Security/ValidatedSanitizedInput: make MissingUnslash message more informative

jrfnl · jrfnl · commit f69e5959663b · 2023-08-19T01:42:45.000+02:00
Previously, the error would read `$_POST data not unslashed...`. Now, the error message will show the exact variable with keys we're talking about like `$_POST['key'] not unslashed...`.
diff --git a/WordPress/Sniffs/Security/ValidatedSanitizedInputSniff.php b/WordPress/Sniffs/Security/ValidatedSanitizedInputSniff.php
@@ -230,11 +230,15 @@ public function add_unslash_error( File $phpcsFile, $stackPtr ) {
 			return;
 		}
 
+		// We know there will be array keys as that's checked in the process_token() method.
+		$array_keys = VariableHelper::get_array_access_keys( $phpcsFile, $stackPtr );
+		$error_data = array( $var_name . '[' . implode( '][', $array_keys ) . ']' );
+
 		$phpcsFile->addError(
-			'%s data not unslashed before sanitization. Use wp_unslash() or similar',
+			'%s not unslashed before sanitization. Use wp_unslash() or similar',
 			$stackPtr,
 			'MissingUnslash',
-			array( $var_name )
+			$error_data
 		);
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -230,11 +230,15 @@ public function add_unslash_error( File $phpcsFile, $stackPtr ) {`
`230`	`230`	`return;`
`231`	`231`	`}`
`232`	`232`
	`233`	`+ // We know there will be array keys as that's checked in the process_token() method.`
	`234`	`+ $array_keys = VariableHelper::get_array_access_keys( $phpcsFile, $stackPtr );`
	`235`	`+ $error_data = array( $var_name . '[' . implode( '][', $array_keys ) . ']' );`
	`236`	`+`
`233`	`237`	`$phpcsFile->addError(`
`234`		`- '%s data not unslashed before sanitization. Use wp_unslash() or similar',`
	`238`	`+ '%s not unslashed before sanitization. Use wp_unslash() or similar',`
`235`	`239`	`$stackPtr,`
`236`	`240`	`'MissingUnslash',`
`237`		`- array( $var_name )`
	`241`	`+ $error_data`
`238`	`242`	`);`
`239`	`243`	`}`
`240`	`244`	`}`