Merge pull request #292 from JDGrimes/issue/179

Always consider casting sanitization

WordPress/Sniffs/VIP/ValidatedSanitizedInputSniff.php

@@ -59,17 +59,17 @@ public function process( PHP_CodeSniffer_File $phpcsFile, $stackPtr )
 			return;
 		}
 
-		$is_casted = false;
+		// Search for casting
+		$prev = $phpcsFile->findPrevious( array( T_WHITESPACE ), $stackPtr - 1, null, true, null, true );
+		$is_casted = in_array( $tokens[ $prev ]['code'], array( T_INT_CAST, T_DOUBLE_CAST, T_BOOL_CAST ) );
+
 		if ( isset( $instance['nested_parenthesis'] ) ) {
 			$nested = $instance['nested_parenthesis'];
 			// Ignore if wrapped inside ISSET
 			end( $nested ); // Get closest parenthesis
 			if ( in_array( $tokens[ key( $nested ) - 1 ]['code'], array( T_ISSET, T_EMPTY, T_UNSET ) ) )
 				return;
 		} else {
-			// Search for casting
-			$prev = $phpcsFile->findPrevious( array( T_WHITESPACE ), $stackPtr -1, null, true, null, true );
-			$is_casted = in_array( $tokens[ $prev ]['code'], array( T_INT_CAST, T_DOUBLE_CAST, T_BOOL_CAST ) );
 			if ( ! $is_casted ) {
 				$phpcsFile->addError( 'Detected usage of a non-sanitized input variable: %s', $stackPtr, null, array( $tokens[$stackPtr]['content'] ) );
 				return;
@@ -163,6 +163,8 @@ public function process( PHP_CodeSniffer_File $phpcsFile, $stackPtr )
 				}
 			} elseif ( T_UNSET === $function['code'] ) {
 				$is_sanitized = true;
+			} elseif ( $is_casted ) {
+				$is_sanitized = true;
 			}
 		}
 

WordPress/Tests/VIP/ValidatedSanitizedInputUnitTest.inc

@@ -62,7 +62,8 @@ foreach( $_POST as $key => $value ) {
 
 unset( $_GET['test'] ); // ok
 
-echo (int) $_GET['test'];
+echo (int) $_GET['test']; // ok
+some_func( $some_arg, (int) $_GET['test'] ); // ok
 
 function zebra() {
 	if ( isset( $_GET['foo'], $_POST['bar'] ) ) {