Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding missing escaping check for <?= #858

Closed
wants to merge 20 commits into from
Closed

Adding missing escaping check for <?= #858

Changes from 1 commit
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
f8241bc
Adding missing escaping check for `<?=`
david-binda Feb 28, 2017
98df766
Add missing PHP closing tag in the XSS/EscapeOutputUnitTest.inc file …
david-binda Mar 1, 2017
a31b188
Replacing PHP comments for HTML ones in XSS/EscapeOutputUnitTest.inc
david-binda Mar 1, 2017
3fcbdc7
Add regext fallback support for collecting some obvious unescaped sho…
david-binda Mar 4, 2017
37dfe31
Adding specific case to the matrix for running the tests on PHP 5.3 w…
david-binda Mar 4, 2017
e7d7477
Adding proper check for deciding on whether short_open_tag is disable…
david-binda Mar 6, 2017
fac73b2
Language improvements in comments per feedback
david-binda Mar 6, 2017
73fd553
Removing debug code
david-binda Mar 6, 2017
415a8b1
Removing the `is_short_open_tag_enabled` method
david-binda Mar 6, 2017
5b6e892
Replace the `phpversion` and `version_compare` function calls by PHP_…
david-binda Mar 6, 2017
ba862f9
Improving the regex used in a fallback in case open_short_tag is disa…
david-binda Mar 6, 2017
382e66f
Addressing styling issues flagged by PHPCS
david-binda Mar 6, 2017
2a912a5
One more PHPCS coding standard violation fix. I must have missed that…
david-binda Mar 6, 2017
dd1b6f0
Using just a single `*` for multiline comments which are not a docblock
david-binda Mar 8, 2017
0698ae1
Fixing typos s/open_short_tag/short_open_tag/ and s/open short tags/s…
david-binda Mar 8, 2017
a361850
Adding @since mark for newly introduced private property `short_open_…
david-binda Mar 8, 2017
b52d30c
Updating regex for catching missed escaping the way it catches also a…
david-binda Mar 8, 2017
fde244e
Fixing typo `it''s` => `it's`
david-binda Mar 8, 2017
c8e48ec
Fix wrong copy pasting of updated regex
david-binda Mar 8, 2017
60d3bf1
Fixing typo in comment /s/outputing/outputting/
david-binda Mar 9, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 14 additions & 16 deletions WordPress/Sniffs/XSS/EscapeOutputSniff.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -105,12 +105,24 @@ class WordPress_Sniffs_XSS_EscapeOutputSniff extends WordPress_Sniff {
'T_TRAIT_C' => true, // __TRAIT__
);

/**
* Status of short_open_tag feature
*
* @var bool
*/
private $short_open_tag_enabled = true;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a @since tag


/**
* Returns an array of tokens this test wants to listen for.
*
* @return array
*/
public function register() {
// Check whether short_open_tag is disabled on PHP version < 5.4 (it''s enabled by default in later versions).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it''s => it's

if ( true === version_compare(phpversion(), '5.4', '<' ) && false === (bool) ini_get( 'short_open_tag' ) ) {
$this->short_open_tag_enabled = false;
}

$tokens = array(
T_ECHO,
T_PRINT,
Expand All @@ -123,7 +135,7 @@ public function register() {
* In case open_short_tag is turned off, we can attempt to regex T_INLINE_HTML
* which is how open short tags are being handled in that case.
*/
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

open_short_tag => short_open_tag
open short tags => short open tags

if ( false === $this->is_short_open_tag_enabled() ) {
if ( false === $this->short_open_tag_enabled ) {
$tokens[] = T_INLINE_HTML;
}
return $tokens;
Expand Down Expand Up @@ -161,7 +173,7 @@ public function process_token( $stackPtr ) {
if ( in_array( $function, array( 'trigger_error', 'user_error' ), true ) ) {
$end_of_statement = $this->phpcsFile->findEndOfStatement( $open_paren + 1 );
}
} else if ( false === $this->is_short_open_tag_enabled() && T_INLINE_HTML === $this->tokens[ $stackPtr ]['code'] ) {
} else if ( false === $this->short_open_tag_enabled && T_INLINE_HTML === $this->tokens[ $stackPtr ]['code'] ) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just noticed one last minor thingie: the first part of this if condition is not necessary as T_INLINE_HTML is only registered to this sniff if short_open_tag_enabled is true.

Having said that, that also means that the property can be removed and turned into a local variable within the register() method.

// Skip if no PHP short_open_tag is in the string.
if ( false === strpos( $this->tokens[ $stackPtr ]['content'], '<?=' ) ) {
return;
Expand Down Expand Up @@ -439,18 +451,4 @@ protected function mergeFunctionLists() {
}
}

/**
* Checks whether short_open_tag is enabled.
*
* Since PHP 5.4, <?= is always available.
*
* @return bool False if short_open_tag is not enabled, true otherwise
*/
public function is_short_open_tag_enabled() {
if ( true === version_compare(phpversion(), '5.4', '<' ) && false === (bool) ini_get( 'short_open_tag' ) ) {
return false;
}
return true;
}

} // End class.