Merge pull request #681 from Automattic/fix/680-properescapingfunctions-match-precision

rebeccahum · web-flow · commit b40582cf6dc3 · 2021-04-26T07:05:55.000-06:00
ProperEscapingFunction: further improve attribute matching
diff --git a/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php b/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php
@@ -23,7 +23,7 @@ class ProperEscapingFunctionSniff extends Sniff {
 	 *
 	 * @var string
 	 */
-	const ATTR_END_REGEX = '`(?<attrname>href|src|url|(^|\s+)action)?=(?:\\\\)?["\']*$`i';
+	const ATTR_END_REGEX = '`(?<attrname>href|src|url|(^|\s+)action)?(?<=[a-z0-9_-])=(?:\\\\)?["\']*$`i';
 
 	/**
 	 * List of escaping functions which are being tested.
diff --git a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc
@@ -106,3 +106,10 @@ echo '<a href="',  esc_html($url), '">'; // Error.
 <div>html</div>
 <?= '<h1 class="', esc_attr( $test ), '">'; ?><!-- OK -->
 <div>html</div>
+
+// Issue #680 - only match = when preceeded by something which could be an HTML attribute.
+<option value="<?php echo esc_attr( $i ); ?>" <?php echo ( $filter_importance === $i ) ? 'selected' : ''; ?> >
+	&gt;=<?php echo esc_html( $i ); ?>
+</option>
+
+<A HREF="<?= esc_url($url) ?>" data-num2=<?= esc_attr( $num2 )><?php echo esc_html( $link ); ?><a/>

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ class ProperEscapingFunctionSniff extends Sniff {`
`23`	`23`	`*`
`24`	`24`	`* @var string`
`25`	`25`	`*/`
`26`		- const ATTR_END_REGEX = '`(?<attrname>href\|src\|url\|(^\|\s+)action)?=(?:\\\\)?["\']*$`i';
	`26`	+ const ATTR_END_REGEX = '`(?<attrname>href\|src\|url\|(^\|\s+)action)?(?<=[a-z0-9_-])=(?:\\\\)?["\']*$`i';
`27`	`27`
`28`	`28`	`/**`
`29`	`29`	`* List of escaping functions which are being tested.`