WordPress / WordPress-Coding-Standards

PHP_CodeSniffer rules (sniffs) to enforce WordPress coding conventions
MIT License

filter_input() doesn't mean variable is sanitized #512

Open allan23 opened 8 years ago

allan23 commented 8 years ago

filter_input() is listed as an escaping function. However, if the third parameter isn't set, then no sanitization takes place.

Example: URL: http://test.dev/?test=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

echo filter_input( INPUT_GET, 'test' );

vs.

echo filter_input( INPUT_GET, 'test', FILTER_SANITIZE_STRING );

Should detection of filter_input require manual inspection or is it possible to check if the third parameter is set?

JDGrimes commented 8 years ago

It would be possible to detect whether the third parameter was supplied, if anyone would like to work up a patch.

JDGrimes commented 8 years ago

A side note: I think that probably the filter_input() function should be flagged by the WordPress.VIP.SuperGlobalInputUsage sniff.

jrfnl commented 5 years ago

I think we need a separate sniff to check for correct usage of the filter_...() functions. This does not have to be combined with an existing sniff.
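The check discussed above (detecting a filter_input()/filter_var() call whose filter argument is missing), written out as an added example that is not the project's own sniff. It uses PHP's built-in token_get_all() instead of the PHP_CodeSniffer token API so it runs from the command line without the framework; a real sniff would do the same walk over $phpcsFile->getTokens(). Besides the missing argument it also flags an explicit FILTER_DEFAULT or FILTER_UNSAFE_RAW, since FILTER_DEFAULT is the alias PHP applies when the argument is omitted and both return the value unchanged. The FILTER_FUNCTIONS and NOOP_FILTERS tables and the function names are this example's own, and the sample source is constructed, reusing the two calls from the issue.

```php
<?php
// Added example, not code from WordPress-Coding-Standards: a command-line
// check for filter_input()/filter_var() calls that apply no real filter,
// built on PHP's own token_get_all() (a PHPCS sniff would walk
// $phpcsFile->getTokens() the same way). Requires PHP 7.1+.

// Position of the filter argument per function (our own lookup table), and the
// pass-through filters: FILTER_DEFAULT is an alias of FILTER_UNSAFE_RAW and is
// what PHP applies when the filter argument is omitted.
const FILTER_FUNCTIONS = ['filter_input' => 2, 'filter_var' => 1];
const NOOP_FILTERS = ['FILTER_DEFAULT', 'FILTER_UNSAFE_RAW'];

function is_trivia($t): bool // whitespace and comments carry no syntax
{
    return is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
}

// Split the argument list of the call whose "(" sits at $open into arrays of
// tokens, honouring nested (), [] and {}. Returns [$args, $closeIndex].
function split_arguments(array $tokens, int $open): array
{
    $args = []; $cur = []; $depth = 0;
    $n = count($tokens);
    for ($i = $open + 1; $i < $n; $i++) {
        $t = $tokens[$i];
        $s = is_array($t) ? $t[1] : $t;
        if ($s === '(' || $s === '[' || $s === '{') {
            $depth++;
        } elseif ($s === ')' || $s === ']' || $s === '}') {
            if ($depth === 0) {
                if ($cur !== []) { $args[] = $cur; }
                return [$args, $i];
            }
            $depth--;
        } elseif ($s === ',' && $depth === 0) {
            $args[] = $cur;
            $cur = [];
            continue;
        }
        if (!is_trivia($t)) {
            $cur[] = $t;
        }
    }
    return [$args, $n - 1]; // unterminated call: the rest of the file counts as arguments
}

/** One [line, function, reason] finding per call with a missing or pass-through filter. */
function find_unfiltered_calls(string $source): array
{
    $tokens = token_get_all($source);
    // PHP 8 tokenises a qualified name such as "\filter_input" as a single token.
    $nameKinds = defined('T_NAME_FULLY_QUALIFIED') ? [T_STRING, T_NAME_FULLY_QUALIFIED] : [T_STRING];
    $findings = []; $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || !in_array($t[0], $nameKinds, true)) {
            continue;
        }
        $name = strtolower(ltrim($t[1], '\\'));
        if (!isset(FILTER_FUNCTIONS[$name])) {
            continue;
        }
        // $obj->filter_var(), Foo::filter_var() and "function filter_var()" are not the built-in.
        $prev = $tokens[$i - 1] ?? null;
        if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;
        }
        $j = $i + 1;
        while ($j < $n && is_trivia($tokens[$j])) { $j++; }
        if ($j >= $n || $tokens[$j] !== '(') {
            continue; // name used as a constant or callable string, not called
        }
        [$args, $close] = split_arguments($tokens, $j);
        $pos = FILTER_FUNCTIONS[$name];
        if (!isset($args[$pos])) {
            $findings[] = [$t[2], $name, 'no filter argument, so FILTER_DEFAULT (raw) applies'];
        } elseif (count($args[$pos]) === 1 && is_array($args[$pos][0])
            && in_array(strtoupper($args[$pos][0][1]), NOOP_FILTERS, true)) {
            $findings[] = [$t[2], $name, $args[$pos][0][1] . ' returns the value unfiltered'];
        }
        $i = $close;
    }
    return $findings;
}

// Constructed sample source: the two calls from the issue plus a few variants.
$sample = <<<'PHP'
<?php
echo filter_input( INPUT_GET, 'test' );
echo filter_input( INPUT_GET, 'test', FILTER_SANITIZE_STRING );
echo filter_input( INPUT_GET, 'test', FILTER_UNSAFE_RAW );
echo filter_var( $_GET['id'], FILTER_VALIDATE_INT );
echo filter_var( trim( $_GET['id'] ) );
echo $request->filter_input( INPUT_GET, 'test' );
PHP;

foreach (find_unfiltered_calls($sample) as [$line, $fn, $why]) {
    printf("line %d: %s(): %s\n", $line, $fn, $why);
}
```

Run with any PHP 7.1+ interpreter. On the constructed sample it reports the bare filter_input() call from the issue, the FILTER_UNSAFE_RAW call and the bare filter_var() call; the FILTER_SANITIZE_STRING and FILTER_VALIDATE_INT calls pass, and the method call on $request is skipped because the token before the name is the object operator. Note that a real sniff would also want to warn on FILTER_SANITIZE_STRING itself, which PHP deprecated in 8.1, so "a filter is present" is necessary but not sufficient for "the value is sanitised".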