Security/EscapeOutput: special case get_search_query( false )

jrfnl · jrfnl · commit f165714a8438 · 2023-07-28T03:44:04.000+02:00
As per the reported issue, `get_search_query()` is unsafe when the `$escaped` parameter is set, but not set to `true`.

This commit special cases the function and checks the parameter. If the parameter is passed, but not set to `true`, a custom error message will be thrown.

Includes tests.

Fixes 1354
diff --git a/WordPress/Sniffs/Security/EscapeOutputSniff.php b/WordPress/Sniffs/Security/EscapeOutputSniff.php
@@ -719,6 +719,18 @@ protected function check_code_is_escaped( $start, $end ) {
 					|| $this->is_escaping_function( $functionName )
 					|| $this->is_auto_escaped_function( $functionName )
 				) {
+					// Special case get_search_query() which is unsafe if $escaped = false.
+					if ( 'get_search_query' === strtolower( $functionName ) ) {
+						$escaped_param = PassedParameters::getParameter( $this->phpcsFile, $ptr, 1, 'escaped' );
+						if ( false !== $escaped_param && 'true' !== $escaped_param['clean'] ) {
+							$this->phpcsFile->addError(
+								'Output from get_search_query() is unsafe due to $escaped parameter being set to "false".',
+								$ptr,
+								'UnsafeSearchQuery'
+							);
+						}
+					}
+
 					continue;
 				}
 
diff --git a/WordPress/Tests/Security/EscapeOutputUnitTest.1.inc b/WordPress/Tests/Security/EscapeOutputUnitTest.1.inc
@@ -648,3 +648,10 @@ echo sprintf(
 	( '' !== $this->link_title ) ? ' title="' . esc_attr( $this->link_title ) . '"' : '',
 	( '' !== $this->link_aria_label ) ? ' aria-label="' . $this->link_aria_label . '"' : '',
 ); // Bad x 1.
+
+echo '<input type="search" value="' . get_search_query() . '">'; // OK.
+echo '<input type="search" value="' . get_search_query( /*comment*/ true ) . '">'; // OK.
+echo '<input type="search" value="' . get_search_query( false ) . '">'; // Bad.
+echo '<input type="search" value="' . get_search_query( 0 ) . '">'; // Bad.
+echo '<input type="search" value="' . get_search_query( escape: false ) . '">'; // OK, well not really, typo in param name, but that's not our concern.
+echo '<input type="search" value="' . get_search_query( escaped: false ) . '">'; // Bad.
diff --git a/WordPress/Tests/Security/EscapeOutputUnitTest.php b/WordPress/Tests/Security/EscapeOutputUnitTest.php
@@ -158,6 +158,9 @@ public function getErrorList( $testFile = '' ) {
 					636 => 1,
 					641 => 1,
 					649 => 1,
+					654 => 1,
+					655 => 1,
+					657 => 1,
 				);
 
 			case 'EscapeOutputUnitTest.6.inc':
