diff --git a/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php b/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php index ae1d6725..5a966352 100644 --- a/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php +++ b/WordPressVIPMinimum/Sniffs/Security/ProperEscapingFunctionSniff.php @@ -23,7 +23,7 @@ class ProperEscapingFunctionSniff extends Sniff { * * @var string */ - const ATTR_END_REGEX = '`(?href|src|url|\s+action)?=(?:(?:\\\\)?["\'])?$`i'; + const ATTR_END_REGEX = '`(?href|src|url|(^|\s+)action)?=(?:\\\\)?["\']*$`i'; /** * List of escaping functions which are being tested. diff --git a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc index e477c716..35f20d1e 100644 --- a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc +++ b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.inc @@ -85,3 +85,13 @@ echo 'data-param-url="' . Esc_HTML::static_method( $share_url ) . '"'; // OK. // Not a target for this sniff (yet). printf( '', esc_attr( $content ) ); // OK. +?> + +// Making sure tabs and new lines before "action" are handled correctly. + +'; // OK. +echo ''; // Error. diff --git a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php index 8db41f41..2a0e020b 100644 --- a/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php +++ b/WordPressVIPMinimum/Tests/Security/ProperEscapingFunctionUnitTest.php @@ -53,6 +53,8 @@ public function getErrorList() { 79 => 1, 80 => 1, 82 => 1, + 92 => 1, + 97 => 1, ]; }
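Review bot: The new tail `(?:\\\\)?["\']*$` in `ATTR_END_REGEX` loosens more than the start-of-string `action` case needs. The optional backslash is no longer tied to a quote and any run of quotes is accepted, so text ending in `=\` or in `=""` (an attribute whose value is already closed) now matches as well. If that is intended, one fixture per case would pin it, since the fixtures visible in this diff only describe whitespace before `action`; otherwise keep the previous tail `(?:(?:\\\\)?["\'])?$` and change only the alternative. Either way, write the new alternative as `(?:^|\s+)action` so the pattern gains no extra numbered capture group. A comment above the constant listing the accepted endings would make later edits to this security sniff easier to review.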