HTMLExecutingFunctions: Add more functions

There are different ways to insert variables into the DOM, and our sniffs only covered some of them.

The sniff now has an expanded list, which covers functions that have a syntax where the content is in the function arg, and also where the function arg is the target and the content is in the preceding method's arg.

Fixes #435.

Author: GaryJones

WordPressVIPMinimum/Sniffs/JS/HTMLExecutingFunctionsSniff.php

@@ -22,13 +22,26 @@ class HTMLExecutingFunctionsSniff extends Sniff {
 	/**
 	 * List of HTML executing functions.
 	 *
+	 * Name of function => content or target.
+	 * Value indicates whether the function's arg is the content to be inserted, or the target where the inserted
+	 * content is to be inserted before/after/replaced. For the latter, the content is in the preceding method's arg.
+	 *
 	 * @var array
 	 */
 	public $HTMLExecutingFunctions = [
-		'html',
-		'append',
-		'write',
-		'writeln',
+		'after'        => 'content', // jQuery.
+		'append'       => 'content', // jQuery.
+		'appendTo'     => 'target',  // jQuery.
+		'before'       => 'content', // jQuery.
+		'html'         => 'content', // jQuery.
+		'insertAfter'  => 'target',  // jQuery.
+		'insertBefore' => 'target',  // jQuery.
+		'prepend'      => 'content', // jQuery.
+		'prependTo'    => 'target',  // jQuery.
+		'replaceAll'   => 'target',  // jQuery.
+		'replaceWith'  => 'content', // jQuery.
+		'write'        => 'content',
+		'writeln'      => 'content',
 	];
 
 	/**
@@ -58,29 +71,56 @@ public function register() {
 	 */
 	public function process_token( $stackPtr ) {
 
-		if ( false === in_array( $this->tokens[ $stackPtr ]['content'], $this->HTMLExecutingFunctions, true ) ) {
+		if ( ! isset( $this->HTMLExecutingFunctions[ $this->tokens[ $stackPtr ]['content'] ] ) ) {
 			// Looking for specific functions only.
 			return;
 		}
 
-		$nextToken = $this->phpcsFile->findNext( Tokens::$emptyTokens, $stackPtr + 1, null, true, null, true );
+		if ( 'content' === $this->HTMLExecutingFunctions[ $this->tokens[ $stackPtr ]['content'] ] ) {
+			$nextToken = $this->phpcsFile->findNext( Tokens::$emptyTokens, $stackPtr + 1, null, true, null, true );
 
-		if ( T_OPEN_PARENTHESIS !== $this->tokens[ $nextToken ]['code'] ) {
-			// Not a function.
-			return;
-		}
+			if ( T_OPEN_PARENTHESIS !== $this->tokens[ $nextToken ]['code'] ) {
+				// Not a function.
+				return;
+			}
+
+			$parenthesis_closer = $this->tokens[ $nextToken ]['parenthesis_closer'];
 
-		$parenthesis_closer = $this->tokens[ $nextToken ]['parenthesis_closer'];
+			while ( $nextToken < $parenthesis_closer ) {
+				$nextToken = $this->phpcsFile->findNext( Tokens::$emptyTokens, $nextToken + 1, null, true, null, true );
+				if ( T_STRING === $this->tokens[ $nextToken ]['code'] ) { // Contains a variable.
+					$message = 'Any HTML passed to `%s` gets executed. Make sure it\'s properly escaped.';
+					$data    = [ $this->tokens[ $stackPtr ]['content'] ];
+					$this->phpcsFile->addWarning( $message, $stackPtr, $this->tokens[ $stackPtr ]['content'], $data );
 
-		while ( $nextToken < $parenthesis_closer ) {
-			$nextToken = $this->phpcsFile->findNext( Tokens::$emptyTokens, $nextToken + 1, null, true, null, true );
-			if ( T_STRING === $this->tokens[ $nextToken ]['code'] ) {
-				$message = 'Any HTML passed to `%s` gets executed. Make sure it\'s properly escaped.';
-				$data    = [ $this->tokens[ $stackPtr ]['content'] ];
-				$this->phpcsFile->addWarning( $message, $stackPtr, $this->tokens[ $stackPtr ]['content'], $data );
+					return;
+				}
+			}
+		} elseif ( 'target' === $this->HTMLExecutingFunctions[ $this->tokens[ $stackPtr ]['content'] ] ) {
+			$prevToken = $this->phpcsFile->findPrevious( Tokens::$emptyTokens, $stackPtr - 1, null, true, null, true );
 
