-
Notifications
You must be signed in to change notification settings - Fork 41
/
Copy pathHTMLExecutingFunctionsSniff.php
131 lines (111 loc) · 4.54 KB
/
HTMLExecutingFunctionsSniff.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
<?php
/**
* WordPressVIPMinimum_Sniffs_Files_IncludingFileSniff.
*
* @package VIPCS\WordPressVIPMinimum
*/
namespace WordPressVIPMinimum\Sniffs\JS;
use PHP_CodeSniffer\Util\Tokens;
use WordPressVIPMinimum\Sniffs\Sniff;
/**
* WordPressVIPMinimum_Sniffs_JS_HTMLExecutingFunctions.
*
* Flags functions which are executing HTML passed to it.
*/
class HTMLExecutingFunctionsSniff extends Sniff {
/**
* List of HTML executing functions.
*
* Name of function => content or target.
* Value indicates whether the function's arg is the content to be inserted, or the target where the inserted
* content is to be inserted before/after/replaced. For the latter, the content is in the preceding method's arg.
*
* @var array<string, string>
*/
public $HTMLExecutingFunctions = [
'after' => 'content', // jQuery.
'append' => 'content', // jQuery.
'appendTo' => 'target', // jQuery.
'before' => 'content', // jQuery.
'html' => 'content', // jQuery.
'insertAfter' => 'target', // jQuery.
'insertBefore' => 'target', // jQuery.
'prepend' => 'content', // jQuery.
'prependTo' => 'target', // jQuery.
'replaceAll' => 'target', // jQuery.
'replaceWith' => 'content', // jQuery.
'write' => 'content',
'writeln' => 'content',
];
/**
* A list of tokenizers this sniff supports.
*
* @var string[]
*/
public $supportedTokenizers = [ 'JS' ];
/**
* Returns an array of tokens this test wants to listen for.
*
* @return array<int|string>
*/
public function register() {
return [
T_STRING,
];
}
/**
* Processes this test, when one of its tokens is encountered.
*
* @param int $stackPtr The position of the current token in the stack passed in $tokens.
*
* @return void
*/
public function process_token( $stackPtr ) {
if ( ! isset( $this->HTMLExecutingFunctions[ $this->tokens[ $stackPtr ]['content'] ] ) ) {
// Looking for specific functions only.
return;
}
if ( $this->HTMLExecutingFunctions[ $this->tokens[ $stackPtr ]['content'] ] === 'content' ) {
$nextToken = $this->phpcsFile->findNext( Tokens::$emptyTokens, $stackPtr + 1, null, true, null, true );
if ( $this->tokens[ $nextToken ]['code'] !== T_OPEN_PARENTHESIS ) {
// Not a function.
return;
}
$parenthesis_closer = $this->tokens[ $nextToken ]['parenthesis_closer'];
while ( $nextToken < $parenthesis_closer ) {
$nextToken = $this->phpcsFile->findNext( Tokens::$emptyTokens, $nextToken + 1, null, true, null, true );
if ( $this->tokens[ $nextToken ]['code'] === T_STRING ) { // Contains a variable, function call or something else dynamic.
$message = 'Any HTML passed to `%s` gets executed. Make sure it\'s properly escaped.';
$data = [ $this->tokens[ $stackPtr ]['content'] ];
$this->phpcsFile->addWarning( $message, $stackPtr, $this->tokens[ $stackPtr ]['content'], $data );
return;
}
}
} elseif ( $this->HTMLExecutingFunctions[ $this->tokens[ $stackPtr ]['content'] ] === 'target' ) {
$prevToken = $this->phpcsFile->findPrevious( Tokens::$emptyTokens, $stackPtr - 1, null, true, null, true );
if ( $this->tokens[ $prevToken ]['code'] !== T_OBJECT_OPERATOR ) {
return;
}
$prevPrevToken = $this->phpcsFile->findPrevious( Tokens::$emptyTokens, $prevToken - 1, null, true, null, true );
if ( $this->tokens[ $prevPrevToken ]['code'] !== T_CLOSE_PARENTHESIS ) {
// Not a function call, but may be a variable containing an element reference, so just
// flag all remaining instances of these target HTML executing functions.
$message = 'Any HTML used with `%s` gets executed. Make sure it\'s properly escaped.';
$data = [ $this->tokens[ $stackPtr ]['content'] ];
$this->phpcsFile->addWarning( $message, $stackPtr, $this->tokens[ $stackPtr ]['content'], $data );
return;
}
// Check if it's a function call (typically $() ) that contains a dynamic part.
$parenthesis_opener = $this->tokens[ $prevPrevToken ]['parenthesis_opener'];
while ( $prevPrevToken > $parenthesis_opener ) {
$prevPrevToken = $this->phpcsFile->findPrevious( Tokens::$emptyTokens, $prevPrevToken - 1, null, true, null, true );
if ( $this->tokens[ $prevPrevToken ]['code'] === T_STRING ) { // Contains a variable, function call or something else dynamic.
$message = 'Any HTML used with `%s` gets executed. Make sure it\'s properly escaped.';
$data = [ $this->tokens[ $stackPtr ]['content'] ];
$this->phpcsFile->addWarning( $message, $stackPtr, $this->tokens[ $stackPtr ]['content'], $data );
return;
}
}
}
}
}