Merge pull request #841 from Automattic/feature/security-twig-sniff-improvements

Author: GaryJones

WordPressVIPMinimum/Sniffs/Security/TwigSniff.php

@@ -8,6 +8,8 @@
 
 namespace WordPressVIPMinimum\Sniffs\Security;
 
+use PHP_CodeSniffer\Util\Tokens;
+use PHPCSUtils\Utils\TextStrings;
 use WordPressVIPMinimum\Sniffs\Sniff;
 
 /**
@@ -28,11 +30,7 @@ class TwigSniff extends Sniff {
 	 * @return array<int|string>
 	 */
 	public function register() {
-		return [
-			T_CONSTANT_ENCAPSED_STRING,
-			T_INLINE_HTML,
-			T_HEREDOC,
-		];
+		return Tokens::$textStringTokens;
 	}
 
 	/**
@@ -43,14 +41,21 @@ public function register() {
 	 * @return void
 	 */
 	public function process_token( $stackPtr ) {
+		// Strip any potentially interpolated expressions.
+		$only_text = $this->tokens[ $stackPtr ]['content'];
+		if ( $this->tokens[ $stackPtr ]['code'] === T_DOUBLE_QUOTED_STRING
+			|| $this->tokens[ $stackPtr ]['code'] === T_HEREDOC
+		) {
+			$only_text = TextStrings::stripEmbeds( $only_text );
+		}
 
-		if ( preg_match( '/autoescape\s+false/', $this->tokens[ $stackPtr ]['content'] ) === 1 ) {
+		if ( preg_match( '/autoescape\s+false/', $only_text ) === 1 ) {
 			// Twig autoescape disabled.
 			$message = 'Found Twig autoescape disabling notation.';
 			$this->phpcsFile->addWarning( $message, $stackPtr, 'AutoescapeFalse' );
 		}
 
-		if ( preg_match( '/\|\s*raw/', $this->tokens[ $stackPtr ]['content'] ) === 1 ) {
+		if ( preg_match( '/\|\s*raw/', $only_text ) === 1 ) {
 			// Twig default unescape filter.
 			$message = 'Found Twig default unescape filter: "|raw".';
 			$this->phpcsFile->addWarning( $message, $stackPtr, 'RawFound' );

WordPressVIPMinimum/Tests/Security/TwigUnitTest.inc

@@ -9,4 +9,52 @@
 {% autoescape %}
     {{ safe_value|raw }}
 {% endautoescape %}
-</script>
+</script>
+
+<?php
+
+echo '<script>
+{% autoescape false %}
+    Everything will be outputted as is in this block
+{% endautoescape %}
+
+{% autoescape %}
+    {{ safe_value|raw }}
+{% endautoescape %}
+</script>';
+
+echo "<script>
+{% autoescape false %}
+    Everything will be $outputted as is in this {${$object->getBlock( SOME_FLAG | raw )}}
+{% endautoescape %}
+
+{% autoescape %}
+    {{ safe_value|raw }}
+{% endautoescape %}
+</script>
+";
+
+echo <<<'EOD'
+<script>
+{% autoescape false %}
+    Everything will be outputted as is in this block
+{% endautoescape %}
+
+{% autoescape %}
+    {{ safe_value|raw }}
+{% endautoescape %}
+</script>
+EOD;
+
+echo <<<EOD
+<script>
+{% autoescape false %}
+    Everything will be $outputted as is in this {$obj->blocks[SOME_FLAG | raw]->name}
+{% endautoescape %}
+EOD;
+echo <<<"EOD"
+{% autoescape %}
+    {{ safe_value|raw }}
+{% endautoescape %}
+</script>
+EOD;

WordPressVIPMinimum/Tests/Security/TwigUnitTest.php

@@ -34,6 +34,14 @@ public function getWarningList() {
 		return [
 			5  => 1,
 			10 => 1,
+			17 => 1,
+			22 => 1,
+			27 => 1,
+			32 => 1,
+			39 => 1,
+			44 => 1,
+			51 => 1,
+			57 => 1,
 		];
 	}
 }