XSS: Differentiate between functions and variables.
Split off from #744
With the following example we can be 100% sure that it is a correct error because it is a known WordPress function.
Expected next thing to be an escaping function (see Codex for 'Data Validation'), not 'home_url' (WordPress.XSS.EscapeOutput.OutputNotEscaped)
Another example would be the i18n functions. In WordPress core they are not being escaped. If we wanted to run WPCS on WordPress we would need to disable this sniff.
Expected next thing to be an escaping function (see Codex for 'Data Validation'), not '__' (WordPress.XSS.EscapeOutput.OutputNotEscaped)
This would be useful for the Theme Review Team. At the moment we have changed the notice from Error to Warning because there are too many false positives. There are a few results that we can completely trust and it would help to make those an error.
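The three situations the discussion contrasts, written out as an added example (this is not code from the issue or from WPCS itself): the core function whose return value needs escaping, the i18n function that core echoes unescaped, and the arbitrary variable the sniff cannot reason about. It assumes the standard WordPress functions home_url(), __(), esc_url(), esc_html__(), esc_html() and get_option() are loaded; the option name `my_theme_tagline` and text domain `my-theme` are placeholders.

```php
<?php
// Added example, not from the issue or WPCS. Assumes the WordPress core
// functions named below are available; 'my-theme' and 'my_theme_tagline'
// are placeholder values.

// Case 1: a known core function. home_url() returns a URL that is not
// escaped for the attribute it lands in, so this is a genuine finding.
// Reported as: WordPress.XSS.EscapeOutput.OutputNotEscaped
echo '<a href="' . home_url( '/' ) . '">Home</a>';

// Escaped for the URL/attribute context. The finding goes away.
echo '<a href="' . esc_url( home_url( '/' ) ) . '">Home</a>';

// Case 2: a translation function. Core itself echoes __() unescaped, but a
// theme or plugin cannot vouch for the contents of a third-party
// translation file, so the sniff still wants an escaping variant.
// Reported as: WordPress.XSS.EscapeOutput.OutputNotEscaped
echo '<h1>' . __( 'Welcome', 'my-theme' ) . '</h1>';

// Combined translate-and-escape function for HTML context.
echo '<h1>' . esc_html__( 'Welcome', 'my-theme' ) . '</h1>';

// Case 3: an arbitrary variable. Static analysis cannot know what $foo
// holds (here it comes from the options table, so it could be anything),
// which is why the issue asks for this case to be reported differently
// from cases 1 and 2. The safe form escapes for the output context.
$foo = get_option( 'my_theme_tagline' );
echo '<p>' . esc_html( $foo ) . '</p>';
```

Running `phpcs --standard=WordPress` over a file like this reports the unescaped `home_url()` and `__()` calls; the escaped lines are not reported, which is the distinction the issue wants reflected in the error codes.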
Just because a function is in WP core, doesn't mean it is safe to use unescaped.
Sorry, you misunderstood. If the function is in WordPress then we know if it needs to be escaped or not. So we know for sure that home_url() needs to be escaped but we do not have the same certainty for variable $foo because that could be anything.
Adding differentiation based on what was found to the error codes now would be a breaking change and I'm not sure how much value it would add. Marking this as a candidate for closing.