ValidatedSanitizedInput: allow for validation using key_exists()

This builds onto the previous enhancement made in 1635 which started recognizing `array_key_exists()` as a way to validate a variable.

`key_exists()` is an alias for `array_key_exists()` and while alias functions shouldn't be used,  for the purposes of the ValidatedSanitizedInput sniff, both functions should be recognized.

Includes unit test.

Notes:
* Removes the `array_key_exists()` method from the list of `$sanitizingFunctions` as it doesn't belong there and is now handled differently anyway (this should have been removed in 1635).
* Updates the version numbers for the change in the method documentation. We never released version 2.0.1, so both this change as well as the one from 1635 will now be released in 2.1.0.

Author: jrfnl

WordPress/Sniff.php

@@ -252,7 +252,6 @@ abstract class Sniff implements PHPCS_Sniff {
 	 */
 	protected $sanitizingFunctions = array(
 		'_wp_handle_upload'          => true,
-		'array_key_exists'           => true,
 		'esc_url_raw'                => true,
 		'filter_input'               => true,
 		'filter_var'                 => true,
@@ -1437,8 +1436,8 @@ protected function has_nonce_check( $stackPtr ) {
 	 * Check if a token is inside of an isset(), empty() or array_key_exists() statement.
 	 *
 	 * @since 0.5.0
-	 * @since 2.0.1 Now checks for the token being used as the array parameter
-	 *              in function calls to array_key_exists() as well.
+	 * @since 2.1.0 Now checks for the token being used as the array parameter
+	 *              in function calls to array_key_exists() and key_exists() as well.
 	 *
 	 * @param int $stackPtr The index of the token in the stack.
 	 *
@@ -1465,7 +1464,12 @@ protected function is_in_isset_or_empty( $stackPtr ) {
 			return true;
 		}
 
-		$functionPtr = $this->is_in_function_call( $stackPtr, array( 'array_key_exists' => true ) );
+		$valid_functions = array(
+			'array_key_exists' => true,
+			'key_exists'       => true, // Alias.
+		);
+
+		$functionPtr = $this->is_in_function_call( $stackPtr, $valid_functions );
 		if ( false !== $functionPtr ) {
 			$second_param = $this->get_function_call_parameter( $functionPtr, 2 );
 			if ( $stackPtr >= $second_param['start'] && $stackPtr <= $second_param['end'] ) {
@@ -1845,7 +1849,8 @@ protected function get_array_access_key( $stackPtr ) {
 	}
 
 	/**
-	 * Check if the existence of a variable is validated with isset(), empty() or array_key_exists().
+	 * Check if the existence of a variable is validated with isset(), empty(), array_key_exists()
+	 * or key_exists().
 	 *
 	 * When $in_condition_only is false, (which is the default), this is considered
 	 * valid:
@@ -1868,7 +1873,7 @@ protected function get_array_access_key( $stackPtr ) {
 	 * ```
 	 *
 	 * @since 0.5.0
-	 * @since 2.0.1 Now recognizes array_key_exists() as a validation function.
+	 * @since 2.1.0 Now recognizes array_key_exists() and key_exists() as validation functions.
 	 *
 	 * @param int    $stackPtr          The index of this token in the stack.
 	 * @param string $array_key         An array key to check for ("bar" in $foo['bar']).
@@ -1982,8 +1987,10 @@ protected function is_validated( $stackPtr, $array_key = null, $in_condition_onl
 					break;
 
 				case 'function_call':
-					// Only check calls to array_key_exists().
-					if ( 'array_key_exists' !== $this->tokens[ $i ]['content'] ) {
+					// Only check calls to array_key_exists() and key_exists().
+					if ( 'array_key_exists' !== $this->tokens[ $i ]['content']
+						&& 'key_exists' !== $this->tokens[ $i ]['content']
+					) {
 						continue 2;
 					}
 

WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.inc

@@ -225,3 +225,8 @@ function test_more_safe_functions() {
 	$float = doubleval( $_GET['test'] ); // OK.
 	$count = count( $_GET['test'] ); // Issue #1659; OK.
 }
+
+function test_allow_array_key_exists_alias() {
+	if ( key_exists( 'my_field1', $_POST ) ) {
+	$id = (int) $_POST['my_field1']; // OK.
+}