filter_input() doesn't mean variable is sanitized

[allan23]

filter_input() is listed as an escaping function. However if the third parameter isn't set, then no sanitization takes place.

Example:
URL: http://test.dev/?test=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

echo filter_input( INPUT_GET, 'test' );

vs.

echo filter_input( INPUT_GET, 'test', FILTER_SANITIZE_STRING );

Should detection of filter_input require manual inspection or is it possible to check if the third parameter is set?

[JDGrimes]

It would be possible to detect whether the third parameter was supplied, if anyone would like to work up a patch.

[JDGrimes]

A side note: I think that probably the filter_input() function should be flagged by the WordPress.VIP.SuperGlobalInputUsage sniff.

[jrfnl]

I think we need a separate sniff to check for correct usage of the filter_...() functions. This does not have to be combined with an existing sniff.