Merge pull request #583 from WordPress/582-check-input-data-must-be-s…

…anitized-validated-and-escaped-on-output
WordPress · Aug 27, 2024 · 2c9a9a8 · 2c9a9a8
2 parents 02a1d78 + e64d3f6
commit 2c9a9a8
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 1 deletion.
diff --git a/phpcs-rulesets/plugin-review.xml b/phpcs-rulesets/plugin-review.xml
@@ -46,6 +46,12 @@
 		<type>warning</type>
 	</rule>
 
+	<!-- Sanitized Input rules -->
+	<rule ref="WordPress.Security.ValidatedSanitizedInput">
+		<type>error</type>
+		<severity>7</severity>
+	</rule>
+
 	<!-- Prohibit the use of the backtick operator. -->
 	<rule ref="Generic.PHP.BacktickOperator"/>
 

diff --git a/tests/phpunit/testdata/plugins/test-plugin-review-phpcs-errors/load.php b/tests/phpunit/testdata/plugins/test-plugin-review-phpcs-errors/load.php
@@ -11,3 +11,5 @@
 ob_start();
     the_author_email();
 $the_author_email = ob_get_clean();
+
+$var_post_not_sanitized = $_POST['not_sanitized'];
diff --git a/tests/phpunit/testdata/plugins/test-plugin-review-phpcs-without-errors/load.php b/tests/phpunit/testdata/plugins/test-plugin-review-phpcs-without-errors/load.php
@@ -8,3 +8,5 @@
 ob_start();
     the_author_meta( 'email');
 $the_author_email = ob_get_clean();
+
+$var_sanitized = isset( $data['sanitized'] ) ? sanitize_text_field( wp_unslash( $data['sanitized'] ) ) : '';
diff --git a/tests/phpunit/tests/Checker/Checks/Plugin_Review_PHPCS_Check_Tests.php b/tests/phpunit/tests/Checker/Checks/Plugin_Review_PHPCS_Check_Tests.php
@@ -22,7 +22,7 @@ public function test_run_with_errors() {
 
 		$this->assertNotEmpty( $errors );
 		$this->assertArrayHasKey( 'load.php', $errors );
-		$this->assertEquals( 2, $check_result->get_error_count() );
+		$this->assertEquals( 5, $check_result->get_error_count() );
 
 		// Check for Generic.PHP.DisallowShortOpenTag.Found error on Line no 6 and column no at 1.
 		$this->assertArrayHasKey( 6, $errors['load.php'] );
@@ -35,6 +35,12 @@ public function test_run_with_errors() {
 		$this->assertArrayHasKey( 5, $errors['load.php'][12] );
 		$this->assertArrayHasKey( 'code', $errors['load.php'][12][5][0] );
 		$this->assertEquals( 'WordPress.WP.DeprecatedFunctions.the_author_emailFound', $errors['load.php'][12][5][0]['code'] );
+
+		// Check for WordPress.Security.ValidatedSanitizedInput.InputNotValidated error on Line no 15 and column no at 27.
+		$this->assertArrayHasKey( 15, $errors['load.php'] );
+		$this->assertArrayHasKey( 27, $errors['load.php'][15] );
+		$this->assertArrayHasKey( 'code', $errors['load.php'][15][27][0] );
+		$this->assertEquals( 'WordPress.Security.ValidatedSanitizedInput.InputNotValidated', $errors['load.php'][15][27][0]['code'] );
 	}
 
 	public function test_run_without_errors() {