WordPress-Coding-Standards
Treat `ceil()`, `floor()`, and `round()` as safe for output
Is your feature request related to a problem?
When outputting a numeric value as an integer, the absint() and intval() functions are treated as safe for output by WPCS. The same is not true for ceil(), floor(), and round().
Describe the solution you'd like
The ceil(), floor(), and round() functions should be added to the Sniff::$escapingFunctions property.
It would make sense to extend it to all functions that return int or float, since that is always safe for output.
EDIT: Since the PR https://github.com/WordPress/WordPress-Coding-Standards/pull/2082 got stuck due to missing maintainer feedback after the initial review, I closed it. I just added it to my XML now with a couple of additional functions.
Here's how I did it, by just grepping the native types from psalm:
grep -Poh '(?<=^'\'')\w+(?='\'' => \['\''(?>\??(?>(?>positive-)?int(?><(?>min|-?\d+), ?(?>max|-?\d+)>)?|float|\d+|numeric(?>-string)?|bool|false|true|null)\|)*(?>\??(?>(?>positive-)?int(?><(?>min|-?\d+), ?(?>max|-?\d+)>)?|float|\d+|numeric(?>-string)?)[|'\''])+(?>\??(?>(?>positive-)?int(?><(?>min|-?\d+), ?(?>max|-?\d+)>)?|float|\d+|numeric(?>-string)?|bool|false|true|null)[|'\''])*[,\]])' vendor/vimeo/psalm/dictionaries/CallMap.php | grep -vE '^(echo|v?f?printf?|trigger_error|exit|die|ps_\w+)$' | sed 's/^/<element value="/' | sed 's#$#"/>#'
Functions (excluding all methods) that return:
- int
- positive-int
- int<-100, -20>
- int<min, max>
- float
- literal ints like 0|5
- numeric
- numeric-string
- ?int (nullable of any of the above)
and their union return type may additionally contain any of bool, false, true, null.
If you want to get only functions that have at least 1 parameter, change [,\]] at the end to , (e.g. in case you want to separate customAutoEscaped and customEscapingFunctions).
Additionally, all printing and exit functions are excluded.
The elements are formatted so you can just copy and paste them into your .xml under customEscapingFunctions (since there's no difference between those and auto-escaped functions anyway, see https://github.com/WordPress/WordPress-Coding-Standards/issues/2411).
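As an added illustration of the filtering rule the grep above encodes (this is not the issue author's script and not part of WPCS or psalm), here is a Python reimplementation run over a constructed handful of CallMap-style entries. It makes the rejection case explicit: a union such as int|string|false is not treated as safe, because the string member can carry any characters and still needs escaping.

```python
import re

# Constructed sample in the shape of psalm's dictionaries/CallMap.php entries
# (not the real file): 'name' => ['<return type>', '<param>' => '<type>', ...],
SAMPLE_CALLMAP = """
'abs' => ['int|float', 'num'=>'int|float'],
'round' => ['float', 'num'=>'int|float', 'precision='=>'int', 'mode='=>'int'],
'strpos' => ['int<0, max>|false', 'haystack'=>'string', 'needle'=>'string'],
'strlen' => ['0|positive-int', 'string'=>'string'],
'mt_getrandmax' => ['int'],
'printf' => ['int<0, max>', 'format'=>'string', '...values='=>'string|int|float'],
'is_numeric' => ['bool', 'value'=>'mixed'],
'array_search' => ['int|string|false', 'needle'=>'mixed', 'haystack'=>'array'],
'getenv' => ['string|false', 'name'=>'string', 'local_only='=>'bool'],
'ArrayObject::count' => ['int'],
"""

ENTRY = re.compile(r"^'(?P<name>[^']+)' => \['(?P<ret>[^']*)'(?P<next>[,\]])")
# One union member that can only ever be an int/float (same shapes the grep above accepts).
NUMERIC = re.compile(
    r"^\??(?:(?:positive-)?int(?:<(?:min|-?\d+), ?(?:max|-?\d+)>)?"
    r"|float|\d+|numeric(?:-string)?)$"
)
HARMLESS_EXTRAS = {"bool", "false", "true", "null"}  # may join the union, never unsafe
PRINT_OR_EXIT = re.compile(r"^(?:echo|v?f?printf?|trigger_error|exit|die|ps_\w+)$")


def returns_only_numeric(return_type: str) -> bool:
    """Every union member numeric or a harmless extra, and at least one numeric.
    'int|string|false' must fail: a string member can carry any characters."""
    members = return_type.split("|")
    numeric = sum(1 for m in members if NUMERIC.match(m))
    extras = sum(1 for m in members if m in HARMLESS_EXTRAS)
    return numeric > 0 and numeric + extras == len(members)


def escaping_elements(callmap: str, require_params: bool = False) -> list:
    """Emit <element value="..."/> lines for WPCS customEscapingFunctions."""
    out = []
    for line in callmap.splitlines():
        m = ENTRY.match(line.strip())
        if not m or "::" in m["name"] or PRINT_OR_EXIT.match(m["name"]):
            continue  # skip non-entries, class methods, and printing/exit functions
        if require_params and m["next"] != ",":
            continue  # ']' right after the return type means zero parameters
        if returns_only_numeric(m["ret"]):
            out.append('<element value="%s"/>' % m["name"])
    return out
```

Calling escaping_elements(SAMPLE_CALLMAP) yields elements for abs, round, strpos, strlen and mt_getrandmax only; passing require_params=True additionally drops the parameterless mt_getrandmax, which is the effect of the [,\]] to , change described above.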