WordPress / plugin-check

A repository for the new Plugin Check plugin from the WordPress Performance and Plugins Team.
https://wordpress.org/plugins/plugin-check/
GNU General Public License v2.0

Update ruleset to segregate Security rules #643

Closed ernilambar closed 1 month ago

ernilambar commented 1 month ago

We should segregate WordPress.Security.ValidatedSanitizedInput and assign a separate type and severity for each rule.

<rule ref="WordPress.Security.ValidatedSanitizedInput">
  <type>error</type>
  <severity>7</severity>
</rule>
ernilambar commented 1 month ago

ValidatedSanitizedInput has four sub rules:

  • InputNotValidatedNotSanitized
  • InputNotValidated
  • InputNotSanitized
  • MissingUnslash

It looks all WARNING to me. Looking for confirmation.

CC @frantorres

davidperezgar commented 1 month ago

I'd make InputNotSanitized for severity 7 and the others as 6. What do you think?

ernilambar commented 1 month ago

And what would be the type for each item?

frantorres commented 1 month ago

ValidatedSanitizedInput has four sub rules:

  • InputNotValidatedNotSanitized
  • InputNotValidated
  • InputNotSanitized
  • MissingUnslash

It looks all WARNING to me. Looking for confirmation.

Looks like a Warning to me too, as all of these can have situations in which false positives may arise.
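For reference, the following is an added example of what the segregated ruleset discussed in this thread could look like; it is not the plugin-check project's own ruleset. It combines the opening comment's single-rule block with the suggestions made later in the thread (type warning for all four sub rules, severity 7 for InputNotSanitized and 6 for the others). The per-sub-rule references rely on PHP_CodeSniffer's ability to address an individual message code of a sniff in a ruleset `<rule ref>`; the ruleset name is a placeholder:

```xml
<?xml version="1.0"?>
<ruleset name="Example segregated ValidatedSanitizedInput rules">

  <!-- Base sniff: type and severity that apply to any sub rule not overridden below.
       The values here follow davidperezgar's suggestion (6) and the thread consensus (warning). -->
  <rule ref="WordPress.Security.ValidatedSanitizedInput">
    <type>warning</type>
    <severity>6</severity>
  </rule>

  <!-- Sub rule: superglobal read with neither a validation check nor sanitization. -->
  <rule ref="WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized">
    <type>warning</type>
    <severity>6</severity>
  </rule>

  <!-- Sub rule: superglobal read without an isset()/empty() style validation check. -->
  <rule ref="WordPress.Security.ValidatedSanitizedInput.InputNotValidated">
    <type>warning</type>
    <severity>6</severity>
  </rule>

  <!-- Sub rule: superglobal value used without a sanitizing function.
       Rated one step higher (7), as proposed in the thread, because unsanitized input is
       the case most directly tied to injection-class bugs. -->
  <rule ref="WordPress.Security.ValidatedSanitizedInput.InputNotSanitized">
    <type>warning</type>
    <severity>7</severity>
  </rule>

  <!-- Sub rule: superglobal value not passed through wp_unslash() before sanitization. -->
  <rule ref="WordPress.Security.ValidatedSanitizedInput.MissingUnslash">
    <type>warning</type>
    <severity>6</severity>
  </rule>

</ruleset>
```

Keeping the parent `<rule ref>` block ensures any sub rule not listed explicitly still inherits a type and severity, while each explicit sub-rule entry overrides it; when checking the result, run PHP_CodeSniffer with the `-s` flag so each report line shows the full message code and the override that applied can be confirmed.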