Skip to content

ProperEscapingFunction: Flag when esc_attr is being used outside of HTML attributes #624

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 19 commits into from
Apr 14, 2021
Merged

ProperEscapingFunction: Flag when esc_attr is being used outside of HTML attributes #624

merged 19 commits into from
Apr 14, 2021

Conversation

rebeccahum
Copy link
Contributor

Fixes #155.

Also replaced "NOK" in the test with "Error" since "NOK" is harder to distinguish from "OK".

@rebeccahum rebeccahum requested a review from a team as a code owner February 23, 2021 21:58
jrfnl
jrfnl reviewed Feb 26, 2021
View reviewed changes
Copy link
Collaborator

@jrfnl jrfnl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi Rebecca, left some questions again for you to consider.

@jrfnl
Copy link
Collaborator

jrfnl commented Feb 26, 2021

@rebeccahum Shall I continue with the questions based on the new code or shall we talk it through in a call ?

jrfnl
jrfnl reviewed Feb 26, 2021
View reviewed changes
Copy link
Collaborator

@jrfnl jrfnl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Next round of questions for now, we can talk them through in a call next week if you like.

@rebeccahum rebeccahum force-pushed the fix_155 branch 2 times, most recently from 1b9c439 to 910c581 Compare March 1, 2021 20:53
@rebeccahum
Copy link
Contributor Author

Ready for another round, @jrfnl!

jrfnl
jrfnl reviewed Mar 2, 2021
View reviewed changes
Copy link
Collaborator

@jrfnl jrfnl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi Rebecca, as discussed in the call: well done! This is looking really good!

Just some nitpicks and minor cleanup left to do, but other than that, ready to merge!

General remark regarding the tests: I'm missing tests with a T_DOUBLE_QUOTED_STRING token before the call to esc_*().

Not for this PR, but for a possible future iteration: using strip_quotes() for all three checks and only when the token is a single/double quoted string.

@rebeccahum
Copy link
Contributor Author

@jrfnl Besides having a hard time kicking the yoda habit, I think this should be good for one more review!

jrfnl
jrfnl previously requested changes Mar 3, 2021
View reviewed changes
Copy link
Collaborator

@jrfnl jrfnl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rebeccahum We're inching closer and closer.

Not for this PR, but for a possible future iteration: using strip_quotes() for all three checks and only when the token is a single/double quoted string.

As you've started to address this remark within this PR now anyway, it, unfortunately, has opened up the road to yet more changes which will be needed to finish that refactor off properly.

Let me know if you want to talk my current remarks through in another call. Or even if you'd want me to add a commit to the PR to address that last part for the attr_expects_url() and the is_html_attr() functions.

WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php Outdated

$echo_or_string_concat = $this->phpcsFile->findPrevious( Tokens::$emptyTokens, $stackPtr - 1, null, true );
// Use $textStringTokens b/c heredoc and nowdoc tokens shouldn't be matched anyways.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Use $textStringTokens b/c heredoc and nowdoc tokens shouldn't be matched anyways.
// Use $textStringTokens b/c heredoc and nowdoc tokens will never be encountered in this context anyways.

@rebeccahum rebeccahum requested a review from jrfnl March 12, 2021 21:27
@rebeccahum
Move attrs and attr endings to static variable level, double escape s…
032742b 
…lash in $attr_endings and add more tests (courtesy of Juliette)
@rebeccahum rebeccahum dismissed jrfnl’s stale review March 16, 2021 18:41

Awaiting new review 😀

jrfnl added 2 commits April 14, 2021 16:40
@jrfnl
ProperEscapingFunction: take all possible functions into account
34e7c56 
While the list of functions being looked for in the `$escaping_functions` property has been expanded, a lot of these were not being tested and when the tests are adjusted for this, it shows that the "using `esc_html` for attributes" check is not correctly applied to all relevant functions.

This is caused by the preliminary check for whether to examine a function for escaping HTML attributes correctly still using a hard-coded reference to `esc_html` instead of using the list from the property.

Fixed now.

Tested by adjusting some existing tests.
@jrfnl
ProperEscapingFunction: move a condition
6596c68 
As the other checks now each have a condition checking the `$escaping_type` in the `process()` method, having that condition in the `is_outside_html_attr_context()` function for the "esc_attr being used outside HTML tags" check makes it inconsistent and raises the cognitive complexity.

