Commit 771cdf5

ProperEscapingFunction: allow for fully qualified function calls
In namespaced files, it is a good habit to use fully qualified function calls or `use function ...` statements for global functions to prevent PHP from looking for the function in the current namespace. As things were, fully qualified function calls would be ignored by the sniff, leading to false negatives. Tested by adjusting some existing tests.
1 parent 786796d commit 771cdf5

2 files changed: +7 −6 lines changed


WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php

Lines changed: 1 addition & 0 deletions
@@ -47,6 +47,7 @@ class ProperEscapingFunctionSniff extends Sniff {
4747
T_OPEN_TAG_WITH_ECHO => T_OPEN_TAG_WITH_ECHO,
4848
T_STRING_CONCAT => T_STRING_CONCAT,
4949
T_COMMA => T_COMMA,
50+
T_NS_SEPARATOR => T_NS_SEPARATOR,
5051
];
5152

5253
/**
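Review bot: `T_NS_SEPARATOR` is added to this token list unconditionally, so a fully qualified call into another namespace that happens to reuse the name, e.g. `\Vendor\esc_attr( $x )`, now also has its separator skipped before the sniff looks at what precedes the call. If that is acceptable, say so in the docblock of this array (the case the commit message targets is only the leading global separator in `\esc_attr()`); if not, the sniff would also need to check that the token before the separator is not a `T_STRING`. The `use function esc_attr;` form named in the commit message needs no change here, since the call site still tokenizes as a plain `T_STRING`, so a sentence in the docblock explaining why only the separator is listed would prevent a later "fix" for that case.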

WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc

Lines changed: 6 additions & 6 deletions
@@ -2,19 +2,19 @@
22

33
echo '<a href="' . esc_attr( $some_var ) . '"></a>'; // Error.
44

5-
echo "<a href='" . esc_attr( $some_var ) . "'></a>"; // Error.
5+
echo "<a href='" . \esc_attr( $some_var ) . "'></a>"; // Error.
66

7-
echo '<a href="' . esc_url( $some_var ) . '"></a>'; // OK.
7+
echo '<a href="' . \esc_url( $some_var ) . '"></a>'; // OK.
88

99
echo "<a href='" . esc_url( $some_var ) . "'></a>"; // OK.
1010

1111
echo '<a title="' . esc_attr( $some_var ) . '"></a>'; // OK.
1212

13-
echo "<a title='" . esc_attr( $some_var ) . "'></a>"; // OK.
13+
echo "<a title='" . \esc_attr( $some_var ) . "'></a>"; // OK.
1414

1515
echo '<a title="' . esc_html_x( $some_var ) . '"></a>'; // Error.
1616

17-
echo "<a title='" . esc_html( $some_var ) . "'></a>"; // Error.
17+
echo "<a title='" . \esc_html( $some_var ) . "'></a>"; // Error.
1818

1919
?>
2020

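Review bot: lines 5, 7, 13 and 17 replace the unqualified calls with `\`-prefixed ones instead of adding new cases, so for those four shapes only the fully qualified spelling remains under test (the hunk header `-2,19 +2,19` confirms nothing was added). Keep the original lines and append the qualified forms as extra lines, e.g. `echo "<a href='" . \esc_attr( $some_var ) . "'></a>"; // Error.` directly below line 5, so both resolutions of each shape stay covered and a regression in the plain path is still caught.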
@@ -61,7 +61,7 @@ Test
6161

6262
<h1><?php echo esc_attr__( $title, 'domain' ); ?></h1> <!-- Error --> ?>
6363
<?php echo '<h1>' . esc_attr__( $some_var, 'domain' ) . '</h1>'; // Error.
64-
echo '<h1>', esc_attr_x( $title, 'domain' ), '</h1>'; // Error.
64+
echo '<h1>', \esc_attr_x( $title, 'domain' ), '</h1>'; // Error.
6565
echo "<$tag> " , esc_attr( $test ) , "</$tag>"; // Error.
6666
?>
6767
<h1> <?php echo esc_attr( $title ) . '</h1>'; ?> // Error.
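Review bot: line 64 is the only `esc_attr_x()` case in this file's diff, and it now runs only in the fully qualified form, so the unqualified comma-separated `echo '<h1>', esc_attr_x( ... )` shape is left uncovered (line 65 still covers the comma form, but with `esc_attr()`). Add the `\esc_attr_x` line alongside rather than in place of the original, and consider one case for the `use function esc_attr_x;` import form the commit message mentions, with its expected `// Error.` marker, so the test file documents that that form needs no special handling in the sniff.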
@@ -72,7 +72,7 @@ echo "<$tag> " , esc_attr( $test ) , "</$tag>"; // Error.
7272
echo "<{$tag}>" . esc_attr( $tag_content ) . "</{$tag}>"; // Error.
7373
echo "<$tag" . ' >' . esc_attr( $tag_content ) . "</$tag>"; // Error.
7474
echo '<div class=\'' . esc_html($class) . '\'>'; // Error.
75-
echo "<div class=\"" . esc_html__($class) . '">'; // Error.
75+
echo "<div class=\"" . \esc_html__($class) . '">'; // Error.
7676
echo "<div $someAttribute class=\"" . esc_html($class) . '">'; // Error.
7777
echo '<a href=\'' . esc_html($url) . '\'>'; // Error.
7878
echo "<img src=\"" . esc_html($src) . '"/>'; // Error.
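Review bot: line 75 is the one `esc_html__()` case in these hunks, so after this change the unqualified `esc_html__` call inside an attribute is no longer tested; restore the original line and add the `\esc_html__` version below it. A short marker on the qualified lines in this file (e.g. `// Error. Fully qualified.`) would also make it clear at a glance which lines exist to exercise the `T_NS_SEPARATOR` path, since the neighbouring lines 74 and 76 to 78 are otherwise identical in shape.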