+			if ( T_OBJECT_OPERATOR !== $this->tokens[ $prevToken ]['code'] ) {
 				return;
 			}
+
+			$prevPrevToken = $this->phpcsFile->findPrevious( Tokens::$emptyTokens, $prevToken - 1, null, true, null, true );
+
+			if ( T_CLOSE_PARENTHESIS !== $this->tokens[ $prevPrevToken ]['code'] ) {
+				return;
+			}
+
+			$parenthesis_opener = $this->tokens[ $prevPrevToken ]['parenthesis_opener'];
+
+			while ( $prevPrevToken > $parenthesis_opener ) {
+				$prevPrevToken = $this->phpcsFile->findPrevious( Tokens::$emptyTokens, $prevPrevToken - 1, null, true, null, true );
+				if ( T_STRING === $this->tokens[ $prevPrevToken ]['code'] ) { // Contains a variable.
+					$message = 'Any HTML used with `%s` gets executed. Make sure it\'s properly escaped.';
+					$data    = [ $this->tokens[ $stackPtr ]['content'] ];
+					$this->phpcsFile->addWarning( $message, $stackPtr, $this->tokens[ $stackPtr ]['content'], $data );
+
+					return;
+				}
+			}
 		}
 	}
 

WordPressVIPMinimum/Tests/JS/HTMLExecutingFunctionsUnitTest.js

@@ -1,13 +1,44 @@
 (function(){
     var el = document.querySelector(".myclass");
-    el.html(''); // OK.
-    el.html('<b>Hand written HTML</b>'); // OK.
-    el.html( '<b>' + variable + '</b>' ); // NOK.
-    el.html( variable ); // NOK.
-    el.append( variable ); // NOK.
+	el.after(''); // OK.
+	el.after('<b>Hand written HTML</b>'); // OK.
+	el.after( '<b>' + variable + '</b>' ); // Warning.
+	el.after( variable ); // Warning.
     el.append( '<b>Hand written HTML</b>' ); // OK.
-    el.append( '<b>' + variable + '</b>' ); // NOK.
+    el.append( '<b>' + variable + '</b>' ); // Warning.
+    el.append( variable ); // Warning.
+	el.before('<b>Hand written HTML</b>'); // OK.
+	el.before( '<b>' + variable + '</b>' ); // Warning.
+	el.before( variable ); // Warning.
+    el.html('<b>Hand written HTML</b>'); // OK.
+    el.html( '<b>' + variable + '</b>' ); // Warning.
+    el.html( variable ); // Warning.
+	el.prepend('<b>Hand written HTML</b>'); // OK.
+	el.prepend( '<b>' + variable + '</b>' ); // Warning.
+	el.prepend( variable ); // Warning.
+	el.replaceWith('<b>Hand written HTML</b>'); // OK.
+	el.replaceWith( '<b>' + variable + '</b>' ); // Warning.
+	el.replaceWith( variable ); // Warning.
     document.write( '<script>console.log("hello")</script>' ); // OK. No variable, conscious.
-    document.write( hello ); // NOK.
-    document.writeln( hey ); // NOK.
-})();
+    document.write( hello ); // Warning.
+    document
+		.	writeln( hey ); // Warning.
+
+	$('').appendTo(el); // OK.
+	$('<b>Hand written HTML</b>').appendTo( el ); // OK.
+	$( '<b>' + variable + '</b>' ).appendTo( el ); // Warning.
+	$( variable ).appendTo( el ); // Warning.
+	$('<b>Hand written HTML</b>').insertAfter( el ); // OK.
+	$( '<b>' + variable + '</b>' ).insertAfter( el ); // Warning.
+	$( variable ).insertAfter( el ); // Warning.
+	$('<b>Hand written HTML</b>').insertBefore( el ); // OK.
+	$( '<b>' + variable + '</b>' ).insertBefore( el ); // Warning.
+	$( variable ).insertBefore( el ); // Warning.
+	$('<b>Hand written HTML</b>').prependTo( el ); // OK.
+	$( '<b>' + variable + '</b>' ).prependTo( el ); // Warning.
+	$( variable ).prependTo( el ); // Warning.
+	$('<b>Hand written HTML</b>').replaceAll( el ); // OK.
+	$( '<b>' + variable + '</b>' ).replaceAll( el ); // Warning.
+	$( variable )
+		.		replaceAll( el ); // Warning.
+})();

WordPressVIPMinimum/Tests/JS/HTMLExecutingFunctionsUnitTest.php

@@ -34,10 +34,28 @@ public function getWarningList() {
 		return [
 			5  => 1,
 			6  => 1,
-			7  => 1,
+			8  => 1,
 			9  => 1,
 			11 => 1,
 			12 => 1,
+			14 => 1,
+			15 => 1,
+			17 => 1,
+			18 => 1,
+			20 => 1,
+			21 => 1,
+			23 => 1,
+			25 => 1,
+			29 => 1,
+			30 => 1,
+			32 => 1,
+			33 => 1,
+			35 => 1,
+			36 => 1,
+			38 => 1,
+			39 => 1,
+			41 => 1,
+			43 => 1,
 		];
 	}