Security/Mustache: prevent false positive on partial text

jrfnl · jrfnl · commit 0aebe1fbc697 · 2025-07-17T02:50:24.000+02:00
Includes test.
diff --git a/WordPressVIPMinimum/Sniffs/Security/MustacheSniff.php b/WordPressVIPMinimum/Sniffs/Security/MustacheSniff.php
@@ -71,7 +71,7 @@ public function process_token( $stackPtr ) {
 			}
 		}
 
-		if ( strpos( $this->tokens[ $stackPtr ]['content'], 'SafeString' ) !== false ) {
+		if ( strpos( $this->tokens[ $stackPtr ]['content'], '.SafeString' ) !== false ) {
 			// Handlebars.js Handlebars.SafeString does not get escaped.
 			$message = 'Found Handlebars.SafeString call which does not get escaped.';
 			$this->phpcsFile->addWarning( $message, $stackPtr, 'SafeString' );
diff --git a/WordPressVIPMinimum/Tests/Security/MustacheUnitTest.inc b/WordPressVIPMinimum/Tests/Security/MustacheUnitTest.inc
@@ -49,3 +49,6 @@ $m = '%>=}} {{=<%'; // Incorrect order, not a delimiter change.
 
 // Correctly recognize mid-line delimiter change.
 $m = '{{default_tags}} {{=<% %>=}} <% erb_style_tags %> <%={{ }}=%> {{ default_tags_again }}'; // NOK: delimiter change.
+
+// Prevent false positives on SafeString being a partial name.
+echo 'MySafeString';

Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ public function process_token( $stackPtr ) {`
`71`	`71`	`}`
`72`	`72`	`}`
`73`	`73`
`74`		`- if ( strpos( $this->tokens[ $stackPtr ]['content'], 'SafeString' ) !== false ) {`
	`74`	`+ if ( strpos( $this->tokens[ $stackPtr ]['content'], '.SafeString' ) !== false ) {`
`75`	`75`	`// Handlebars.js Handlebars.SafeString does not get escaped.`
`76`	`76`	`$message = 'Found Handlebars.SafeString call which does not get escaped.';`
`77`	`77`	`$this->phpcsFile->addWarning( $message, $stackPtr, 'SafeString' );`