From 711f3be78c155e1b44a54195ce48b5bdefb141fd Mon Sep 17 00:00:00 2001
From: Rebecca Hum <16962021+rebeccahum@users.noreply.github.com>
Date: Tue, 23 Feb 2021 12:25:29 -0700
Subject: [PATCH] Add new sniff InlineScriptEscaping
---
.../Security/InlineScriptEscapingSniff.php | 83 +++++++++++++++++++
.../Security/InlineScriptEscapingUnitTest.inc | 32 +++++++
.../Security/InlineScriptEscapingUnitTest.php | 43 ++++++++++
3 files changed, 158 insertions(+)
create mode 100644 WordPressVIPMinimum/Sniffs/Security/InlineScriptEscapingSniff.php
create mode 100644 WordPressVIPMinimum/Tests/Security/InlineScriptEscapingUnitTest.inc
create mode 100644 WordPressVIPMinimum/Tests/Security/InlineScriptEscapingUnitTest.php
diff --git a/WordPressVIPMinimum/Sniffs/Security/InlineScriptEscapingSniff.php b/WordPressVIPMinimum/Sniffs/Security/InlineScriptEscapingSniff.php
new file mode 100644
index 00000000..2eea25db
--- /dev/null
+++ b/WordPressVIPMinimum/Sniffs/Security/InlineScriptEscapingSniff.php
@@ -0,0 +1,83 @@
+ T_INLINE_HTML,
+ 'T_STRING' => T_STRING,
+ ];
+ }
+
+ /**
+ * Process this test when one of its tokens is encountered
+ *
+ * @param int $stackPtr The position of the current token in the stack passed in $tokens.
+ *
+ * @return void
+ */
+ public function process_token( $stackPtr ) {
+ $content = trim( $this->tokens[ $stackPtr ]['content'] );
+
+ if ( $content === '' ) {
+ return;
+ }
+
+ if ( $this->has_open_script_tag( $content ) === true ) {
+ $this->in_script = true;
+ } elseif ( strpos( '', $content ) !== false ) {
+ $this->in_script = false;
+ }
+
+ if ( $this->in_script === true && $content === 'esc_js' ) {
+ $message = 'Please do not use `esc_js()` for inline script escaping. See our code repository for
+ examples on how to escape within: https://github.com/Automattic/vip-code-samples/blob/master/10-security/js-dynamic.php';
+ $this->phpcsFile->addError( $message, $stackPtr, 'InlineScriptEsc' );
+ return;
+ }
+ }
+
+ /**
+ * Check if a content string contains start ' ) !== false ) {
+ // Incomplete or has closing tag, bail.
+ return false;
+ }
+
+ return $content !== null && strpos( $content, '
+
+
+
+
+
+
+ =>
+ */
+ public function getErrorList() {
+ return [
+ 9 => 1,
+ 14 => 1,
+ 15 => 1,
+ ];
+ }
+
+ /**
+ * Returns the lines where warnings should occur.
+ *
+ * @return array =>
+ */
+ public function getWarningList() {
+ return [];
+ }
+
+}
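Review bot: The closing-tag branch in `process_token` calls `strpos( '', $content )` with the literal as the haystack and `$content` as the needle, the reverse of the `strpos( $content, '...' )` order used in `has_open_script_tag`; as written it only clears `in_script` when the token's entire trimmed content is a substring of the literal, so an inline-HTML token such as `";</script></div>` never ends the script region and every later `esc_js` T_STRING in the file is reported. The literal appears to have been lost in extraction here (presumably `</script>`), but the argument order is visible, and the line should read `} elseif ( strpos( $content, '</script>' ) !== false ) {`. Because `in_script` is an object property rather than a local, it should also be reset to `false` whenever the sniff starts a new file, otherwise a file that ends inside an unterminated `<script>` leaves the flag set for the next file in the run; the property declaration and `register()` are outside this hunk, so I cannot confirm how it is initialised. The class header of the sniff and the `diff` headers for the two test files named in the diffstat are also not visible in this hunk.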