From bec35d6b484180be515ec5fcd78ae716b2b62a7c Mon Sep 17 00:00:00 2001
From: Rebecca Hum <16962021+rebeccahum@users.noreply.github.com>
Date: Tue, 23 Feb 2021 12:25:29 -0700
Subject: [PATCH] Add new sniff InlineScriptEscaping
---
 .../Security/InlineScriptEscapingSniff.php | 83 +++++++++++++++++++
 .../Security/InlineScriptEscapingUnitTest.inc | 32 +++++++
 .../Security/InlineScriptEscapingUnitTest.php | 43 ++++++++++
 3 files changed, 158 insertions(+)
 create mode 100644 WordPressVIPMinimum/Sniffs/Security/InlineScriptEscapingSniff.php
 create mode 100644 WordPressVIPMinimum/Tests/Security/InlineScriptEscapingUnitTest.inc
 create mode 100644 WordPressVIPMinimum/Tests/Security/InlineScriptEscapingUnitTest.php
diff --git a/WordPressVIPMinimum/Sniffs/Security/InlineScriptEscapingSniff.php b/WordPressVIPMinimum/Sniffs/Security/InlineScriptEscapingSniff.php
new file mode 100644
index 00000000..2abb8d0e
--- /dev/null
+++ b/WordPressVIPMinimum/Sniffs/Security/InlineScriptEscapingSniff.php
@@ -0,0 +1,83 @@
+ T_INLINE_HTML,
+ 'T_STRING' => T_STRING,
+ ];
+ }
+
+ /**
+ * Process this test when one of its tokens is encountered
+ *
+ * @param int $stackPtr The position of the current token in the stack passed in $tokens.
+ *
+ * @return void
+ */
+ public function process_token( $stackPtr ) {
+ $content = trim( $this->tokens[ $stackPtr ]['content'] );
+
+ if ( $content === '' ) {
+ return;
+ }
+
+ if ( $this->has_open_script_tag( $content ) === true ) {
+ $this->in_script = true;
+ } elseif ( strpos( '', $content ) !== false ) {
+ $this->in_script = false;
+ }
+
+ if ( $this->in_script === true && $content === 'esc_js' ) {
+ $message = 'Please do not use `esc_js()` for inline script escaping. See our code repository for
+ examples on how to escape within: https://github.com/Automattic/vip-code-samples/blob/master/10-security/js-dynamic.php';
+ $this->phpcsFile->addError( $message, $stackPtr, 'InlineScriptEsc' );
+ return;
+ }
+ }
+
+ /**
+ * Check if a content string contains start ' ) !== false ) {
+ // Incomplete or has closing tag, bail.
+ return false;
+ }
+
+ return strpos( $content, ' + + + + + + + + =>
+ */
+ public function getErrorList() {
+ return [
+ 9 => 1,
+ 14 => 1,
+ 15 => 1,
+ ];
+ }
+
+ /**
+ * Returns the lines where warnings should occur.
+ *
+ * @return array =>
+ */
+ public function getWarningList() {
+ return [];
+ }
+
+}
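Review bot: In `process_token`, the closing-tag branch `} elseif ( strpos( '', $content ) !== false ) {` passes the tag literal as the haystack and the token content as the needle (the literal itself is stripped from this rendering, but the sibling `has_open_script_tag` uses the opposite order, `strpos( $content, '…' )`), so the branch only fires when the whole token is a substring of the literal; an inline-HTML token that holds a closing script tag followed by any further markup never clears `$this->in_script`, and every later `esc_js` call in the file is then reported. The arguments should be swapped to match the helper, `} elseif ( strpos( $content, '</script>' ) !== false ) {`, and since both checks are case-sensitive, `stripos` would also cover an upper-case `SCRIPT` tag. Separately, `$in_script` appears to be an instance property with no per-file reset (its declaration and the class header are outside the visible part of the hunk); PHPCS reuses sniff instances across files, so a file that ends inside an open script block would presumably carry the flag into the next file, and resetting it at the start of each file would avoid that. The fixture and test class in the later hunks are garbled in this rendering and could not be reviewed.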