Skip to content

Commit aa915a4

Browse files
committed
Security/Mustache: prevent false positive on partial text
Includes test.
1 parent efe8ce6 commit aa915a4

2 files changed

Lines changed: 4 additions & 1 deletion

File tree

WordPressVIPMinimum/Sniffs/Security/MustacheSniff.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -72,7 +72,7 @@ public function process_token( $stackPtr ) {
7272
}
7373
}
7474

75-
if ( strpos( $this->tokens[ $stackPtr ]['content'], 'SafeString' ) !== false ) {
75+
if ( strpos( $this->tokens[ $stackPtr ]['content'], '.SafeString' ) !== false ) {
7676
// Handlebars.js Handlebars.SafeString does not get escaped.
7777
$message = 'Found Handlebars.SafeString call which does not get escaped.';
7878
$this->phpcsFile->addWarning( $message, $stackPtr, 'SafeString' );

WordPressVIPMinimum/Tests/Security/MustacheUnitTest.inc

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -47,3 +47,6 @@ $m = '%>=}} {{=<%'; // Incorrect order, not a delimiter change.
4747

4848
// Correctly recognize mid-line delimiter change.
4949
$m = '{{default_tags}} {{=<% %>=}} <% erb_style_tags %> <%={{ }}=%> {{ default_tags_again }}'; // NOK: delimiter change.
50+
51+
// Prevent false positives on SafeString being a partial name.
52+
echo 'MySafeString';

0 commit comments

Comments
 (0)