diff --git a/.travis.yml b/.travis.yml index 71746a0ca2..5ab50562ba 100644 --- a/.travis.yml +++ b/.travis.yml @@ -37,7 +37,7 @@ matrix: env: PHPCS_BRANCH=2.9 # Test PHP 5.3 with short_open_tags set to On (is Off by default) - php: 5.3 - env: PHPCS_BRANCH=master SHORT_OPEN_TAGS=true + env: PHPCS_BRANCH=2.9 SHORT_OPEN_TAGS=true allow_failures: # Allow failures for unstable builds. - php: nightly @@ -55,6 +55,7 @@ before_install: # test suite is currently not compatible with PHPUnit 6.x. # Fixed at a very specific PHPUnit version which is also compatible with HHVM. - if [[ ${TRAVIS_PHP_VERSION:0:2} != "5." ]]; then wget -P $PHPUNIT_DIR https://phar.phpunit.de/phpunit-5.7.17.phar && chmod +x $PHPUNIT_DIR/phpunit-5.7.17.phar; fi + # Selectively adjust the ini values for the build image to test ini value dependent sniff features. - if [[ "$SHORT_OPEN_TAGS" == "true" ]]; then echo "short_open_tag = On" >> ~/.phpenv/versions/$(phpenv version-name)/etc/php.ini; fi script: diff --git a/WordPress/Sniffs/XSS/EscapeOutputSniff.php b/WordPress/Sniffs/XSS/EscapeOutputSniff.php index c6f7625ce3..70e2693393 100644 --- a/WordPress/Sniffs/XSS/EscapeOutputSniff.php +++ b/WordPress/Sniffs/XSS/EscapeOutputSniff.php @@ -15,9 +15,11 @@ * @package WPCS\WordPressCodingStandards * * @since 2013-06-11 - * @since 0.4.0 This class now extends WordPress_Sniff. - * @since 0.5.0 The various function list properties which used to be contained in this class - * have been moved to the WordPress_Sniff parent class. + * @since 0.4.0 This class now extends WordPress_Sniff. + * @since 0.5.0 The various function list properties which used to be contained in this class + * have been moved to the WordPress_Sniff parent class. + * @since 0.12.0 This sniff will now also check for output escaping when using shorthand + * echo tags ` true, ); - /** - * Status of short_open_tag feature - * - * @since 0.11.0 - * - * @var bool - */ - private $short_open_tag_enabled = true; - /** * Returns an array of tokens this test wants to listen for. * * @return array */ public function register() { - // Check whether short_open_tag is disabled on PHP version < 5.4 (it's enabled by default in later versions). - if ( PHP_VERSION_ID < 50400 && false === (bool) ini_get( 'short_open_tag' ) ) { - $this->short_open_tag_enabled = false; - } $tokens = array( T_ECHO, @@ -173,10 +164,15 @@ public function register() { ); /* - * In case short_open_tag is turned off, we can attempt to regex T_INLINE_HTML - * which is how short open tags are being handled in that case. + * Check whether short open echo tags are disabled and if so, register the + * T_INLINE_HTML token which is how short open tags are being handled in that case. + * + * In PHP < 5.4, support for short open echo tags depended on whether the + * `short_open_tag` ini directive was set to `true`. + * For PHP >= 5.4, the `short_open_tag` no longer affects the short open + * echo tags and these are now always enabled. */ - if ( false === $this->short_open_tag_enabled ) { + if ( PHP_VERSION_ID < 50400 && false === (bool) ini_get( 'short_open_tag' ) ) { $tokens[] = T_INLINE_HTML; } return $tokens; @@ -214,23 +210,23 @@ public function process_token( $stackPtr ) { if ( in_array( $function, array( 'trigger_error', 'user_error' ), true ) ) { $end_of_statement = $this->phpcsFile->findEndOfStatement( $open_paren + 1 ); } - } else if ( false === $this->short_open_tag_enabled && T_INLINE_HTML === $this->tokens[ $stackPtr ]['code'] ) { - // Skip if no PHP short_open_tag is in the string. + } elseif ( T_INLINE_HTML === $this->tokens[ $stackPtr ]['code'] ) { + // Skip if no PHP short_open_tag is found in the string. if ( false === strpos( $this->tokens[ $stackPtr ]['content'], '\S+|\[[^\]]+\]))*)[\s]*;?[\s]*\?\>/', $this->tokens[ $stackPtr ]['content'], $matches ) ) { - $this->phpcsFile->addError( 'Expected next thing to be an escaping function, not %s.', $stackPtr, 'OutputNotEscaped', $matches[1] ); + // Report on what is very likely a PHP short open echo tag outputting a variable. + if ( preg_match( '`\<\?\=[\s]*(\$[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*(?:(?:->\S+|\[[^\]]+\]))*)[\s]*;?[\s]*\?\>`', $this->tokens[ $stackPtr ]['content'], $matches ) > 0 ) { + $this->phpcsFile->addError( + 'Expected next thing to be an escaping function, not %s.', + $stackPtr, + 'OutputNotEscaped', + array( $matches[1] ) + ); return; } - // Throw warning in case the T_INLINE_HTML looks like a open_short_tag. - if ( false !== strpos( $this->tokens[ $stackPtr ]['content'], 'phpcsFile->addWarning( 'Possible use of PHP short open tag ( "unsafePrintingFunctions[ $function ] ) ) { - $error = $this->phpcsFile->addError( "Expected next thing to be an escaping function (like %s), not '%s'", $stackPtr, 'UnsafePrintingFunction', array( $this->unsafePrintingFunctions[ $function ], $function ) ); + $error = $this->phpcsFile->addError( + "Expected next thing to be an escaping function (like %s), not '%s'", + $stackPtr, + 'UnsafePrintingFunction', + array( $this->unsafePrintingFunctions[ $function ], $function ) + ); // If the error was reported, don't bother checking the function's arguments. if ( $error ) { diff --git a/WordPress/Tests/XSS/EscapeOutputUnitTest.php b/WordPress/Tests/XSS/EscapeOutputUnitTest.php index d3c7e5a8b4..41cb3a4b33 100644 --- a/WordPress/Tests/XSS/EscapeOutputUnitTest.php +++ b/WordPress/Tests/XSS/EscapeOutputUnitTest.php @@ -64,9 +64,9 @@ public function getErrorList() { 206 => 1, 207 => 1, 212 => ( PHP_VERSION_ID < 50300 ) ? 1 : 0, // PHPCS on PHP 5.2 does not recognize T_NOWDOC. - 210 => 1, - 212 => 1, - 213 => 1, + 223 => 1, + 225 => 1, + 226 => 1, ); } // end getErrorList() @@ -77,14 +77,8 @@ public function getErrorList() { * @return array => */ public function getWarningList() { - $list = array(); + return array(); - // Adding Warning which is triggerred in case open_short_tag is set to Off. - if ( PHP_VERSION_ID < 50400 && false === (bool) ini_get( 'short_open_tag' ) ) { - $list[211] = 1; - } - - return $list; } } // End class.