From d95445ea0456177e678fd5e193efada35602537b Mon Sep 17 00:00:00 2001
From: Rohit Vasudevamurthy <rvasudevamurthy@ipaglobal.com>
Date: Tue, 26 Aug 2025 16:49:15 -0400
Subject: [PATCH 1/3] Add documentation for
 WordPress.Security.ValidatedSanitizedInput

---
 .../ValidatedSanitizedInputStandard.xml       | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 WordPress/Docs/Security/ValidatedSanitizedInputStandard.xml

diff --git a/WordPress/Docs/Security/ValidatedSanitizedInputStandard.xml b/WordPress/Docs/Security/ValidatedSanitizedInputStandard.xml
new file mode 100644
index 0000000000..15adcacfa7
--- /dev/null
+++ b/WordPress/Docs/Security/ValidatedSanitizedInputStandard.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0"?>
+<documentation xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://phpcsstandards.github.io/PHPCSDevTools/phpcsdocs.xsd"
+    title="Validated Sanitized Input"
+    >
+    <standard>
+    <![CDATA[
+    All user input data ($_POST, $_GET, $_REQUEST, $_SERVER, $_COOKIE, $_FILES, $_SESSION, $_ENV) must be validated, unslashed, and sanitized before use to prevent security vulnerabilities like XSS, SQL injection, and code injection attacks.
+
+    Validation ensures the input key exists (using isset(), empty(), or array_key_exists()). Unslashing removes WordPress's automatic backslashes using wp_unslash() or similar functions. Sanitization cleans the data using appropriate functions like sanitize_text_field(), absint(), etc.
+    ]]>
+    </standard>
+    <code_comparison>
+        <code title="Valid: Input is validated, unslashed and sanitized.">
+        <![CDATA[
+if ( <em>isset( $_POST['name'] )</em> ) {
+    $name = <em>sanitize_text_field( 
+        wp_unslash( $_POST['name'] ) 
+    )</em>;
+}
+        ]]>
+        </code>
+        <code title="Invalid: Input used without validation.">
+        <![CDATA[
+$name = <em>sanitize_text_field( 
+    wp_unslash( $_POST['name'] ) 
+)</em>;
+        ]]>
+        </code>
+    </code_comparison>
+    <code_comparison>
+        <code title="Valid: Numeric input properly cast.">
+        <![CDATA[
+if ( isset( $_GET['id'] ) ) {
+    $id = <em>(int) $_GET['id']</em>;
+}
+        ]]>
+        </code>
+        <code title="Invalid: Missing unslashing before sanitization.">
+        <![CDATA[
+if ( isset( $_POST['text'] ) ) {
+    $text = <em>sanitize_text_field( $_POST['text'] )</em>;
+}
+        ]]>
+        </code>
+    </code_comparison>
+    <code_comparison>
+        <code title="Valid: Array input properly handled.">
+        <![CDATA[
+$clean = <em>array_map( 
+    'sanitize_text_field', 
+    wp_unslash( $_GET['items'] ) 
+)</em>;
+        ]]>
+        </code>
+        <code title="Invalid: Input used without sanitization.">
+        <![CDATA[
+if ( isset( $_POST['data'] ) ) {
+    echo <em>wp_unslash( $_POST['data'] )</em>;
+}
+        ]]>
+        </code>
+    </code_comparison>
+</documentation>
\ No newline at end of file

From 0d6e34cff2fcd03799a5ece9e8423c7b2bbcc2de Mon Sep 17 00:00:00 2001
From: rooh-wp311 <rooh.dev311@gmail.com>
Date: Tue, 26 Aug 2025 18:34:01 -0400
Subject: [PATCH 2/3] Improve ValidatedSanitizedInput documentation based on
 reviewer feedback

---
 .../ValidatedSanitizedInputStandard.xml       | 72 +++++++++++++------
 1 file changed, 51 insertions(+), 21 deletions(-)

diff --git a/WordPress/Docs/Security/ValidatedSanitizedInputStandard.xml b/WordPress/Docs/Security/ValidatedSanitizedInputStandard.xml
index 15adcacfa7..6e9ebe635f 100644
--- a/WordPress/Docs/Security/ValidatedSanitizedInputStandard.xml
+++ b/WordPress/Docs/Security/ValidatedSanitizedInputStandard.xml
@@ -7,56 +7,86 @@
     <![CDATA[
     All user input data ($_POST, $_GET, $_REQUEST, $_SERVER, $_COOKIE, $_FILES, $_SESSION, $_ENV) must be validated, unslashed, and sanitized before use to prevent security vulnerabilities like XSS, SQL injection, and code injection attacks.
 
