
Add semicolon as statement separator in the special annotation check of the `Magento2.Security.XssTemplate` sniff

Open aadmathijssen opened this issue 2 years ago • 0 comments

This PR improves special annotation detection of the Magento2.Security.XssTemplate sniff by adding T_SEMICOLON as a statement separator. This resolves the issue that violations in a statement might be ignored by a special annotation in a previous/subsequent statement.

For example, consider the following file:

<?php
    /* @noEscape */ echo $foo;
    echo $bar;
?>
<?=
    $baz;
    /* @noEscape */ echo $qux;
?>

This does not report any violations of the Magento2.Security.XssTemplate sniff.

However, the statements involving $bar and $baz should report a FoundUnescaped violation.

This PR makes sure this is done, such that the following is reported:

FILE: /path/to/file.phtml
-----------------------------------------------------------------------------------------
FOUND 0 ERRORS AND 2 WARNINGS AFFECTING 2 LINES
-----------------------------------------------------------------------------------------
 3 | WARNING | Unescaped output detected.
   |         | (Magento2.Security.XssTemplate.FoundUnescaped)
 6 | WARNING | Unescaped output detected.
   |         | (Magento2.Security.XssTemplate.FoundUnescaped)
-----------------------------------------------------------------------------------------

aadmathijssen · Mar 04 '22 19:03
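To make the scoping rule behind this change concrete, here is an added PHP example; it is not the sniff's own code (the real `Magento2.Security.XssTemplate` sniff is more elaborate) and it is not from the PR author. It walks the tokens of a template with PHP's built-in `token_get_all()` and clears the "annotation seen" flag at every statement boundary. The `$semicolonSeparates` switch, the `findUnescapedOutput()` function name, the restriction to `@noEscape` as the only annotation and to `echo` / `<?=` as the only output constructs are all assumptions made for the illustration. One caveat worth knowing: `token_get_all()` returns `;` as a bare one-character string; it is PHP_CodeSniffer's tokenizer that gives it the name `T_SEMICOLON` used in the PR title.

```php
<?php
// Added example, not the Magento2.Security.XssTemplate sniff's own code.
// It models the one rule the PR is about: a special annotation such as
// "@noEscape" only covers the statement it appears in, so the annotation
// flag must be cleared at every statement boundary.
//
// Assumptions: only "@noEscape" counts as an annotation, only `echo` and
// `<?=` count as output, and a boundary is an open tag, a close tag and
// (when $semicolonSeparates is true) a ';'. token_get_all() returns ';'
// as a bare one-character string; PHP_CodeSniffer's tokenizer is what
// names it T_SEMICOLON.

/**
 * Return the line numbers of output statements that carry no @noEscape
 * annotation inside their own statement.
 *
 * @param string $source             Template source including PHP tags.
 * @param bool   $semicolonSeparates true: ';' ends the annotation scope
 *                                   (the behaviour this PR introduces);
 *                                   false: only PHP tags do (old behaviour).
 * @return int[]
 */
function findUnescapedOutput(string $source, bool $semicolonSeparates): array
{
    $violations    = [];
    $annotated     = false; // @noEscape seen in the current statement
    $outputLine    = null;  // line of the expression being output, if any
    $pendingOutput = false; // just saw `echo` / `<?=`, expression follows
    $lastLine      = 1;     // bare string tokens carry no line number

    // Called at every statement boundary: record a violation for an
    // unannotated output statement, then reset the per-statement state.
    $flush = function () use (&$violations, &$annotated, &$outputLine, &$pendingOutput) {
        if ($outputLine !== null && !$annotated) {
            $violations[] = $outputLine;
        }
        $annotated     = false;
        $outputLine    = null;
        $pendingOutput = false;
    };

    foreach (token_get_all($source) as $token) {
        if (is_array($token)) {
            [$id, $text, $line] = $token;
            $lastLine = $line;
        } else {
            $id   = null;       // punctuation such as ';' or '('
            $text = $token;
            $line = $lastLine;
        }

        if ($id === T_OPEN_TAG || $id === T_CLOSE_TAG
            || ($text === ';' && $semicolonSeparates)) {
            $flush();
            continue;
        }
        if ($id === T_COMMENT || $id === T_DOC_COMMENT) {
            if (preg_match('/@noEscape\b/', $text)) {
                $annotated = true;
            }
            continue;
        }
        if ($id === T_WHITESPACE) {
            continue;
        }
        if ($id === T_ECHO || $id === T_OPEN_TAG_WITH_ECHO) {
            $pendingOutput = true;
            continue;
        }
        if ($pendingOutput) {
            // First token of the echoed expression: this is the line the
            // warning is attributed to ("$baz" on line 6 in the example).
            if ($outputLine === null) {
                $outputLine = $line;
            }
            $pendingOutput = false;
        }
    }
    $flush(); // end of file closes the last statement

    return $violations;
}

// Constructed input: the template from the PR description.
$template = <<<'PHTML'
<?php
    /* @noEscape */ echo $foo;
    echo $bar;
?>
<?=
    $baz;
    /* @noEscape */ echo $qux;
?>
PHTML;

var_export(findUnescapedOutput($template, false)); // old behaviour
echo PHP_EOL;
var_export(findUnescapedOutput($template, true));  // with ';' as separator
echo PHP_EOL;
```

Run with `php` on the command line, the first call (tags as the only separators) returns an empty array, which is why the `@noEscape` on `$foo` silently covered `$bar` and the one on `$qux` covered `$baz`; the second call returns `[3, 6]`, the same two lines as the phpcs output above. The line attribution follows what the PR output shows: the warning is attached to the first token of the echoed expression, so the `<?=` on line 5 is reported at `$baz` on line 6.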