It is more intuitive to have a similar "prelim function type" check in the condition in the `process()` method.

This also removes the need to pass the `$function_name` to the `is_outside_html_attr_context()` function.
jrfnl added 6 commits April 14, 2021 16:41
@jrfnl
ProperEscapingFunction: allow for HTML attributes without quotes
5ccd4e8 
While not recommended, HTML attributes for which the value does not contain whitespace, can be passed without the value being quoted.

This adds allowance for that situation.

Includes unit test.
@jrfnl
ProperEscapingFunction: minor documentation touch up
2cb1dbe
@jrfnl
ProperEscapingFunction: function names are case-insensitive
b8f215c 
Function names in PHP are case-insensitive and should be compared against lists in a case-insensitive manner.

As the list is in lowercase, lowercase the input received from the token stream before comparing it against the list.

Tested by adjusting one of the existing unit tests.
@jrfnl
ProperEscapingFunction: only trigger on function calls
080f3c5 
While unlikely, a class or constant could be declared which uses the same name as one of the target functions.
In that case, the sniff should not trigger an error.

This adds a safeguard to verify if something is a function call and bows out if not.

Includes unit test.
@jrfnl
ProperEscapingFunction: allow for fully qualified function calls
9be3a38 
In namespaced files, it is a good habit to use fully qualified function calls or `use function ...` statements for global functions to prevent PHP from looking for the function in the current namespace.

As things were, fully qualified function calls would be ignored by the sniff, leading to false negatives.

Tested by adjusting some existing tests.
@jrfnl
ProperEscapingFunction: make the $escaping_functions property protected
5962dc4 
The `public` `$escaping_functions` property was never _intended_ for allowing it to be changed via a custom ruleset.

As the array _format_ of the property has now changed, adjusted values for this property set in a custom ruleset will no longer work.

This is a breaking change, but as:
1. The property was never intended to be changed from a custom ruleset and
2. The chances of any custom rulesets actually existing which _do_ change this property being very, very small...

I believe it is justified to make the breaking change in the format in a minor release as the format change provides a real functional benefit.

Now, as this breaking change will be made anyway, we may as well do it right and mark the property as `protected` preventing it from ever being changed via a custom ruleset.
jrfnl
jrfnl approved these changes Apr 14, 2021
View reviewed changes
Copy link
Collaborator

@jrfnl jrfnl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving with the addition of the seven extra commits which we discussed in a videocall.
See the commit messages of each of these commits for details.

One final note:
The format of the public property $escaping_functions has changed - from the "function names as values" to "function names as keys with their type as value".

This format change is a breaking change as the sniff will no longer function correctly if the old property format is used in a custom ruleset.

As discussed in our call and documented in the commit message of the last commit:

This is a breaking change, but as:

  1. The property was never intended to be changed from a custom ruleset and
  2. The chances of any custom rulesets actually existing which do change this property being very, very small...

...I believe it is justified to make the breaking change in the format in a minor release as the format change provides a real functional benefit.

With that in mind, the property has now also been made protected.

Deprecating the public property and setting up a complex array merge mechanism with the "new" protected property just in case there is a custom ruleset which does overrule the value seems overkill as the chances of this actually breaking anything in real life are so small.

This breaking change, however, will need a very clear entry in the changelog on the off-chance of a custom ruleset using the property.

/cc @GaryJones

@rebeccahum rebeccahum merged commit 288ad35 into develop Apr 14, 2021
@rebeccahum rebeccahum deleted the fix_155 branch April 14, 2021 17:05
@jrfnl jrfnl added this to the 2.3.0 milestone Apr 14, 2021
@jrfnl jrfnl mentioned this pull request Apr 20, 2021
Merged
@jrfnl jrfnl mentioned this pull request Jul 19, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jrfnl jrfnl jrfnl approved these changes

Assignees
No one assigned
Labels
Type: Enhancement
Projects
None yet
Milestone
2.3.0
Development

Successfully merging this pull request may close these issues.

Catch incorrect usage of esc_attr__()
2 participants
@rebeccahum @jrfnl