-    Validation ensures the input key exists (using isset(), empty(), or array_key_exists()). Unslashing removes WordPress's automatic backslashes using wp_unslash() or similar functions. Sanitization cleans the data using appropriate functions like sanitize_text_field(), absint(), etc.
+    Validation ensures the input key exists (using isset(), empty(), array_key_exists(), or null coalescing operators). Unslashing removes WordPress's automatic backslashes using wp_unslash() or similar functions. Sanitization cleans the data using appropriate functions like sanitize_text_field(), absint(), etc.
     ]]>
     </standard>
     <code_comparison>
-        <code title="Valid: Input is validated, unslashed and sanitized.">
+        <standard>
         <![CDATA[
-if ( <em>isset( $_POST['name'] )</em> ) {
-    $name = <em>sanitize_text_field( 
-        wp_unslash( $_POST['name'] ) 
-    )</em>;
+        String interpolation with superglobals requires validation and sanitization. Using $_POST, $_GET, etc. directly in strings can lead to XSS attacks if the input contains malicious code.
+        ]]>
+        </standard>
+        <code title="Valid: String interpolation with proper validation and sanitization.">
+        <![CDATA[
+if ( isset( $_POST['name'] ) ) {
+    $safe_name = sanitize_text_field( wp_unslash( $_POST['name'] ) );
+    echo "Hello " . $safe_name;
+}
+        ]]>
+        </code>
+        <code title="Invalid: String interpolation without validation or sanitization.">
+        <![CDATA[
+echo "Hello {$_POST['name']}";
+        ]]>
+        </code>
+    </code_comparison>
+    <code_comparison>
+        <standard>
+        <![CDATA[
+        All superglobal array access must be validated to ensure the key exists before use. This prevents undefined index notices and potential security issues.
+        ]]>
+        </standard>
+        <code title="Valid: Input is validated before use.">
+        <![CDATA[
+if ( isset( $_POST['name'] ) ) {
+    $name = sanitize_text_field( wp_unslash( $_POST['name'] ) );
 }
         ]]>
         </code>
         <code title="Invalid: Input used without validation.">
         <![CDATA[
-$name = <em>sanitize_text_field( 
-    wp_unslash( $_POST['name'] ) 
-)</em>;
+$name = sanitize_text_field( wp_unslash( $_POST['name'] ) );
         ]]>
         </code>
     </code_comparison>
     <code_comparison>
-        <code title="Valid: Numeric input properly cast.">
+        <standard>
+        <![CDATA[
+        All validated input must be sanitized to remove or escape potentially malicious content before processing or output.
+        ]]>
+        </standard>
+        <code title="Valid: Input is validated and sanitized.">
         <![CDATA[
-if ( isset( $_GET['id'] ) ) {
-    $id = <em>(int) $_GET['id']</em>;
+if ( isset( $_POST['text'] ) ) {
+    $text = sanitize_text_field( wp_unslash( $_POST['text'] ) );
 }
         ]]>
         </code>
-        <code title="Invalid: Missing unslashing before sanitization.">
+        <code title="Invalid: Input validated but not sanitized.">
         <![CDATA[
 if ( isset( $_POST['text'] ) ) {
-    $text = <em>sanitize_text_field( $_POST['text'] )</em>;
+    $text = wp_unslash( $_POST['text'] );
 }
         ]]>
         </code>
     </code_comparison>
     <code_comparison>
-        <code title="Valid: Array input properly handled.">
+        <standard>
         <![CDATA[
-$clean = <em>array_map( 
-    'sanitize_text_field', 
-    wp_unslash( $_GET['items'] ) 
-)</em>;
+        WordPress automatically adds backslashes to certain superglobals. These must be removed using wp_unslash() or similar functions before sanitization to prevent double-escaping issues.
+        ]]>
+        </standard>
+        <code title="Valid: Input is unslashed before sanitization.">
+        <![CDATA[
+if ( isset( $_POST['data'] ) ) {
+    $clean = sanitize_text_field( wp_unslash( $_POST['data'] ) );
+}
         ]]>
         </code>
-        <code title="Invalid: Input used without sanitization.">
+        <code title="Invalid: Missing unslashing before sanitization.">
         <![CDATA[
 if ( isset( $_POST['data'] ) ) {
-    echo <em>wp_unslash( $_POST['data'] )</em>;
+    $clean = sanitize_text_field( $_POST['data'] );
 }
         ]]>
         </code>

