Merge pull request #2378 from anomiex/add/escapeoutput-error-codes-fo…

…r-error-generation Security/EscapeOutputSniff: More modular error codes
WordPress · Sep 13, 2023 · d0e0fd3 · d0e0fd3
2 parents 81f40bc + f5590ce
commit d0e0fd3
Showing 1 changed file with 13 additions and 11 deletions.
diff --git a/WordPress/Sniffs/Security/EscapeOutputSniff.php b/WordPress/Sniffs/Security/EscapeOutputSniff.php
@@ -263,7 +263,7 @@ public function process_token( $stackPtr ) {
 
 				// Examine each parameter individually.
 				foreach ( $params as $param ) {
-					$this->check_code_is_escaped( $param['start'], ( $param['end'] + 1 ) );
+					$this->check_code_is_escaped( $param['start'], ( $param['end'] + 1 ), 'ExceptionNotEscaped' );
 				}
 
 				return $end;
@@ -446,12 +446,13 @@ public function process_matched_token( $stackPtr, $group_name, $matched_content
 	 *
 	 * @since 3.0.0 Split off from the process_token() method.
 	 *
-	 * @param int $start The position to start checking from.
-	 * @param int $end   The position to stop the check at.
+	 * @param int    $start The position to start checking from.
+	 * @param int    $end   The position to stop the check at.
+	 * @param string $code  Code to use for the PHPCS error.
 	 *
 	 * @return int Integer stack pointer to skip forward.
 	 */
-	protected function check_code_is_escaped( $start, $end ) {
+	protected function check_code_is_escaped( $start, $end, $code = 'OutputNotEscaped' ) {
 		/*
 		 * Check for a ternary operator.
 		 * We only need to do this here if this statement is lacking parenthesis.
@@ -532,7 +533,7 @@ protected function check_code_is_escaped( $start, $end ) {
 
 			// Handle PHP 8.0+ match expressions.
 			if ( \T_MATCH === $this->tokens[ $i ]['code'] ) {
-				$match_valid = $this->walk_match_expression( $i );
+				$match_valid = $this->walk_match_expression( $i, $code );
 				if ( false === $match_valid ) {
 					// Live coding or parse error. Shouldn't be possible as PHP[CS] will tokenize the keyword as `T_STRING` in that case.
 					break; // @codeCoverageIgnore
@@ -553,7 +554,7 @@ protected function check_code_is_escaped( $start, $end ) {
 				$array_items = PassedParameters::getParameters( $this->phpcsFile, $i, 0, true );
 				if ( ! empty( $array_items ) ) {
 					foreach ( $array_items as $array_item ) {
-						$this->check_code_is_escaped( $array_item['start'], ( $array_item['end'] + 1 ) );
+						$this->check_code_is_escaped( $array_item['start'], ( $array_item['end'] + 1 ), $code );
 					}
 				}
 
@@ -699,7 +700,7 @@ protected function check_code_is_escaped( $start, $end ) {
 						$formatting_params = PassedParameters::getParameters( $this->phpcsFile, $i );
 						if ( ! empty( $formatting_params ) ) {
 							foreach ( $formatting_params as $format_param ) {
-								$this->check_code_is_escaped( $format_param['start'], ( $format_param['end'] + 1 ) );
+								$this->check_code_is_escaped( $format_param['start'], ( $format_param['end'] + 1 ), $code );
 							}
 						}
 
@@ -754,7 +755,7 @@ protected function check_code_is_escaped( $start, $end ) {
 			$this->phpcsFile->addError(
 				"All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '%s'.",
 				$ptr,
-				'OutputNotEscaped',
+				$code,
 				array( $content )
 			);
 		}
@@ -825,11 +826,12 @@ private function find_long_ternary( $start, $end ) {
 	 *
 	 * @since 3.0.0
 	 *
-	 * @param int $stackPtr Pointer to a T_MATCH token.
+	 * @param int    $stackPtr Pointer to a T_MATCH token.
+	 * @param string $code     Code to use for the PHPCS error.
 	 *
 	 * @return int|false Stack pointer to skip to or FALSE if the match expression contained a parse error.
 	 */
-	private function walk_match_expression( $stackPtr ) {
+	private function walk_match_expression( $stackPtr, $code ) {
 		if ( ! isset( $this->tokens[ $stackPtr ]['scope_opener'], $this->tokens[ $stackPtr ]['scope_closer'] ) ) {
 			// Parse error/live coding. Shouldn't be possible as PHP[CS] will tokenize the keyword as `T_STRING` in that case.
 			return false; // @codeCoverageIgnore
@@ -889,7 +891,7 @@ private function walk_match_expression( $stackPtr ) {
 			}
 
 			// Now check that the value returned by this match "leaf" is correctly escaped.
-			$this->check_code_is_escaped( $item_start, $item_end );
+			$this->check_code_is_escaped( $item_start, $item_end, $code );
 
 			// Independently of whether or not the check was succesfull or ran into (parse error) problems,
 			// always skip to the identified end of the item.