diff --git a/WordPress/Helpers/UnslashingFunctionsHelper.php b/WordPress/Helpers/UnslashingFunctionsHelper.php
new file mode 100644
index 0000000000..0ff0a2beaa
--- /dev/null
+++ b/WordPress/Helpers/UnslashingFunctionsHelper.php
@@ -0,0 +1,59 @@
+
+ */
+ private static $unslashingFunctions = array(
+ 'stripslashes_deep' => true,
+ 'stripslashes_from_strings_only' => true,
+ 'wp_unslash' => true,
+ );
+
+ /**
+ * Retrieve a list of the unslashing functions.
+ *
+ * @since 3.0.0
+ *
+ * @return array
+ */
+ public static function get_unslashing_functions() {
+ return self::$unslashingFunctions;
+ }
+
+ /**
+ * Check if a particular function is regarded as a unslashing function.
+ *
+ * @since 3.0.0
+ *
+ * @param string $functionName The name of the function to check.
+ *
+ * @return bool
+ */
+ public static function is_unslashing_function( $functionName ) {
+ return isset( self::$unslashingFunctions[ $functionName ] );
+ }
+}
diff --git a/WordPress/Sniff.php b/WordPress/Sniff.php
index c1ba74c385..4c5188a9ce 100644
--- a/WordPress/Sniff.php
+++ b/WordPress/Sniff.php
@@ -17,6 +17,7 @@
 use WordPressCS\WordPress\Helpers\ArrayWalkingFunctionsHelper;
 use WordPressCS\WordPress\Helpers\ContextHelper;
 use WordPressCS\WordPress\Helpers\SanitizingFunctionsTrait;
+use WordPressCS\WordPress\Helpers\UnslashingFunctionsHelper;
 use WordPressCS\WordPress\Helpers\VariableHelper;
 
 /**
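Review bot: `is_unslashing_function()` looks `$functionName` up case-sensitively against lowercase keys, while PHP function names are case-insensitive, so a call written as `WP_Unslash( ... )` would not be recognised as unslashing; since this helper is now the single point of truth, normalise inside it, `return isset( self::$unslashingFunctions[ strtolower( $functionName ) ] );`. The same lookup feeds the `is_unslashing_function( $functionName )` call in the `@@ -224,12 +201,12 @@` hunk of Sniff.php, where `$functionName` is taken straight from the token content without lowercasing. Whether `ContextHelper::is_in_function_call()` already matches case-insensitively cannot be seen here; if it does, the mismatch would make the sniff locate the unslashing call but then not treat the variable as unslashed. The `@return array` on `get_unslashing_functions()` could also be narrowed to `@return array<string, bool>` to document the `name => true` lookup-table shape. The start of this new file (header, namespace and class docblock) is not legible in this view of the hunk.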
@@ -26,35 +27,11 @@
 *
 * @package WPCS\WordPressCodingStandards
 * @since 0.4.0
- *
- * {@internal This class contains numerous properties where the array format looks
- * like `'string' => true`, i.e. the array item is set as the array key.
- * This allows for sniffs to verify whether something is in one of these
- * lists using `isset()` rather than `in_array()` which is a much more
- * efficient (faster) check to execute and therefore improves the
- * performance of the sniffs.
- * The `true` value in those cases is used as a placeholder and has no
- * meaning in and of itself.
- * In the rare few cases where the array values *do* have meaning, this
- * is documented in the property documentation.}}
 */
 abstract class Sniff implements PHPCS_Sniff {
 
 use SanitizingFunctionsTrait;
 
- /**
- * Functions which unslash the data passed to them.
- *
- * @since 2.1.0
- *
- * @var array
- */
- protected $unslashingFunctions = array(
- 'stripslashes_deep' => true,
- 'stripslashes_from_strings_only' => true,
- 'wp_unslash' => true,
- );
-
 /**
 * A list of superglobals that incorporate user input.
 *
@@ -207,7 +184,7 @@ protected function is_sanitized( $stackPtr, $require_unslash = false ) {
 $valid_functions = $this->get_sanitizing_functions();
 $valid_functions += $this->get_sanitizing_and_unslashing_functions();
- $valid_functions += $this->unslashingFunctions;
+ $valid_functions += UnslashingFunctionsHelper::get_unslashing_functions();
 $valid_functions += ArrayWalkingFunctionsHelper::get_array_walking_functions();
 
 $functionPtr = ContextHelper::is_in_function_call( $this->phpcsFile, $stackPtr, $valid_functions );
 
@@ -224,12 +201,12 @@ protected function is_sanitized( $stackPtr, $require_unslash = false ) {
 $functionName = $this->tokens[ $functionPtr ]['content'];
 
 // Check if an unslashing function is being used.
- if ( isset( $this->unslashingFunctions[ $functionName ] ) ) {
+ if ( UnslashingFunctionsHelper::is_unslashing_function( $functionName ) ) {
 $is_unslashed = true;
 
 // Remove the unslashing functions.
- $valid_functions = array_diff_key( $valid_functions, $this->unslashingFunctions );
+ $valid_functions = array_diff_key( $valid_functions, UnslashingFunctionsHelper::get_unslashing_functions() );
 
 // Check is any of the remaining (sanitizing) functions is used.
 $higherFunctionPtr = ContextHelper::is_in_function_call( $this->phpcsFile, $functionPtr, $valid_functions );
 
diff --git a/WordPress/Sniffs/Security/NonceVerificationSniff.php b/WordPress/Sniffs/Security/NonceVerificationSniff.php
index dc511758a7..90b7529ffd 100644
--- a/WordPress/Sniffs/Security/NonceVerificationSniff.php
+++ b/WordPress/Sniffs/Security/NonceVerificationSniff.php
@@ -13,6 +13,7 @@
 use PHPCSUtils\Utils\MessageHelper;
 use WordPressCS\WordPress\Helpers\ContextHelper;
 use WordPressCS\WordPress\Helpers\RulesetPropertyHelper;
+use WordPressCS\WordPress\Helpers\UnslashingFunctionsHelper;
 use WordPressCS\WordPress\Helpers\VariableHelper;
 use WordPressCS\WordPress\Sniff;
 
@@ -184,7 +185,7 @@ private function has_nonce_check( $stackPtr ) {
 || ContextHelper::is_in_type_test( $this->phpcsFile, $stackPtr )
 || VariableHelper::is_comparison( $this->phpcsFile, $stackPtr )
 || ContextHelper::is_in_array_comparison( $this->phpcsFile, $stackPtr )
- || ContextHelper::is_in_function_call( $this->phpcsFile, $stackPtr, $this->unslashingFunctions ) !== false
+ || ContextHelper::is_in_function_call( $this->phpcsFile, $stackPtr, UnslashingFunctionsHelper::get_unslashing_functions() ) !== false
 || $this->is_only_sanitized( $stackPtr )
 ) {
 $allow_nonce_after = true;
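Review bot: The replaced `||` clause in `has_nonce_check()` now embeds a static method call inside an already long condition chain, pushing that line well past the width of its sibling clauses; hoisting the lookup table to a local before the `if`, `$unslashing = UnslashingFunctionsHelper::get_unslashing_functions();`, and writing the clause as `|| ContextHelper::is_in_function_call( $this->phpcsFile, $stackPtr, $unslashing ) !== false` keeps it readable next to the other checks. The condition starts before this hunk, so the `if (` line and the earlier clauses are not visible here.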
diff --git a/WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.php b/WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.php
index 1844d56279..5032fa416b 100644
--- a/WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.php
+++ b/WordPress/Tests/Security/ValidatedSanitizedInputUnitTest.php
@@ -22,6 +22,7 @@
 *
 * @covers \WordPressCS\WordPress\Helpers\ArrayWalkingFunctionsHelper
 * @covers \WordPressCS\WordPress\Helpers\SanitizingFunctionsTrait
+ * @covers \WordPressCS\WordPress\Helpers\UnslashingFunctionsHelper
 * @covers \WordPressCS\WordPress\Helpers\VariableHelper
 * @covers \WordPressCS\WordPress\Sniffs\Security\ValidatedSanitizedInputSniff
 */