Closed kkmuffme closed 3 years ago
Thanks for reporting this.

Two notes:

Could you provide a more complete code sample for the second test case? Looking at just what you provided, that one feels off no matter what. URL parts should not be escaped, but encoded.
1) We get this issue for all kinds of `data-` attributes, e.g. `data-action` or also `data-src`.
2) The `$var` is already `rawurlencode`d at this point. Anyway, `rawurlencode` is not a safe escaping function, is it? So I do need some escaping here.
3) Maybe the href/src/action should be extended to `srcset` too?
> we get this issue for all kinds of data- attributes, e.g. data-action or also data-src

For `action` I can imagine other uses than URLs, but for `src` or `url` suffixed attribute names, the chance of the value not being a value which should be escaped with `esc_url()` are a lot smaller.

For the record, `action` was added to the list of attribute names to listen to in VIPCS 2.2.0. `src` was in the list since the introduction of the sniff way back when.

> the $var is already rawurlencoded at this point. Anyway rawurlencode is not a safe escaping function, is it? So I do need some escaping here.

`esc_url()`.

> maybe the href/src/action should be extended to srcset too?

`srcset`, as the value is expected to be a comma-delimited list of URLs combined with sizes. I expect that if the value for `srcset` would be encoded using `esc_url()`, the output will be mangled and not work as expected.

```html
<img
  srcset="
    /wp-content/uploads/flamingo4x.jpg 4025w,
    /wp-content/uploads/flamingo3x.jpg 3019w,
    /wp-content/uploads/flamingo2x.jpg 2013w,
    /wp-content/uploads/flamingo1x.jpg 1006w
  "
  src="/wp-content/uploads/flamingo-fallback.jpg"
>
```

Either way, PR #670 should fix the issue you originally reported about the `action` match precision. Testing appreciated.
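The `action`/`src`/`href` match-precision problem discussed in this thread, as an added example in Python. It is not VIPCS code (the real sniff is a PHPCS sniff written in PHP) and it does not reproduce the sniff's actual matching logic; the two checkers, the regexes, the attribute list and the sample templates are all constructed for this illustration. The first checker fires on any `href=`/`src=`/`action=` substring in the inline HTML before the echo, which is the kind of match that also catches `data-action=` and `data-src=`; the second parses the name of the attribute whose value the echo starts and fires only on an exact `href`, `src` or `action`. The `<option>` sample is the follow-up snippet posted later in this thread; neither checker here flags it, so this example does not claim to reproduce that report.

```python
import re
from typing import Callable, List, Optional, Tuple

# Attributes whose whole value is one URL and should be escaped with esc_url().
# Assumed list for this illustration (the thread names href, src and action).
URL_ATTRS = {"href", "src", "action"}

# A PHP echo of a WordPress escaping function; group 1 is the function name.
ECHO_RE = re.compile(r"<\?php\s+echo\s+(esc_\w+)\s*\(.*?\)\s*;?\s*\?>", re.S)

# An attribute name followed by '=' and an optional opening quote at the very end
# of the inline HTML, i.e. the echo is the start of that attribute's value.
ATTR_BEFORE_RE = re.compile(r'([A-Za-z][\w:.-]*)\s*=\s*["\']?\s*$')


def naive_expects_url(html_before: str) -> bool:
    """Substring match: 'href=', 'src=' or 'action=' anywhere in the inline HTML.

    Constructed stand-in for the imprecise matching the thread complains about;
    it also matches data-action= and data-src=.
    """
    return any(f"{name}=" in html_before for name in URL_ATTRS)


def attribute_before(html_before: str) -> Optional[str]:
    """Name of the attribute whose value the echo starts, or None if not in an attribute."""
    m = ATTR_BEFORE_RE.search(html_before)
    return m.group(1).lower() if m else None


def precise_expects_url(html_before: str) -> bool:
    """Fire only when the attribute is exactly href, src or action."""
    return attribute_before(html_before) in URL_ATTRS


def find_issues(template: str,
                expects_url: Callable[[str], bool]) -> List[Tuple[Optional[str], str]]:
    """(attribute, function) for every esc_attr() echo that expects_url() says needs esc_url()."""
    issues = []
    for m in ECHO_RE.finditer(template):
        func = m.group(1)
        # Only the inline HTML emitted since the previous PHP block closed matters.
        html_before = template[: m.start()].rsplit("?>", 1)[-1]
        if func == "esc_attr" and expects_url(html_before):
            issues.append((attribute_before(html_before), func))
    return issues


# Constructed sample templates, one per case discussed in the thread.
SAMPLES = {
    "href": '<a href="<?php echo esc_attr( $url ); ?>">link</a>',
    "form action": '<form action="<?php echo esc_attr( $url ); ?>" method="post">',
    "data-action": '<div data-action="<?php echo esc_attr( $action ); ?>"></div>',
    "data-src": '<img data-src="<?php echo esc_attr( $src ); ?>" alt="">',
    "option": (
        '<?php for ( $i = 1; $i <= 10; $i++ ) { ?>\n'
        '<option value="<?php echo esc_attr( $i ); ?>">\n'
        '>=<?php echo esc_html( $i ); ?>\n'
        '</option>\n<?php } ?>'
    ),
}


def compare(name: str) -> dict:
    """Run both checkers over one sample and return what each would report."""
    tpl = SAMPLES[name]
    return {"naive": find_issues(tpl, naive_expects_url),
            "precise": find_issues(tpl, precise_expects_url)}


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:12s} {compare(name)}")
```

The difference shows up on the `data-*` samples: the substring checker reports `data-action` and `data-src` as needing `esc_url()`, the attribute-aware one does not, while both still report the genuine `href` and `<form action>` cases.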
@jrfnl sorry to add one to this, but there is one more:

```php
<?php
for ( $i = 1; $i <= 10; $i++ ) { ?>
	<option value="<?php echo esc_attr( $i ); ?>" <?php echo ( $filter_importance != '' && $filter_importance == $i ) ? 'selected' : ''; ?> >
		>=<?php echo esc_html( $i ); ?>
	</option>
<?php } ?>
```

Also reports the above error, even though that clearly isn't an HTML attribute. Has this been fixed with the new PR?
@kkmuffme It does appear to not be fixed in 2.3.1, can you please open a new issue since this is separate? Thank you for reporting!
## Bug Description

The above sniff is extremely prone to false positives, as it just checks for action/src/href, but should at least be more specific for `action`.

## Minimal Code Snippet

## Error Code

```
Wrong escaping function. href, src, and action attributes should be escaped by esc_url(), not by esc_attr(). WordPressVIPMinimum.Security.ProperEscapingFunction.hrefSrcEscUrl
```

## Environment

Use `php -v` and `composer show` to get versions.

## Tested Against `master` branch?

- `master` branch of VIPCS.
- `develop` branch of VIPCS.