Security/PHPFilterFunctions: remove redundant strtoupper() calls

jrfnl · jrfnl · commit dafc562563bd · 2025-07-18T15:09:00.000+02:00
The `isset( $this->restricted_filters[ $parameters[3]['raw'] ] )` check on the array is case-sensitive, so if the filter constant name was not in upper case already, it wouldn't be matched anyhow. Also note: the case-sensitivity is correct as constants in PHP are case-sensitive (unless explicitly declared as case-insensitive, which these aren't: https://3v4l.org/vq53U#veol). Includes updating one of the pre-existing tests to document this.
diff --git a/WordPressVIPMinimum/Sniffs/Security/PHPFilterFunctionsSniff.php b/WordPressVIPMinimum/Sniffs/Security/PHPFilterFunctionsSniff.php
@@ -69,7 +69,7 @@ public function process_parameters( $stackPtr, $group_name, $matched_content, $p
 
 			if ( isset( $parameters[3], $this->restricted_filters[ $parameters[3]['raw'] ] ) ) {
 				$message = 'Please use an appropriate filter to sanitize, as "%s" does no filtering, see: http://php.net/manual/en/filter.filters.sanitize.php.';
-				$data    = [ strtoupper( $parameters[3]['raw'] ) ];
+				$data    = [ $parameters[3]['raw'] ];
 				$this->phpcsFile->addWarning( $message, $stackPtr, 'RestrictedFilter', $data );
 			}
 		} else {
@@ -81,7 +81,7 @@ public function process_parameters( $stackPtr, $group_name, $matched_content, $p
 
 			if ( isset( $parameters[2], $this->restricted_filters[ $parameters[2]['raw'] ] ) ) {
 				$message = 'Please use an appropriate filter to sanitize, as "%s" does no filtering, see http://php.net/manual/en/filter.filters.sanitize.php.';
-				$data    = [ strtoupper( $parameters[2]['raw'] ) ];
+				$data    = [ $parameters[2]['raw'] ];
 				$this->phpcsFile->addWarning( $message, $stackPtr, 'RestrictedFilter', $data );
 			}
 		}
diff --git a/WordPressVIPMinimum/Tests/Security/PHPFilterFunctionsUnitTest.inc b/WordPressVIPMinimum/Tests/Security/PHPFilterFunctionsUnitTest.inc
@@ -28,7 +28,7 @@ filter_var( $url, FILTER_SANITIZE_URL );
 \filter_var( 'test', FILTER_SANITIZE_STRING );
 FILTER_INPUT( INPUT_GET, 'foo', FILTER_SANITIZE_STRING, );
 filter_input( INPUT_GET,  "foo"   , FILTER_SANITIZE_STRING );
-filter_input_array( $array, FILTER_SANITIZE_STRING );
+filter_input_array( $array, filter_default ); // Constants are case-sensitive, so this is not the FILTER_DEFAULT constant.
 
 // Ignore as undetermined.
 filter_var(  "test", get_filter() );

Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ public function process_parameters( $stackPtr, $group_name, $matched_content, $p`
`69`	`69`
`70`	`70`	`if ( isset( $parameters[3], $this->restricted_filters[ $parameters[3]['raw'] ] ) ) {`
`71`	`71`	`$message = 'Please use an appropriate filter to sanitize, as "%s" does no filtering, see: http://php.net/manual/en/filter.filters.sanitize.php.';`
`72`		`- $data = [ strtoupper( $parameters[3]['raw'] ) ];`
	`72`	`+ $data = [ $parameters[3]['raw'] ];`
`73`	`73`	`$this->phpcsFile->addWarning( $message, $stackPtr, 'RestrictedFilter', $data );`
`74`	`74`	`}`
`75`	`75`	`} else {`
`@@ -81,7 +81,7 @@ public function process_parameters( $stackPtr, $group_name, $matched_content, $p`
`81`	`81`
`82`	`82`	`if ( isset( $parameters[2], $this->restricted_filters[ $parameters[2]['raw'] ] ) ) {`
`83`	`83`	`$message = 'Please use an appropriate filter to sanitize, as "%s" does no filtering, see http://php.net/manual/en/filter.filters.sanitize.php.';`
`84`		`- $data = [ strtoupper( $parameters[2]['raw'] ) ];`
	`84`	`+ $data = [ $parameters[2]['raw'] ];`
`85`	`85`	`$this->phpcsFile->addWarning( $message, $stackPtr, 'RestrictedFilter', $data );`
`86`	`86`	`}`
`87`	`87`	`}`