Casting to an integer should be considered input sanitization #179
Labels
Comments
|
It looks like #205 fixed this when the case is similar to my original example: $var = (int) $_GET['some_var'];However, the cast is ignored when the value is in a function call: $var = some_func( $some_arg, (int) $_GET['some_var'] );In a case like this I get the non-sanitized input var error. |
JDGrimes
added a commit
to JDGrimes/WordPress-Coding-Standards
that referenced
this issue
Dec 24, 2014
There are two different sanitization checks in this sniff. Only one of them was considering that casting is a form of input sanitization. I’ve moved the casting check out of the conditional it was in, and now the `$is_casted` value is being checked for all sanitization checking paths. Includes unit tests. Fixes WordPress#179
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I think this is true in the XSS sniff, but not in
WordPress.VIP.ValidatedSanitizedInput.For example:
This will be flagged, but it shouldn't be.
The text was updated successfully, but these errors were encountered: