VIP-Coding-Standards
Consider wpcom_vip_get_resized_remote_image_url() as auto-escaping if fourth argument is truthy
Bug Description
The VIP Go standard uses WordPress.Security.EscapeOutput.OutputNotEscaped but doesn't recognize that the deprecated wpcom_vip_get_resized_remote_image_url() function auto-escapes if its fourth argument is true (the default).
Since it's conditional, we can't just add an entry for it to $customAutoEscapedFunctions in the VIP Go ruleset (see here) as otherwise it wouldn't get flagged if the fourth argument was not truthy.
Minimal Code Snippet
```php
<!-- Should not be flagged: fourth argument omitted, so it defaults to true and the URL is escaped. -->
<img src="<?php echo wpcom_vip_get_resized_remote_image_url( $item->image_url, 360, 270 ); ?>" alt="<?php echo esc_attr( $item->name ); ?>">

<!-- Should be flagged: fourth argument explicitly false, so the URL is returned unescaped. -->
<img src="<?php echo wpcom_vip_get_resized_remote_image_url( $item->image_url, 360, 270, false ); ?>" alt="<?php echo esc_attr( $item->name ); ?>">
```
Tested Against master branch?
- [x] I have verified the issue still exists in the `master` branch of VIPCS.
- [x] I have verified the issue still exists in the `develop` branch of VIPCS.
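The decision a sniff would have to make here, as an added example that is not VIPCS code and not from the issue author: it uses PHP's own tokenizer rather than PHP_CodeSniffer's API, assumes (as the issue states) that the fourth parameter of wpcom_vip_get_resized_remote_image_url() is optional and defaults to true, and treats a call as auto-escaped only when that argument is omitted or a truthy literal. The template it scans is constructed for the demo: the two lines from the issue plus a third with a non-literal fourth argument, which cannot be proven safe statically.

```php
<?php
declare(strict_types=1);

// Added example, not code from VIPCS or from the issue. token_get_all() is used
// to show what a conditional auto-escape check looks like for
// wpcom_vip_get_resized_remote_image_url(): omitted or truthy-literal fourth
// argument means escaped; an explicit falsy literal means unescaped; anything
// else is unknown and is flagged, which is the existing (unconditional) behaviour.

const TARGET_FUNCTION = 'wpcom_vip_get_resized_remote_image_url';

/** Token text regardless of whether token_get_all() produced an array or a string. */
function tok_text($t): string { return is_array($t) ? $t[1] : $t; }

/** Index of the next ($step = 1) or previous ($step = -1) non-whitespace token, or null. */
function skip_ws(array $tokens, int $i, int $step): ?int {
    $n = count($tokens);
    for ($i += $step; $i >= 0 && $i < $n; $i += $step) {
        if (!(is_array($tokens[$i]) && $tokens[$i][0] === T_WHITESPACE)) { return $i; }
    }
    return null;
}

/** Split the top-level arguments (whitespace dropped) of the call whose '(' sits at $open. */
function split_call_args(array $tokens, int $open): array {
    $args = []; $current = []; $depth = 0; $n = count($tokens);
    for ($i = $open + 1; $i < $n; $i++) {
        $t = $tokens[$i]; $text = tok_text($t);
        if (in_array($text, ['(', '[', '{'], true)) {
            $depth++;
        } elseif (in_array($text, [')', ']', '}'], true)) {
            if ($depth === 0) { if ($current !== []) { $args[] = $current; } return $args; }
            $depth--;
        } elseif ($text === ',' && $depth === 0) {
            $args[] = $current; $current = []; continue;
        }
        if (!(is_array($t) && $t[0] === T_WHITESPACE)) { $current[] = $t; }
    }
    return $args;
}

/** 'escaped', 'unescaped' or 'unknown', judged from the fourth argument alone. */
function classify_escape_arg(array $args): string {
    if (count($args) < 4) { return 'escaped'; }        // argument omitted: default true (assumption from the issue)
    if (count($args[3]) !== 1) { return 'unknown'; }    // an expression: cannot be decided statically
    $t = $args[3][0];
    if (!is_array($t)) { return 'unknown'; }
    $text = strtolower($t[1]);
    switch ($t[0]) {
        case T_STRING:                                  // true/false/null tokenize as T_STRING
            if ($text === 'true') { return 'escaped'; }
            if ($text === 'false' || $text === 'null') { return 'unescaped'; }
            return 'unknown';                           // some other constant we cannot resolve
        case T_LNUMBER:
        case T_DNUMBER:
            return ((float) $text) == 0.0 ? 'unescaped' : 'escaped';
        case T_CONSTANT_ENCAPSED_STRING:                // '' and '0' are the falsy strings
            $inner = substr($t[1], 1, -1);
            return ($inner === '' || $inner === '0') ? 'unescaped' : 'escaped';
        default:
            return 'unknown';                           // variables, casts, etc.
    }
}

/** One row per call to the target function: line, verdict, and whether a sniff should flag it. */
function audit_template(string $php): array {
    $tokens = token_get_all($php);
    $report = [];
    foreach ($tokens as $i => $t) {
        if (!is_array($t) || $t[0] !== T_STRING || strtolower($t[1]) !== TARGET_FUNCTION) { continue; }
        $next = skip_ws($tokens, $i, 1);
        if ($next === null || tok_text($tokens[$next]) !== '(') { continue; }   // a bare name, not a call
        $prev = skip_ws($tokens, $i, -1);
        if ($prev !== null && is_array($tokens[$prev])
            && in_array($tokens[$prev][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;                                   // method call or a function declaration
        }
        $verdict = classify_escape_arg(split_call_args($tokens, $next));
        $report[] = ['line' => $t[2], 'verdict' => $verdict, 'flag' => $verdict !== 'escaped'];
    }
    return $report;
}

// Constructed template: the issue's two lines plus a call whose fourth argument is a variable.
$template = <<<'TPL'
<img src="<?php echo wpcom_vip_get_resized_remote_image_url( $item->image_url, 360, 270 ); ?>">
<img src="<?php echo wpcom_vip_get_resized_remote_image_url( $item->image_url, 360, 270, false ); ?>">
<img src="<?php echo wpcom_vip_get_resized_remote_image_url( $item->image_url, 360, 270, $escape ); ?>">
TPL;

foreach (audit_template($template) as $row) {
    printf("line %d: %-9s %s\n", $row['line'], $row['verdict'], $row['flag'] ? 'FLAG' : 'ok');
}
```

The first line is reported as escaped and not flagged, the second as unescaped and flagged; the third, with a non-literal fourth argument, is flagged as unknown. That last choice is deliberate: a sniff that cannot prove the escape argument is truthy should keep the false positive rather than silently accept an unescaped URL in a `src` attribute.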