Open allan23 opened 8 years ago
It would be possible to detect whether the third parameter was supplied, if anyone would like to work up a patch.
A side note: I think that probably the filter_input() function should be flagged by the WordPress.VIP.SuperGlobalInputUsage sniff.
I think we need a separate sniff to check for correct usage of the filter_...() functions. This does not have to be combined with an existing sniff.
filter_input() is listed as an escaping function. However, if the third parameter isn't set, then no sanitization takes place.
Example URL: http://test.dev/?test=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

```php
echo filter_input( INPUT_GET, 'test' );
```

vs.

```php
echo filter_input( INPUT_GET, 'test', FILTER_SANITIZE_STRING );
```
Should detection of filter_input require manual inspection or is it possible to check if the third parameter is set?
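As an added example of how the third-argument check asked about above could be implemented (this is not code from the WPCS project or from anyone in this thread): a minimal PHP_CodeSniffer 3.x sniff that finds each filter_input() call, splits its top-level arguments, and warns when the filter argument is absent or is FILTER_DEFAULT / FILTER_UNSAFE_RAW, the default filter that returns the value unchanged. The namespace, class name and warning codes are hypothetical; the PHPCS API calls (register(), process(), getTokens(), findNext(), findPrevious(), addWarning()) are the real ones.

```php
<?php
/**
 * Added example, not WPCS code: flag filter_input() calls that do not
 * actually filter anything. Namespace and class name are hypothetical.
 */

namespace Example\Sniffs\Security;

use PHP_CodeSniffer\Files\File;
use PHP_CodeSniffer\Sniffs\Sniff;

class FilterInputMissingFilterSniff implements Sniff
{
    /** Filter constants that leave the input value unchanged. */
    private $noOpFilters = ['FILTER_DEFAULT', 'FILTER_UNSAFE_RAW'];

    public function register()
    {
        // Function names are tokenized as T_STRING.
        return [T_STRING];
    }

    public function process(File $phpcsFile, $stackPtr)
    {
        $tokens = $phpcsFile->getTokens();

        if (strtolower($tokens[$stackPtr]['content']) !== 'filter_input') {
            return;
        }

        // Ignore method calls ($obj->filter_input(), Foo::filter_input()) and declarations.
        $prev = $phpcsFile->findPrevious(T_WHITESPACE, $stackPtr - 1, null, true);
        if ($prev !== false
            && in_array($tokens[$prev]['code'], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)
        ) {
            return;
        }

        // The call's argument list is the parenthesis pair right after the name.
        $opener = $phpcsFile->findNext(T_WHITESPACE, $stackPtr + 1, null, true);
        if ($opener === false
            || $tokens[$opener]['code'] !== T_OPEN_PARENTHESIS
            || !isset($tokens[$opener]['parenthesis_closer'])
        ) {
            return;
        }
        $closer = $tokens[$opener]['parenthesis_closer'];

        $args = $this->splitArguments($phpcsFile, $opener, $closer);

        if (count($args) < 3) {
            $phpcsFile->addWarning(
                'filter_input() called without a filter argument; FILTER_DEFAULT performs no sanitization.',
                $stackPtr,
                'MissingFilter'
            );
            return;
        }

        // A variable or expression as the third argument is treated as "present";
        // only the literal no-op constants are flagged here.
        if (in_array($args[2], $this->noOpFilters, true)) {
            $phpcsFile->addWarning(
                'filter_input() called with %s, which performs no sanitization.',
                $stackPtr,
                'NoOpFilter',
                [$args[2]]
            );
        }
    }

    /**
     * Return the trimmed source text of each top-level argument between
     * $opener and $closer, splitting only on commas that are not nested
     * inside (), [] or {} (so array() and nested calls stay one argument).
     */
    private function splitArguments(File $phpcsFile, $opener, $closer)
    {
        $tokens = $phpcsFile->getTokens();
        $openers = [T_OPEN_PARENTHESIS, T_OPEN_SQUARE_BRACKET, T_OPEN_SHORT_ARRAY, T_OPEN_CURLY_BRACKET];
        $closers = [T_CLOSE_PARENTHESIS, T_CLOSE_SQUARE_BRACKET, T_CLOSE_SHORT_ARRAY, T_CLOSE_CURLY_BRACKET];
        $args   = [];
        $depth  = 0;
        $buffer = '';

        for ($i = $opener + 1; $i < $closer; $i++) {
            $code = $tokens[$i]['code'];
            if (in_array($code, $openers, true)) {
                $depth++;
            } elseif (in_array($code, $closers, true)) {
                $depth--;
            } elseif ($code === T_COMMA && $depth === 0) {
                $args[] = trim($buffer);
                $buffer = '';
                continue;
            }
            $buffer .= $tokens[$i]['content'];
        }
        if (trim($buffer) !== '') {
            $args[] = trim($buffer); // a trailing comma leaves an empty buffer, which is ignored
        }
        return $args;
    }
}
```

Drop the class into a standard's Sniffs/Security directory and reference it from that standard's ruleset.xml as usual. The sniff only establishes that a filter argument is present and is not the no-op constant; it does not judge whether the chosen filter is adequate for the context, so the FILTER_SANITIZE_STRING call in the example above passes even though that constant is deprecated as of PHP 8.1.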