Open Luc45 opened 1 year ago
What error are you getting that is bothering you (I saw several when running against the WordPress
standard), so just wanted to be sure, about the sniff you're targeting.
@dingo-d the sniff I'm referring to is WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Read the code example carefully and you will understand, it flags the usage of trim
as if we were using the unsanitized value, but trim doesn't use the values, only manipulate it.
Technically, it should not report any error for all pure functions before sanitizing. For the default PHP ones (trim, strpos, str_contains,...) I guess it can be hardcoded.
Not sure if phpcs is aware/able to parse e.g. @psalm-pure tags in functions/methods to make this even better
Just had a quick look at this, but I don't understand the use of *trim()
here in the first place - it's not needed, so why use it ?
Sometimes, an input is flagged as not sanitized if we trim it:
I believe trimming should be accepted before sanitizing an input.
Maybe we could add
ltrim
,rtrim
, andtrim
as atrimmingFunctions
array and allow them here? https://github.com/WordPress/WordPress-Coding-Standards/blob/2ac765f2b0ae653efef9f5dda74cd2324f3abe78/WordPress/Sniff.php#L1852