PHP 8.4 | Security/EscapeOutput: handle exit/die using named parameters

jrfnl · jrfnl · commit 86b43ecac8ee · 2025-07-25T17:12:15.000+02:00
As of PHP 8.4, the internal of `T_EXIT` are changing in PHP itself and `exit`/`die` will internally be treated as a function call. The net effect of this is that named parameters can now be used with `exit()`/`die()`. For the `WordPress.Security.EscapeOutput` sniff this would lead to false positives as the parameter name would be seen as "not escaped". As of PHPCSUtils 1.1.0, the methods within the `PassedParameters` class will allow for passing a `T_EXIT` token. This, in turn, allows for handling `exit`/`die` with named parameters correctly in the context of the `EscapeOutput` sniff. This commit implements using the `PassedParameters` class for parsing calls to `exit`/`die`, which fixes the issue. Includes tests. Ref: https://wiki.php.net/rfc/exit-as-function
diff --git a/WordPress/Sniffs/Security/EscapeOutputSniff.php b/WordPress/Sniffs/Security/EscapeOutputSniff.php
@@ -200,19 +200,19 @@ public function process_token( $stackPtr ) {
 				return parent::process_token( $stackPtr );
 
 			case \T_EXIT:
-				$next_non_empty = $this->phpcsFile->findNext( Tokens::$emptyTokens, ( $stackPtr + 1 ), null, true );
-				if ( false === $next_non_empty
-					|| \T_OPEN_PARENTHESIS !== $this->tokens[ $next_non_empty ]['code']
-					|| isset( $this->tokens[ $next_non_empty ]['parenthesis_closer'] ) === false
-				) {
-					// Live coding/parse error or an exit/die which doesn't pass a status code. Ignore.
+				$params = PassedParameters::getParameters( $this->phpcsFile, $stackPtr );
+				if ( empty( $params ) ) {
+					// Live coding/parse error or an exit/die which doesn't pass a status. Ignore.
 					return;
 				}
 
-				// $end is not examined, so make sure the parentheses are balanced.
-				$start = $next_non_empty;
-				$end   = ( $this->tokens[ $next_non_empty ]['parenthesis_closer'] + 1 );
-				break;
+				// There should only be one parameter ($status), but just to be on the safe side.
+				foreach ( $params as $param ) {
+					$this->check_code_is_escaped( $param['start'], ( $param['end'] + 1 ) );
+				}
+
+				// Skip to the end of the last found parameter.
+				return ( $param['end'] + 1 );
 
 			case \T_THROW:
 				// Find the open parentheses, while stepping over the exception creation tokens.
diff --git a/WordPress/Tests/Security/EscapeOutputUnitTest.1.inc b/WordPress/Tests/Security/EscapeOutputUnitTest.1.inc
@@ -655,3 +655,10 @@ echo '<input type="search" value="' . get_search_query( false ) . '">'; // Bad.
 echo '<input type="search" value="' . get_search_query( 0 ) . '">'; // Bad.
 echo '<input type="search" value="' . get_search_query( escape: false ) . '">'; // OK, well not really, typo in param name, but that's not our concern.
 echo '<input type="search" value="' . get_search_query( escaped: false ) . '">'; // Bad.
+
+// PHP 8.4: exit/die using named parameters.
+exit( status: esc_html( $foo ) ); // Ok.
+die( status: esc_html( $foo ) ); // Ok.
+
+exit( status: $foo ); // Bad.
+die( status: $foo ); // Bad.
diff --git a/WordPress/Tests/Security/EscapeOutputUnitTest.php b/WordPress/Tests/Security/EscapeOutputUnitTest.php
@@ -159,6 +159,8 @@ public function getErrorList( $testFile = '' ) {
 					654 => 1,
 					655 => 1,
 					657 => 1,
+					663 => 1,
+					664 => 1,
 				);
 
 			case 'EscapeOutputUnitTest.6.inc':
