ProperEscapingFunction: Fix short tag detection

The tracking variable `$in_short_echo` was never reset when checking different files, meaning that the property would carry over and provide the wrong context to the next file. By adding a `process()` method to the ProperEscapingFunctionSniff, we can reset the tracking variable at the start of each file by comparing the currently processing file to the last one stored in a static variable. Includes two unit test files, numbered in the order needed to trigger the bug if the fix wasn't present. Fixes #739.
Automattic · Feb 5, 2023 · db63bd8 · db63bd8
1 parent 3c5a8bb
commit db63bd8
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 0 deletions.
diff --git a/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php b/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php
@@ -8,6 +8,7 @@
 
 namespace WordPressVIPMinimum\Sniffs\Security;
 
+use PHP_CodeSniffer\Files\File;
 use WordPressVIPMinimum\Sniffs\Sniff;
 use PHP_CodeSniffer\Util\Tokens;
 
@@ -111,6 +112,28 @@ public function register() {
 		];
 	}
 
+	/**
+	 * Reset short echo context tracking variable for a new file.
+	 *
+	 * @since 2.3.4
+	 *
+	 * @param \PHP_CodeSniffer\Files\File $phpcsFile The file being scanned.
+	 * @param int                         $stackPtr  The position of the current token
+	 *                                               in the stack passed in $tokens.
+	 *
+	 * @return int|void Integer stack pointer to skip forward or void to continue
+	 *                  normal file processing.
+	 */
+	public function process( File $phpcsFile, $stackPtr ) {
+		static $current_file;
+		if ( $phpcsFile !== $current_file ) {
+			$this->in_short_echo = false;
+			$current_file        = $phpcsFile;
+		}
+
+		return parent::process( $phpcsFile, $stackPtr );
+	}
+
 	/**
 	 * Process this test when one of its tokens is encountered
 	 *

diff --git a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.2.inc b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.2.inc
@@ -0,0 +1,8 @@
+<?php
+/*
+ * This is part one of a two-part test. It must be in a lower-numbered file
+ * than part two, to trigger the bug in
+ * https://github.com/Automattic/VIP-Coding-Standards/issues/739
+ */
+?>
+<?= esc_attr('short_tag') ?>
diff --git a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.3.inc b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.3.inc
@@ -0,0 +1,11 @@
+<?php
+/*
+ * This is part two of a two-part test. It must be in a higher-numbered file
+ * than part one, to trigger the bug in
+ * https://github.com/Automattic/VIP-Coding-Standards/issues/739
+ */
+printf(
+	'<div class="%1$s"><p>%2$s</p></div>',
+	esc_attr($class),
+	wp_kses_post($message)
+);