Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ProperEscapingFunction: improve "action" match precision #670

Merged

Conversation

jrfnl
Copy link
Collaborator

@jrfnl jrfnl commented Apr 20, 2021

In VIPCS 2.2.0, checking for the use of esc_url() for "action" HTML attributes was introduced in PR #575 in response to issue #554.

As it is not inconceivable that "action" is used as a suffix for custom HTML attributes - like "data-action"- for which the value does not necessarily has to be a URL, the check for the "action" HTML attribute should make sure it is the complete attribute name and not used as a suffix for a custom attribute name.

This change contains a minor refactor of the code which examines the content of the previous text string.

Instead of looping over the various lists and doing a substr() on the same content 25 times, it will now use a regular expression to gather the necessary information to throw the right errors in one go.

Includes unit tests.

Fixes #669

Note: This PR removes two private properties which were introduced in 624/VIPCS 2.3.0 and two public methods.

The removal of the properties is safe. The removal of the public methods could be considered a BC-break as these methods were public, though they never should have been.

If so preferred, the public methods could be deprecated instead and remain in the code base as dead code/emptied out methods until the next major release upon which they could be removed.


New commits since pulling

ProperEscapingFunction: fine-tune attribute regex

This adds test cases with:

  • No space before "action" as it is at the start of the line in a multi-line text string.
  • A tab before "action".

... and makes minor adjustments to the regex to safeguard handling these cases correctly.

ProperEscapingFunction: deprecate, don't remove

... the public methods and as those use the private properties and extending sniffs may rely on the functionality of the public methods, we can't removed the private properties yet either, so deprecating those too.

jrfnl added 2 commits April 22, 2021 06:56
In VIPCS 2.2.0, checking for the use of `esc_url()` for "action" HTML attributes was introduced in PR 575 in response to issue 554.

As it is not inconceivable that "action" is used as a suffix for custom HTML attributes - like "data-action"- for which the value does not necessarily has to be a URL, the check for the "action" HTML attribute should make sure it is the complete attribute name and not used as a suffix for a custom attribute name.

This change contains a minor refactor of the code which examines the content of the previous text string.

Instead of looping over the various lists and doing a `substr()` on the same content 25 times, it will now use a regular expression to gather the necessary information to throw the right errors in one go.

Includes unit tests.

Fixes 669

Note: This PR removes two `private` properties which were introduced in 624/VIPCS 2.3.0 and two `public` methods.

The removal of the properties is safe. The removal of the `public` methods could be considered a BC-break as these methods were `public`, though they never should have been.

If so preferred, the `public` methods could be deprecated instead and remain in the code base as dead code/emptied out methods until the next major release upon which they could be removed.
This adds test cases with:
* No space before "action" as it is at the start of the line in a multi-line text string.
* A tab before "action".

... and makes minor adjustments to the regex to safeguard handling these cases correctly.
@jrfnl jrfnl force-pushed the fix/669-properescaping-attribute-matching-precision branch from 2f537c0 to 1401543 Compare April 22, 2021 05:05
rebeccahum
rebeccahum previously approved these changes Apr 22, 2021
Copy link
Contributor

@rebeccahum rebeccahum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very clever! I love how you were able to eliminate the looping over and kill many birds with one stone.

... the `public` methods and as those use the `private` properties and extending sniffs may rely on the functionality of the `public` methods, we can't removed the `private` properties yet either, so deprecating those too.
@jrfnl jrfnl added this to the 2.3.1 milestone Apr 22, 2021
@rebeccahum rebeccahum merged commit 23ec390 into develop Apr 22, 2021
@rebeccahum rebeccahum deleted the fix/669-properescaping-attribute-matching-precision branch April 22, 2021 05:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

False positive for ProperEscapingFunction.hrefSrcEscUrl when attribute with action in name is used
2 participants