
ProperEscapingFunction: account for T_OPEN_TAG_WITH_ECHO #671


Description

@rebeccahum

Bug Description

Following #668, we should also account for `T_OPEN_TAG_WITH_ECHO`:

```php
<?= '<h2>' , esc_attr( $test ) , '</h2>'; // Warning.
```

However, it's not as simple as just adding it in an OR statement to:

```php
if ( $this->tokens[ $start_of_statement ]['code'] === T_ECHO ) {
```

This is because `findStartOfStatement()` will not recognize `<?=` as the start of the statement if there is inline HTML before it, e.g.

```php
<h1>TEST</h1> <?= '<h2>' , esc_attr( $test ) , '</h2>'; // Warning.
```

However, using just the below will return the expected `$start_of_statement`:

```php
<?= '<h2>' , esc_attr( $test ) , '</h2>'; // Warning.
```

Error Code

`WordPressVIPMinimum.Security.ProperEscapingFunction.notAttrEscAttr`
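To make the token-level picture behind this report concrete, here is an added example that is not part of the issue or of the VIPCS sniff. It runs PHP's own tokenizer (`token_get_all`) over the three snippets from the description (constructed inline) and walks backwards from the `esc_attr()` call to the token that opens the statement, reporting `T_ECHO` or `T_OPEN_TAG_WITH_ECHO` when it finds one. The function name `statementOpener()` is hypothetical and is a simplified stand-in for the sniff's use of `findStartOfStatement()`, not that API.

```php
<?php
// Added example (not VIPCS code): show which token opens an echo statement,
// with and without inline HTML in front of the short echo tag.

/**
 * Walk backwards from the esc_attr() call to the token that opens the
 * statement. Returns the token name for T_ECHO / T_OPEN_TAG_WITH_ECHO,
 * or null if the statement is not opened by either (hypothetical helper).
 */
function statementOpener(string $php): ?string
{
    $tokens = token_get_all($php);

    // Locate the esc_attr() call we want to classify.
    $call = null;
    foreach ($tokens as $i => $t) {
        if (is_array($t) && $t[0] === T_STRING && $t[1] === 'esc_attr') {
            $call = $i;
            break;
        }
    }
    if ($call === null) {
        return null;
    }

    // Walk back until we hit a statement opener or a statement boundary.
    for ($i = $call - 1; $i >= 0; $i--) {
        $t = $tokens[$i];

        // Single-character tokens are plain strings; ';' '{' '}' end a statement.
        if (!is_array($t)) {
            if ($t === ';' || $t === '{' || $t === '}') {
                return null;
            }
            continue;
        }

        // Both the echo keyword and the short echo tag open an output statement.
        if ($t[0] === T_ECHO || $t[0] === T_OPEN_TAG_WITH_ECHO) {
            return token_name($t[0]);
        }

        // A long open tag or inline HTML means no echo opener for this statement.
        if ($t[0] === T_OPEN_TAG || $t[0] === T_INLINE_HTML) {
            return null;
        }
    }

    return null;
}

// Constructed inputs: the three cases from the issue plus the plain-echo form.
$samples = [
    "<?= '<h2>' , esc_attr( \$test ) , '</h2>';",
    "<h1>TEST</h1> <?= '<h2>' , esc_attr( \$test ) , '</h2>';",
    "<?php echo '<h2>' , esc_attr( \$test ) , '</h2>';",
];

foreach ($samples as $src) {
    printf("%-60s => %s\n", $src, statementOpener($src) ?? 'none');
}
```

The point of the backward walk is that the inline HTML sits before the `<?=` token rather than between it and the `esc_attr()` call, so a walk that starts at the call and stops at the first `T_ECHO` or `T_OPEN_TAG_WITH_ECHO` classifies the second snippet the same way as the first, which is the behaviour the sniff's `T_ECHO`-only check misses.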
