Escape output sniff fix for static method calls #2370
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Is that true though ? Shouldn't the sniff skip over the method call, but then continue ? Test case: echo My::method($param), $somethingElse; // I'd expect two errors here, one for the method call, one for $somethingElse. |
|
Knew there must be edge cases I missed 😅 I'll work on this some more in the following days, I need to get some sleep 🙈 |
|
@dingo-d Should this PR be moved back to draft for the time being ? |
7 tasks
dingo-d
force-pushed
the
hotifx/escape-output-sniff
branch
from
5f01f59 to
2fd4721
Compare
|
@jrfnl The tests seem to be passing now, only the 2 seem to be stalling (or just taking an unusually long time). |
This was referenced Sep 15, 2023
Need to write a recursive method that will check the fully qualified class names and if they have a static method call in them. We should also be careful not to catch the throw Exception cases, as for those we do want to check the parameters of the static method if they are escaped or not.
Add check for static public properties, enums and constants.
Add a way to identify static methods in the is_escaping_function, used for setting the customEscapingFunctions.
Split the merge function to merge lowercased method/function names, because PHP is case insensitive for all class, namespace and method names.
dingo-d
force-pushed
the
hotifx/escape-output-sniff
branch
from
8f336b7 to
4a48492
Compare
|
Any chance we can move this PR along? |
6 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As it currently is the following code
Would trigger the EscapeOutput sniff for the class name, but also for any attributes of the class method, except the first one.
The sniff should just trigger the class name, and bow out after that (what is inside the method is of no concern, as the output is all that matters).
I've added a test case and found the part that caused the issue (the
*::classpart didn't take into account static methods, only the*::classcase).This should fix it.
Adresses part of #1176