False positive: Allow trimming input before sanitizing

[Luc45]

Sometimes, an input is flagged as not sanitized if we trim it:

$foo = absint( $_GET['foo'] ); // OK.

$foo = absint( trim( $_GET['foo'] ) ); // InputNotSanitized.
$foo = absint( ltrim( $_GET['foo'] ) ); // InputNotSanitized.
$foo = absint( rtrim( $_GET['foo'] ) ); // InputNotSanitized.

I believe trimming should be accepted before sanitizing an input.

Maybe we could add ltrim, rtrim, and trim as a trimmingFunctions array and allow them here?

WordPress-Coding-Standards/WordPress/Sniff.php

Line 1852 in 2ac765f

$valid_functions += $this->arrayWalkingFunctions;

[dingo-d]

What error are you getting that is bothering you (I saw several when running against the WordPress standard), so just wanted to be sure, about the sniff you're targeting.

[Luc45]

@dingo-d the sniff I'm referring to is WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

[Luc45]

Read the code example carefully and you will understand, it flags the usage of trim as if we were using the unsanitized value, but trim doesn't use the values, only manipulate it.

[kkmuffme]

Technically, it should not report any error for all pure functions before sanitizing.
For the default PHP ones (trim, strpos, str_contains,...) I guess it can be hardcoded.

Not sure if phpcs is aware/able to parse e.g. @psalm-pure tags in functions/methods to make this even better

[jrfnl]

Just had a quick look at this, but I don't understand the use of *trim() here in the first place - it's not needed, so why use it ?

https://3v4l.org/9Ih5I