EscapingFunctionsTrait: make sure function names are checked case-insensitively

These functions should be self-contained, so should not presume that the sniff has already lowercased the function name before passing it.

This fixes a bug as, in this case, the sniff didn't actually lowercase the name before passing it to the trait methods, so the sniff would throw false positives for non-lowercase function calls.

Tested by adjusting some pre-existing tests for the `EscapeOutput` sniff.
jrfnl committed Jun 29, 2023
1 parent 31fa764 commit baf9512
Showing 2 changed files with 4 additions and 4 deletions.
4 changes: 2 additions & 2 deletions WordPress/Helpers/EscapingFunctionsTrait.php
@@ -223,7 +223,7 @@ public function is_escaping_function( $functionName ) {
$this->addedCustomEscapingFunctions['escape'] = $this->customEscapingFunctions;
}

return isset( $this->allEscapingFunctions[ $functionName ] );
return isset( $this->allEscapingFunctions[ strtolower( $functionName ) ] );
}

/**
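Review bot: lowercasing the lookup key only works if every key in `$this->allEscapingFunctions` is itself lowercase, and the context line `$this->addedCustomEscapingFunctions['escape'] = $this->customEscapingFunctions;` shows that user-supplied custom function names are merged into that list. Please confirm the merge step lowercases those keys too (not visible in this hunk); otherwise a custom entry such as `My_Escaper` would never match after this change. A short comment on the `strtolower()` line stating that the key normalisation is the trait's responsibility, not the caller's, would also document the intent from the commit message.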
@@ -247,6 +247,6 @@ public function is_auto_escaped_function( $functionName ) {
$this->addedCustomEscapingFunctions['autoescape'] = $this->customAutoEscapedFunctions;
}

return isset( $this->allAutoEscapedFunctions[ $functionName ] );
return isset( $this->allAutoEscapedFunctions[ strtolower( $functionName ) ] );
}
}
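Review bot: the same key-normalisation caveat applies here as in `is_escaping_function()`: `$this->customAutoEscapedFunctions` is merged into `$this->allAutoEscapedFunctions` on the context line above, so the lookup will only succeed for mixed-case custom names if that merge lowercases its keys. Since callers no longer need to lowercase before calling, the method docblock should say the comparison is case-insensitive, and the identical normalise-then-lookup logic in the two methods could be factored into a single private helper to keep them from drifting apart again.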
4 changes: 2 additions & 2 deletions WordPress/Tests/Security/EscapeOutputUnitTest.inc
@@ -15,7 +15,7 @@ while ( have_posts() ) {
?>

<h2><?php echo $title; // Bad. ?></h2>
<h2><?php echo esc_html( $title ); // OK. ?></h2>
<h2><?php echo esc_HTML( $title ); // OK. ?></h2>
<h2><?php echo apply_filters( 'the_title', $title ); // Bad, no escaping function. ?></h2>

<?php
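Review bot: replacing `esc_html( $title )` with `esc_HTML( $title )` removes the canonical lowercase case from this spot in the test file, so the test no longer checks that the ordinary spelling is still accepted alongside the mixed-case one. Consider adding `esc_HTML` as a new `// OK.` line next to the existing `esc_html` line instead of substituting it; a comment such as `// OK. Case-insensitive function name.` would also make the reason for the unusual capitalisation obvious to future readers.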
@@ -138,7 +138,7 @@ _doing_it_wrong( __METHOD__, "Invalid value for the 'bob' argument " . esc_html(
trigger_error( "There was an error: {$message}", E_USER_NOTICE ); // Bad.
trigger_error( "There was an error: " . esc_html( $message ), E_USER_NOTICE ); // Ok.

echo '<p>' . sprintf( esc_html__( 'Some text -> %sLink text%s', 'textdomain' ), '<a href="' . esc_url( add_query_arg( array( 'page' => 'my_page' ), admin_url( 'admin.php' ) ) ) . '">', '</a>' ). '</p>'; // Ok.
echo '<p>' . sprintf( esc_html__( 'Some text -> %sLink text%s', 'textdomain' ), '<a href="' . Esc_Url( add_query_arg( array( 'page' => 'my_page' ), admin_url( 'admin.php' ) ) ) . '">', '</a>' ). '</p>'; // Ok.

echo '<br/><strong>' . sprintf( esc_html__( 'Found %d results', 'textdomain' ), (int) $result_count ) . '</strong><br/><br/>'; // Ok.

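Review bot: as in the earlier hunk, swapping `esc_url(` for `Esc_Url(` drops the lowercase form of this case rather than adding coverage for the mixed-case form; since the surrounding `esc_html__()` and `esc_html(` calls on this and the preceding lines stay lowercase, the lowercase `esc_url` path is still partly exercised, but a separate `Esc_Url` line with its own `// Ok.` comment would make the intent explicit and keep the original case intact. Because no lines are added, the expected-error line numbers in the companion `EscapeOutputUnitTest.php` should be unaffected, which is worth stating in the commit message.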

0 comments on commit baf9512