diff --git a/WordPressVIPMinimum/Sniffs/Security/InlineScriptEscapingSniff.php b/WordPressVIPMinimum/Sniffs/Security/InlineScriptEscapingSniff.php new file mode 100644 index 00000000..116bc55c --- /dev/null +++ b/WordPressVIPMinimum/Sniffs/Security/InlineScriptEscapingSniff.php @@ -0,0 +1,83 @@ + T_INLINE_HTML, + 'T_STRING' => T_STRING, + ]; + } + + /** + * Process this test when one of its tokens is encountered + * + * @param int $stackPtr The position of the current token in the stack passed in $tokens. + * + * @return void + */ + public function process_token( $stackPtr ) { + $content = trim( $this->tokens[ $stackPtr ]['content'] ); + + if ( $content === '' ) { + return; + } + + if ( $this->has_open_script_tag( $content ) === true ) { + $this->in_script = true; + } elseif ( strpos( '', $content ) !== false ) { + $this->in_script = false; + } + + if ( $this->in_script === true && $content === 'esc_js' ) { + $message = 'Please do not use `esc_js()` for inline script escaping. See our code repository for + examples on how to escape within: https://github.com/Automattic/vip-code-samples/blob/master/10-security/js-dynamic.php'; + $this->phpcsFile->addError( $message, $stackPtr, 'InlineScriptEsc' ); + return; + } + } + + /** + * Check if a content string contains start ' ) !== false ) { + // Incomplete or has closing tag, bail. + return false; + } + + return strpos( $content, ' + + + + + + + + => + */ + public function getErrorList() { + return [ + 9 => 1, + 14 => 1, + 15 => 1, + ]; + } + + /** + * Returns the lines where warnings should occur. + * + * @return array => + */ + public function getWarningList() { + return []; + } + +}