-
Notifications
You must be signed in to change notification settings - Fork 20
/
Copy path.phpcs.security.xml
44 lines (36 loc) · 1.89 KB
/
.phpcs.security.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
<?xml version="1.0"?>
<ruleset name="Security sniffs from WordPress Coding Standards">
<description>Security sniffs from WordPress Coding Standards</description>
<arg value="sp"/>
<arg name="colors"/>
<arg name="extensions" value="php"/>
<arg name="parallel" value="8"/>
<config name="testVersion" value="7.2-"/>
<!-- Do not fail PHPCS CI over warnings -->
<config name="ignore_warnings_on_exit" value="1"/>
<rule ref="WordPress.Security.EscapeOutput"/>
<rule ref="WordPress.Security.EscapeOutput">
<properties>
<property name="customEscapingFunctions" type="array" value="wc_help_tip,wc_sanitize_tooltip,wc_selected,wc_kses_notice,wc_esc_json,wc_query_string_form_fields,wc_make_phone_clickable" />
</properties>
</rule>
<rule ref="WordPress.Security.ValidatedSanitizedInput.InputNotSanitized"/>
<rule ref="WordPress.Security.ValidatedSanitizedInput">
<properties>
<property name="customSanitizingFunctions" type="array" value="wc_clean,wc_sanitize_tooltip,wc_format_decimal,wc_stock_amount,wc_sanitize_permalink,wc_sanitize_textarea" />
</properties>
</rule>
<!-- Encourage use of wp_safe_redirect() to avoid open redirect vulnerabilities.
https://github.com/WordPress/WordPress-Coding-Standards/pull/1264 -->
<rule ref="WordPress.Security.SafeRedirect"/>
<!-- Verify that a nonce check is done before using values in superglobals.
https://github.com/WordPress/WordPress-Coding-Standards/issues/73 -->
<rule ref="WordPress.Security.NonceVerification"/>
<!-- https://github.com/WordPress/WordPress-Coding-Standards/issues/1157 -->
<rule ref="WordPress.Security.PluginMenuSlug"/>
<!-- Covers rule: The eval() construct is very dangerous, and is impossible to secure. ... these must not be used. -->
<rule ref="Squiz.PHP.Eval.Discouraged">
<type>error</type>
<message>eval() is a security risk so not allowed.</message>
</rule>
</ruleset>