Skip to content

Commit 99f7959

Browse files
rebeccahumrebeccahum
authored
Merge pull request #575 from Automattic/fix/incorrect-message-for-proper-escaping-function
ProperEscaping: Fix message for action attribute
2 parents 06ededf + 6d0a6f1 commit 99f7959

File tree

3 files changed

+17
-12
lines changed

3 files changed

+17
-12
lines changed

WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -82,8 +82,8 @@ public function process_token( $stackPtr ) {
8282

8383
$data = [ $function_name ];
8484

85-
if ( $function_name !== 'esc_url' && $this->is_href_or_src( $this->tokens[ $html ]['content'] ) ) {
86-
$message = 'Wrong escaping function. href and src attributes should be escaped by `esc_url()`, not by `%s()`.';
85+
if ( $function_name !== 'esc_url' && $this->attr_expects_url( $this->tokens[ $html ]['content'] ) ) {
86+
$message = 'Wrong escaping function. href, src, and action attributes should be escaped by `esc_url()`, not by `%s()`.';
8787
$this->phpcsFile->addError( $message, $stackPtr, 'hrefSrcEscUrl', $data );
8888
return;
8989
}
@@ -95,32 +95,32 @@ public function process_token( $stackPtr ) {
9595
}
9696

9797
/**
98-
* Tests whether provided string ends with open src or href attribute.
98+
* Tests whether provided string ends with open attribute which expects a URL value.
9999
*
100-
* @param string $content Haystack in which we look for an open src or href attribute.
100+
* @param string $content Haystack in which we look for an open attribute which exects a URL value.
101101
*
102-
* @return bool True if string ends with open src or href attribute.
102+
* @return bool True if string ends with open attribute which exects a URL value.
103103
*/
104-
public function is_href_or_src( $content ) {
105-
$is_href_or_src = false;
106-
foreach ( [ 'href', 'src', 'url' ] as $attr ) {
104+
public function attr_expects_url( $content ) {
105+
$attr_expects_url = false;
106+
foreach ( [ 'href', 'src', 'url', 'action' ] as $attr ) {
107107
foreach ( [
108108
'="',
109109
"='",
110110
'=\'"', // The tokenizer does some fun stuff when it comes to mixing double and single quotes.
111111
'="\'', // The tokenizer does some fun stuff when it comes to mixing double and single quotes.
112112
] as $ending ) {
113113
if ( $this->endswith( $content, $attr . $ending ) === true ) {
114-
$is_href_or_src = true;
114+
$attr_expects_url = true;
115115
break;
116116
}
117117
}
118118
}
119-
return $is_href_or_src;
119+
return $attr_expects_url;
120120
}
121121

122122
/**
123-
* Tests, whether provided string ends with open HMTL attribute.
123+
* Tests whether provided string ends with open HMTL attribute.
124124
*
125125
* @param string $content Haystack in which we look for open HTML attribute.
126126
*

WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -34,4 +34,8 @@ echo '<media:content url="' . esc_attr( $post_image ) . '" medium="image">'; //
3434

3535
echo 'data-param-url="' . esc_url( $share_url ) . '"'; // OK.
3636

37-
echo 'data-param-url="' . esc_html( $share_url ) . '"'; // NOK.
37+
echo 'data-param-url="' . esc_html( $share_url ) . '"'; // NOK.
38+
39+
?>
40+
41+
<form method="post" action="<?php echo esc_html(admin_url('admin.php?page='.$base_name.'&amp;mode=logs&amp;id='.$poll_id)); ?>">

WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,7 @@ public function getErrorList() {
3333
23 => 1,
3434
33 => 1,
3535
37 => 1,
36+
41 => 1,
3637
];
3738
}
3839

0 commit comments

Comments
 (0)