separators.

This simple change means that namespace separators will be be ignored completely by the check for output escaping which fixes the immediate issue. For a more thorough fix, the logic of the function would need to be refactored to take namespaced functions into account as well, but that's for another day.
WordPress · Aug 7, 2017 · c1d43bf · c1d43bf
1 parent 4a97ddd
commit c1d43bf
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/WordPress/Sniffs/XSS/EscapeOutputSniff.php b/WordPress/Sniffs/XSS/EscapeOutputSniff.php
@@ -291,6 +291,11 @@ public function process_token( $stackPtr ) {
 				continue;
 			}
 
+			// Ignore namespace separators.
+			if ( T_NS_SEPARATOR === $this->tokens[ $i ]['code'] ) {
+				continue;
+			}
+
 			if ( T_OPEN_PARENTHESIS === $this->tokens[ $i ]['code'] ) {
 
 				if ( ! isset( $this->tokens[ $i ]['parenthesis_closer'] ) ) {

diff --git a/WordPress/Tests/XSS/EscapeOutputUnitTest.inc b/WordPress/Tests/XSS/EscapeOutputUnitTest.inc
@@ -225,3 +225,15 @@ echo 8 * 1.2; // Ok.
 <?= $var['foo']; ?><!-- Bad. -->
 <?= $var->foo ?><!-- Bad. -->
 <?php
+
+// Issue #933. OK.
+function do_footer_nav() {
+	echo \wp_kses_post(
+		\genesis_get_nav_menu(
+			[
+				'menu_class'     => 'menu genesis-nav-menu menu-footer',
+				'theme_location' => 'footer',
+			]
+		)
+	);
+}