From c5073df0b151bd229ed8891c95c1c44700721c0a Mon Sep 17 00:00:00 2001
From: rooh-wp311 <rooh.dev311@gmail.com>
Date: Tue, 26 Aug 2025 18:56:04 -0400
Subject: [PATCH 3/3] Fix XML structure: move standard blocks outside
 code_comparison sections

---
 .../ValidatedSanitizedInputStandard.xml       | 40 +++++++++----------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/WordPress/Docs/Security/ValidatedSanitizedInputStandard.xml b/WordPress/Docs/Security/ValidatedSanitizedInputStandard.xml
index 6e9ebe635f..6664121000 100644
--- a/WordPress/Docs/Security/ValidatedSanitizedInputStandard.xml
+++ b/WordPress/Docs/Security/ValidatedSanitizedInputStandard.xml
@@ -10,12 +10,12 @@
     Validation ensures the input key exists (using isset(), empty(), array_key_exists(), or null coalescing operators). Unslashing removes WordPress's automatic backslashes using wp_unslash() or similar functions. Sanitization cleans the data using appropriate functions like sanitize_text_field(), absint(), etc.
     ]]>
     </standard>
+    <standard>
+    <![CDATA[
+    String interpolation with superglobals requires validation and sanitization. Using $_POST, $_GET, etc. directly in strings can lead to XSS attacks if the input contains malicious code.
+    ]]>
+    </standard>
     <code_comparison>
-        <standard>
-        <![CDATA[
-        String interpolation with superglobals requires validation and sanitization. Using $_POST, $_GET, etc. directly in strings can lead to XSS attacks if the input contains malicious code.
-        ]]>
-        </standard>
         <code title="Valid: String interpolation with proper validation and sanitization.">
         <![CDATA[
 if ( isset( $_POST['name'] ) ) {
@@ -30,12 +30,12 @@ echo "Hello {$_POST['name']}";
         ]]>
         </code>
     </code_comparison>
+    <standard>
+    <![CDATA[
+    All superglobal array access must be validated to ensure the key exists before use. This prevents undefined index notices and potential security issues.
+    ]]>
+    </standard>
     <code_comparison>
-        <standard>
-        <![CDATA[
-        All superglobal array access must be validated to ensure the key exists before use. This prevents undefined index notices and potential security issues.
-        ]]>
-        </standard>
         <code title="Valid: Input is validated before use.">
         <![CDATA[
 if ( isset( $_POST['name'] ) ) {
@@ -49,12 +49,12 @@ $name = sanitize_text_field( wp_unslash( $_POST['name'] ) );
         ]]>
         </code>
     </code_comparison>
+    <standard>
+    <![CDATA[
+    All validated input must be sanitized to remove or escape potentially malicious content before processing or output.
+    ]]>
+    </standard>
     <code_comparison>
-        <standard>
-        <![CDATA[
-        All validated input must be sanitized to remove or escape potentially malicious content before processing or output.
-        ]]>
-        </standard>
         <code title="Valid: Input is validated and sanitized.">
         <![CDATA[
 if ( isset( $_POST['text'] ) ) {
@@ -70,12 +70,12 @@ if ( isset( $_POST['text'] ) ) {
         ]]>
         </code>
     </code_comparison>
+    <standard>
+    <![CDATA[
+    WordPress automatically adds backslashes to certain superglobals. These must be removed using wp_unslash() or similar functions before sanitization to prevent double-escaping issues.
+    ]]>
+    </standard>
     <code_comparison>
-        <standard>
-        <![CDATA[
-        WordPress automatically adds backslashes to certain superglobals. These must be removed using wp_unslash() or similar functions before sanitization to prevent double-escaping issues.
-        ]]>
-        </standard>
         <code title="Valid: Input is unslashed before sanitization.">
         <![CDATA[
 if ( isset( $_POST['data'] ) ) {