Security/Mustache: prevent false positives on block editor templates

As reported in 541#issuecomment-1692323177. This commit fixes the issue + adds a test to safeguard the fix.
Automattic · Aug 26, 2023 · 22e31f7 · 22e31f7
1 parent 92a8c82
commit 22e31f7
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/WordPressVIPMinimum/Sniffs/Security/MustacheSniff.php b/WordPressVIPMinimum/Sniffs/Security/MustacheSniff.php
@@ -45,7 +45,7 @@ public function register() {
 	 */
 	public function process_token( $stackPtr ) {
 
-		if ( strpos( $this->tokens[ $stackPtr ]['content'], '{{{' ) !== false || strpos( $this->tokens[ $stackPtr ]['content'], '}}}' ) !== false ) {
+		if ( strpos( $this->tokens[ $stackPtr ]['content'], '{{{' ) !== false && strpos( $this->tokens[ $stackPtr ]['content'], '}}}' ) !== false ) {
 			// Mustache unescaped output notation.
 			$message = 'Found Mustache unescaped output notation: "{{{}}}".';
 			$this->phpcsFile->addWarning( $message, $stackPtr, 'OutputNotation' );

diff --git a/WordPressVIPMinimum/Tests/Security/MustacheUnitTest.inc b/WordPressVIPMinimum/Tests/Security/MustacheUnitTest.inc
@@ -17,4 +17,7 @@ echo '<a href="{{href}}">{{&data}}</div></a>'; // NOK: data.
 
 		return new Handlebars.SafeString(result); // NOK: SafeString.
 	});
-</script>
+</script>
+
+// Issue 541#issuecomment-1692323177: don't flag GB syntax.
+<div class="wp-block-group"><!-- wp:heading {"textAlign":"center","style":{"spacing":{"margin":{"top":"0","right":"0","bottom":"var:preset|spacing|medium","left":"0"}}}} --><!-- OK. -->