
Custom sanitizing rules ignored

Open paulschreiber opened this issue 6 years ago • 3 comments

Bug Description

When I run vendor/bin/phpcs class-foo.php, I get this error:

------------------------------------------------------------------------------
FOUND 1 ERROR AFFECTING 1 LINE
------------------------------------------------------------------------------
 11 | ERROR | Detected usage of a non-sanitized input variable: $_POST['foo']
------------------------------------------------------------------------------

I would expect the error to be suppressed because sanitize_promos_array is whitelisted.

Minimal Code Snippet

<?php

class Foo {

	public static function sanitize_promos_array( $input ) {
		// sanitize me
		return $input;
	}

	public static function bar() {
		$taxonomies = isset( $_POST['foo'] ) ? self::sanitize_promos_array( wp_unslash( $_POST['foo'] ) ) : []; // phpcs:ignore WordPress.VIP.SuperGlobalInputUsage.AccessDetected,WordPress.Security.NonceVerification.Missing
	}

}

phpcs.xml:

<?xml version="1.0"?>
<ruleset name="MyRuleSet">
	<rule ref="WordPress-Extra" />
	<rule ref="WordPress.Security.ValidatedSanitizedInput">
		<properties>
			<property name="customSanitizingFunctions" type="array">
				<element value="sanitize_promos_array" />
				<element value="sanitize_announcements_array" />
			</property>
		</properties>
	</rule>
</ruleset>

Environment

| Question | Answer |
| --- | --- |
| PHP version | 7.3.3 |
| PHP_CodeSniffer version | 3.4.2 |
| WPCS version | 2.1.1 |
| WPCS install type | Composer project local |

Additional Context (optional)

This worked fine with WPCS 1.x. The rule was defined like so:

	<rule ref="WordPress.Security.ValidatedSanitizedInput">
		<properties>
			<property name="customSanitizingFunctions" value="sanitize_promos_array,sanitize_announcements_array" type="array" />
		</properties>
	</rule>

paulschreiber avatar Jul 18 '19 17:07 paulschreiber
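The minimal snippet in the report leaves `sanitize_promos_array()` as a stub that returns its input untouched, which is worth keeping in mind when whitelisting it: `customSanitizingFunctions` only tells the sniff to trust the name, it cannot check that the method actually sanitizes. Whether WPCS 2.x accepts a `self::` method in that property is the open question in this thread and the example below does not settle it. As an added example (not code from the issue or from WPCS), here is what a sanitizer with that name could do for an array coming out of `$_POST`; the `function_exists()` fallbacks for `sanitize_text_field()` and `wp_unslash()` are an assumption so the file also runs with plain `php` outside WordPress, and the sample `$_POST` value at the bottom is constructed.

```php
<?php
// Added example: a working body for the sanitize_promos_array() stub from the
// issue. Runs under plain `php`; inside WordPress the real core functions are
// used and the fallbacks below are skipped.

if ( ! function_exists( 'sanitize_text_field' ) ) {
	// Minimal stand-in for WordPress' sanitize_text_field(): strip tags and
	// control characters, collapse surrounding whitespace. Not a full replacement.
	function sanitize_text_field( $str ) {
		$str = strip_tags( (string) $str );
		$str = preg_replace( '/[\x00-\x1F\x7F]/', '', $str );
		return trim( $str );
	}
}

if ( ! function_exists( 'wp_unslash' ) ) {
	// Stand-in for wp_unslash(): recursively remove the slashes WordPress adds to $_POST.
	function wp_unslash( $value ) {
		return is_array( $value ) ? array_map( 'wp_unslash', $value ) : stripslashes( (string) $value );
	}
}

class Foo {

	/**
	 * Sanitize a submitted array of promo values.
	 *
	 * Accepts only an array of scalars. A bare string, a nested array or an
	 * object is dropped rather than passed through, so callers always get the
	 * shape they expect. Keys are sanitized too: $_POST keys are caller-controlled.
	 */
	public static function sanitize_promos_array( $input ) {
		if ( ! is_array( $input ) ) {
			return [];
		}
		$clean = [];
		foreach ( $input as $key => $value ) {
			if ( ! is_scalar( $value ) ) {
				continue; // nested arrays and objects are not promo values
			}
			$clean[ sanitize_text_field( $key ) ] = sanitize_text_field( $value );
		}
		return $clean;
	}

	public static function bar() {
		// Same call shape as the issue: unslash first, then sanitize.
		// Sanitizing the value does not replace the nonce/capability check that
		// the phpcs:ignore in the report silences; that check still belongs here.
		$taxonomies = isset( $_POST['foo'] ) ? self::sanitize_promos_array( wp_unslash( $_POST['foo'] ) ) : [];
		return $taxonomies;
	}
}

// Constructed sample input: a tagged key, a value with a NUL byte, a nested array.
$_POST['foo'] = [
	' <b>summer</b> ' => "sale\x00-10",
	'nested'          => [ 'not', 'allowed' ],
	0                 => '<script>x</script>',
];
var_dump( Foo::bar() );
```

The `is_array()` guard is the part most often missing from array sanitizers: a request can send `foo=string` instead of `foo[]=...`, and code that assumes an array will then iterate over a string or hit a fatal error further down.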

You seem to be sanitizing with self::sanitize_promos_array(), rather than the global sanitize_promos_array(). I'm not sure if there is a way to define non-global sanitizing functions (methods). @jrfnl?

GaryJones avatar Jul 19 '19 23:07 GaryJones

Yes, we are using a class method. This worked with WPCS 1.x.

Also with WPCS 1, putting self::sanitize_promos_array() in the ruleset did not work.

paulschreiber avatar Jul 20 '19 00:07 paulschreiber

@paulschreiber I'm not sure if my issue is related to this, I have the following error.

"Detected usage of a non-sanitized input variable" with $_POST['taxonomoy_ordering_data']

This is an array of numbers that are being sanitized using filter_var_array:

filter_var_array( wp_unslash( $_POST['taxonomy_ordering_data'] ), FILTER_SANITIZE_NUMBER_INT )

freddiemixell avatar Aug 08 '19 15:08 freddiemixell
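Whether the sniff recognises `filter_var_array()` as a sanitizing call is a question for the maintainers; independent of that, it helps to see what the call in the comment above does to its input. As an added example (not code from the comment or from WPCS), the block below runs `filter_var_array()` with `FILTER_SANITIZE_NUMBER_INT` over a constructed sample alongside a validating variant. The key name comes from the comment; the function names and the sample array are assumptions, and `wp_unslash()` is left out so the file runs with plain `php`.

```php
<?php
// Added example: sanitizing versus validating an array of integers from $_POST.
// The input is assumed to be already unslashed.

/**
 * Mirrors the call in the comment. FILTER_SANITIZE_NUMBER_INT rewrites rather
 * than rejects: it removes every character except digits, '+' and '-', so a
 * value like "3.7" or "12abc" still comes back as a (string) number. An element
 * that is itself an array comes back as false, because no array flag is set,
 * and the result is an array of strings, not ints.
 */
function sanitize_ordering_data( $input ) {
	if ( ! is_array( $input ) ) {
		return []; // filter_var_array() requires an array; a bare string must not reach it
	}
	return filter_var_array( $input, FILTER_SANITIZE_NUMBER_INT );
}

/**
 * Stricter variant for ordering data, where every entry is expected to be a
 * non-negative integer: FILTER_VALIDATE_INT returns false for anything that
 * is not a genuine integer in range, and such entries are dropped instead of
 * being rewritten into a different number. Keys are validated the same way.
 */
function validate_ordering_data( $input ) {
	if ( ! is_array( $input ) ) {
		return [];
	}
	$range = [ 'options' => [ 'min_range' => 0 ] ];
	$clean = [];
	foreach ( $input as $key => $value ) {
		$k = filter_var( $key, FILTER_VALIDATE_INT, $range );
		$v = filter_var( $value, FILTER_VALIDATE_INT, $range ); // arrays yield false here too
		if ( false === $k || false === $v ) {
			continue;
		}
		$clean[ $k ] = $v;
	}
	return $clean;
}

// Constructed sample: one clean value, a decimal, trailing garbage, a negative
// number and a nested array, as a form could send them.
$_POST['taxonomy_ordering_data'] = [ '12', '3.7', '12abc', '-5', [ '9' ] ];

var_dump( sanitize_ordering_data( $_POST['taxonomy_ordering_data'] ) );
var_dump( validate_ordering_data( $_POST['taxonomy_ordering_data'] ) );
```

Running it shows the practical difference: the sanitizing call hands back strings that look numeric even for input that was not, while the validating call returns only real integers and a predictable shape, which is what code that later uses the values as term IDs or positions actually needs.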