Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Short array tokens not handled in EscapeOutputSniff #1370

Closed
sybrew opened this issue Jun 9, 2018 · 1 comment
Closed

Short array tokens not handled in EscapeOutputSniff #1370

sybrew opened this issue Jun 9, 2018 · 1 comment

Comments

@sybrew
Copy link

sybrew commented Jun 9, 2018

Example code:

$hello = 'hello';
$world = 'world';
vprintf(
	'<em>%s</em><strong>%s</strong>',
	[
		esc_html( $hello ),
		esc_html( $world ),
	]
);

Notification example:

All output should be run through an escaping function (see the 
Security sections in the WordPress Developer Handbooks), found '['.

(WordPress.XSS.EscapeOutput.OutputNotEscaped)

Locally, I added this (temporarily) check to circumvent the notification in the for-loop at WordPress\Sniffs\XSS\EscapeOutputSniff::process_token() -- right beneath the T_ARRAY check; copying its behavior, which works as intended:

if ( in_array( $this->tokens[ $i ]['code'], [ T_OPEN_SHORT_ARRAY, T_CLOSE_SHORT_ARRAY ], true ) ) {
	$i++; // Skip the opening parenthesis.
	continue;
}

PHPCS registers the two shorthand constants in ..\util\Tokens.php

@jrfnl
Copy link
Member

jrfnl commented Jun 9, 2018

@sybrew Thanks for reporting this. This has already been fixed in the develop branch via #1333. The fix will be included in the WPCS 1.0.0 release.

Closing as duplicate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants