
Add phpcs.xml for safe output functions #225

Closed
GaryJones opened this issue Aug 8, 2016 · 4 comments

Comments

@GaryJones
Contributor

There are at least a couple of functions (build_sorter(), build_filter()) that are deemed safe for output, which are marked with a // WPCS: XSS ok; at the end of the line.

A cleaner approach would be to add a phpcs.xml file that defines exactly which code standards are being followed, but also allows the defining of safe functions. Here's an example phpcs.xml that I have for a client theme, which shows that the Genesis Framework function genesis_attr() does not need escaping:

<?xml version="1.0"?>
<ruleset name="My Client's Theme">
    <description>The code standard for My Client's theme.</description>
    <file>theme/.</file>
    <arg name="extensions" value="php"/>
    <arg name="report-full" value="logs/phpcs-full.log"/>
    <arg name="report-summary" value="logs/phpcs-summary.log"/>
    <arg name="report-source" value="logs/phpcs-source.log"/>
    <arg name="report-info" value="logs/phpcs-info.log"/>
    <arg name="report" value="summary"/>
    <arg name="report" value="source"/>
    <arg value="sp"/>
    <rule ref="WordPress.XSS.EscapeOutput">
        <properties>
            <property type="array" name="customAutoEscapedFunctions" value="genesis_attr"/>
        </properties>
    </rule>
    <rule ref="WordPress">
        <exclude name="WordPress.VIP"/>
    </rule>
</ruleset>

Adapt that to QM, and all of the relevant inline WPCS XSS comments can be removed.
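As an added illustration (not Query Monitor's code and not part of this thread), the PHP below shows what "safe for output" means for the escaping sniff and the three ways of telling it that a call site is fine: the old inline WPCS comment from this issue, the native PHPCS ignore comment that later comments in the thread refer to, and the customAutoEscapedFunctions property from the phpcs.xml above. The helper name qm_build_sorter_link is a hypothetical stand-in for build_sorter(); esc_url(), esc_attr(), esc_html() and add_query_arg() are WordPress core functions, so the file is meant to be loaded inside WordPress.

```php
<?php
/**
 * Added illustration, not Query Monitor's code. The helper name
 * qm_build_sorter_link is a hypothetical stand-in for build_sorter().
 * Assumes WordPress core is loaded (esc_url, esc_attr, esc_html, add_query_arg).
 */

/**
 * Builds a sort link. Every dynamic value is escaped in here, which is what
 * makes the returned markup safe for the caller to echo without escaping again.
 */
function qm_build_sorter_link( string $column, string $label ): string {
	$url = add_query_arg( 'orderby', $column );

	return sprintf(
		'<a href="%s" data-column="%s">%s</a>',
		esc_url( $url ),
		esc_attr( $column ),
		esc_html( $label )
	);
}

// The sniff cannot see inside the function, so each echo below would be reported
// as WordPress.Security.EscapeOutput.OutputNotEscaped (WordPress.XSS.EscapeOutput
// in the WPCS versions current when this issue was opened) unless it is told otherwise.

// 1. Old WPCS whitelist comment, as used in the code this issue is about.
//    WPCS 2.0 deprecated this form and warns when it is found.
echo qm_build_sorter_link( 'time', 'Time' ); // WPCS: XSS ok;

// 2. Native PHPCS ignore comment, scoped to the single error code that applies.
echo qm_build_sorter_link( 'time', 'Time' ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

// 3. No comment at all, because phpcs.xml declares the function auto-escaped:
//
//    <rule ref="WordPress.Security.EscapeOutput">
//        <properties>
//            <property type="array" name="customAutoEscapedFunctions" value="qm_build_sorter_link"/>
//        </properties>
//    </rule>
echo qm_build_sorter_link( 'time', 'Time' );

// Whichever form is used, the sniff only trusts the function; it does not verify
// it. If the escaping inside qm_build_sorter_link() is ever removed, every call
// site becomes an unchecked sink, so the auto-escaped list should stay short and
// each entry should be reviewed when the function changes.
```

Option 3 is the one this issue asks for: the declaration lives in one place and the call sites carry no annotations, whereas options 1 and 2 have to be repeated at every echo and are easy to leave behind when a call site changes.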

@johnbillion
Owner

johnbillion commented Nov 7, 2017

This is blocked by WordPress/WordPress-Coding-Standards#413

@johnbillion
Owner

Closing this off as there's been no movement on the PHPCS issue that blocks this and I'm happy enough with the inline comments in the meantime.

johnbillion closed this as not planned on Jul 9, 2022
@GaryJones
Contributor Author

The old WPCS-style whitelist comments were deprecated for WPCS 2.0, and a Warning was introduced if they were found (instead of using the PHPCS native ignore comments), so I'm curious why these don't seem to be flagged in your CI run.

@johnbillion
Owner

johnbillion commented Jul 9, 2022

I've got the -n flag in here:

"phpcs -nps --colors --report-code --report-width=80 --cache=tests/cache/phpcs --basepath='./' --standard=phpcs53.xml",
"phpcs -nps --colors --report-code --report-width=80 --cache=tests/cache/phpcs --basepath='./' ."


2 participants