Skip to content

Security/EscapeOutput: fix false positive and add tests for namespaced names#2618

Merged
dingo-d merged 4 commits into
WordPress:developfrom
rodrigoprimo:escape-output-namespaced-names-tests
Dec 17, 2025
Merged

Security/EscapeOutput: fix false positive and add tests for namespaced names#2618
dingo-d merged 4 commits into
WordPress:developfrom
rodrigoprimo:escape-output-namespaced-names-tests

Conversation

@rodrigoprimo

@rodrigoprimo rodrigoprimo commented Sep 18, 2025
edited
Loading

Copy link
Copy Markdown
Contributor

Description

In preparation for PHPCS 4.0, which changes the tokenization of namespaced names, this PR adds tests with all variants of namespace names (unqualified, partially qualified, fully qualified, and namespace relative) to the WordPress.Security.EscapeOutput sniff. This is a continuation of #2581, where tests were added for all sniffs extending AbstractFunctionRestrictions except EscapeOutput.

This PR also includes tests to ensure the basename( __FILE__ ) pattern recognition in _deprecated_file() only applies to global basename() function calls, not to other constructs that might look similar (such as namespaced variants or class methods).

Besides that, it fixes in a separate commit a false positive bug that was discovered during the PR review, where the sniff would incorrectly handle FQN and/or non-standard case true passed to get_search_query().

Suggested changelog entry

Fixed:

  • WordPress.Security.EscapeOutput: false positive for get_search_query() when the $escaped parameter was passed as fully qualified true or as true using a non-standard case.

@rodrigoprimo

rodrigoprimo commented Sep 18, 2025
edited
Loading

Copy link
Copy Markdown
Contributor Author

I'm investigating the test that is failing in the PHPCS lowest build.

Fixed and force-pushed. The problem was related to a change in how PHPCS tokenizes FQN exit/die. I added more details in a code comment.

@rodrigoprimo rodrigoprimo force-pushed the escape-output-namespaced-names-tests branch from bcab6ad to 490c471 Compare September 18, 2025 15:59
@rodrigoprimo rodrigoprimo marked this pull request as draft November 11, 2025 16:50
@rodrigoprimo

rodrigoprimo commented Nov 11, 2025

Copy link
Copy Markdown
Contributor Author

Moved to draft pending the review of #2620

@rodrigoprimo rodrigoprimo force-pushed the escape-output-namespaced-names-tests branch from 490c471 to 0d6763d Compare November 14, 2025 14:32
@rodrigoprimo
Security/EscapeOutput: add edge case tests for basename( __FILE__ ) p…
322829b 
…attern

Add tests to ensure the `basename( __FILE__ )` pattern recognition in `_deprecated_file()` only applies to global `basename()` function calls, not to other constructs that might look similar.
@rodrigoprimo rodrigoprimo force-pushed the escape-output-namespaced-names-tests branch from 0d6763d to 322829b Compare November 14, 2025 14:43
@rodrigoprimo rodrigoprimo marked this pull request as ready for review November 24, 2025 16:04
@rodrigoprimo

rodrigoprimo commented Nov 24, 2025

Copy link
Copy Markdown
Contributor Author

@jrfnl, I'm moving this PR back to ready for review.

@rodrigoprimo rodrigoprimo mentioned this pull request Nov 29, 2025
Merged
jrfnl
jrfnl reviewed Dec 9, 2025
View reviewed changes

@jrfnl jrfnl left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rodrigoprimo Very good effort, needs a little more work, but these tests will help a lot!

Comment thread WordPress/Tests/Security/EscapeOutputUnitTest.1.inc Outdated
Comment thread WordPress/Tests/Security/EscapeOutputUnitTest.1.inc
Comment on lines +736 to +741
echo \get_search_query( true ); // Ok.
echo \get_search_query( false ); // Bad.
echo MyNamespace\get_search_query( true ); // Bad.
echo \MyNamespace\get_search_query( true ); // Bad.
echo namespace\get_search_query( true ); // Bad. The sniff should stop flagging this once it can resolve relative namespaces.
echo namespace\Sub\get_search_query( true ); // Bad.

@jrfnl jrfnl Dec 9, 2025

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should there be tests here with FQN true/false and case-variations ? I.e. \TRUE and \False ?

@rodrigoprimo rodrigoprimo Dec 10, 2025

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This uncovered a bug in how the sniff was handling FQN and non-standard case true. I added the tests and the fix in a separate commit from the rest of the changes. I also updated the PR description and title to mention this fix and added a changelog entry.

Comment thread WordPress/Tests/Security/EscapeOutputUnitTest.php Outdated
Comment thread WordPress/Tests/Security/EscapeOutputUnitTest.1.inc
Comment thread WordPress/Tests/Security/EscapeOutputUnitTest.1.inc Outdated
Comment thread WordPress/Tests/Security/EscapeOutputUnitTest.1.inc
@rodrigoprimo rodrigoprimo force-pushed the escape-output-namespaced-names-tests branch from 7190fe2 to d56798e Compare December 9, 2025 17:45
rodrigoprimo and others added 2 commits December 10, 2025 10:57
@rodrigoprimo @jrfnl
Apply changes from code review
6b7601d 
Co-authored-by: Juliette <663378+jrfnl@users.noreply.github.com>
@rodrigoprimo
Security/EscapeOutput: fix false positive for get_search_query() with…
0638f0b 
… FQN/mixed-case true

The sniff was incorrectly flagging `get_search_query()` calls as unsafe when the `$escaped` parameter was passed as fully qualified true or as true using a non-standard case.

The comparison `'true' !== $escaped_param['clean']` failed because the parameter value wasn't normalized. This commit fixes this by stripping any leading backslash and converting to lowercase before comparison.
@rodrigoprimo rodrigoprimo force-pushed the escape-output-namespaced-names-tests branch from fb7cbdd to 0638f0b Compare December 10, 2025 14:07
@rodrigoprimo rodrigoprimo changed the title Security/EscapeOutput: add tests for namespaced names Security/EscapeOutput: fix false positive and add tests for namespaced names Dec 10, 2025
@rodrigoprimo

rodrigoprimo commented Dec 10, 2025

Copy link
Copy Markdown
Contributor Author

Thanks for your review, @jrfnl!

I responded to all of your comments and implemented your suggestions. There is just one item pending for us to discuss regarding the fully qualified tests for functions like \the_permalink(). Please take a look at my remark above (#2618 (comment)).

jrfnl
jrfnl approved these changes Dec 16, 2025
View reviewed changes

@jrfnl jrfnl left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for all your work on this @rodrigoprimo !!!!

@jrfnl jrfnl added this to the 3.3.x milestone Dec 16, 2025
@dingo-d dingo-d merged commit f48a181 into WordPress:develop Dec 17, 2025
31 checks passed
@rodrigoprimo rodrigoprimo deleted the escape-output-namespaced-names-tests branch December 17, 2025 19:07
@jrfnl jrfnl modified the milestones: 3.3.x, 3.4.0 Feb 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jrfnl jrfnl jrfnl approved these changes

@dingo-d dingo-d dingo-d approved these changes

Assignees

No one assigned

Labels

Component: Extra Type: Bug Type: Chores/Cleanup

Projects

None yet

Milestone

3.4.0

Development

Successfully merging this pull request may close these issues.

3 participants

@rodrigoprimo @jrfnl @dingo-d