Closed jrfnl closed 1 year ago
Interesting suggestion.
I'd say the difference here is that exit()
is pretty much guaranteed to print to the screen, while is there is generally a good chance that an exception would be caught.
But I guess there is still the potential danger, and so escaping would be a good precaution (like we do with functions used to trigger errors).
One issue would be that an exception object could be constructed prior to actually being thrown. So you'd end up with code like this:
throw $exception;
But we could call that an edge-case and flag it as a warning or something.
I'd say the difference here is that exit() is pretty much guaranteed to print to the screen, while is there is generally a good chance that an exception would be caught.
What with nearly every PHP native error having been turned into an exception in PHP 7, I'd say very few are actually caught ....
But I suppose you're talking about userland Exceptions :sunglasses:
Note that trigger_error()
is also considered a printing function in WPCS, and it behaves like throwing exceptions.
UPDATE: As @JDGrimes says above:
But I guess there is still the potential danger, and so escaping would be a good precaution (like we do with functions used to trigger errors).
😄
My question is of course related to #764 / making the sniffs compatible with modern PHP code.
Aside: throw
is supported back to PHP 5.0.0: https://3v4l.org/uAHk0
@westonruter :100: I realized that as soon as I hit "Comment" (of course) ;-)
My email has proof of this 😄
:blush: Note to self: ALWAYS look EVERYTHING up. Now I need :wine_glass:
GH should send those emails out with a five minute delay or something - I always catch a spelling mistake or something else after I post (even after proof reading)
Just like
die()
orexit()
,throw
will send to the screen unless the Exception is caught.Should we start checking throw statements for output escaping ?
Ref: http://php.net/manual/en/language.exceptions.php