Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ProperEscapingFunction: improve "action" match precision #670

Merged
merged 3 commits into from
Apr 22, 2021
Merged

ProperEscapingFunction: improve "action" match precision #670

merged 3 commits into from
Apr 22, 2021

Conversation

jrfnl
Copy link
Collaborator

@jrfnl jrfnl commented Apr 20, 2021
edited
Loading

In VIPCS 2.2.0, checking for the use of esc_url() for "action" HTML attributes was introduced in PR #575 in response to issue #554.

As it is not inconceivable that "action" is used as a suffix for custom HTML attributes - like "data-action"- for which the value does not necessarily has to be a URL, the check for the "action" HTML attribute should make sure it is the complete attribute name and not used as a suffix for a custom attribute name.

This change contains a minor refactor of the code which examines the content of the previous text string.

Instead of looping over the various lists and doing a substr() on the same content 25 times, it will now use a regular expression to gather the necessary information to throw the right errors in one go.

Includes unit tests.

Fixes #669

Note: This PR removes two private properties which were introduced in 624/VIPCS 2.3.0 and two public methods.

The removal of the properties is safe. The removal of the public methods could be considered a BC-break as these methods were public, though they never should have been.

If so preferred, the public methods could be deprecated instead and remain in the code base as dead code/emptied out methods until the next major release upon which they could be removed.

New commits since pulling

ProperEscapingFunction: fine-tune attribute regex

This adds test cases with:

  • No space before "action" as it is at the start of the line in a multi-line text string.
  • A tab before "action".

... and makes minor adjustments to the regex to safeguard handling these cases correctly.

ProperEscapingFunction: deprecate, don't remove

... the public methods and as those use the private properties and extending sniffs may rely on the functionality of the public methods, we can't removed the private properties yet either, so deprecating those too.

@jrfnl jrfnl requested a review from a team as a code owner April 20, 2021 16:41
@jrfnl jrfnl mentioned this pull request Apr 20, 2021
Closed
2 tasks
@jrfnl
ProperEscapingFunction: improve "action" match precision
7f77f90 
In VIPCS 2.2.0, checking for the use of `esc_url()` for "action" HTML attributes was introduced in PR 575 in response to issue 554.

As it is not inconceivable that "action" is used as a suffix for custom HTML attributes - like "data-action"- for which the value does not necessarily has to be a URL, the check for the "action" HTML attribute should make sure it is the complete attribute name and not used as a suffix for a custom attribute name.

This change contains a minor refactor of the code which examines the content of the previous text string.

Instead of looping over the various lists and doing a `substr()` on the same content 25 times, it will now use a regular expression to gather the necessary information to throw the right errors in one go.

Includes unit tests.

Fixes 669

Note: This PR removes two `private` properties which were introduced in 624/VIPCS 2.3.0 and two `public` methods.

The removal of the properties is safe. The removal of the `public` methods could be considered a BC-break as these methods were `public`, though they never should have been.

If so preferred, the `public` methods could be deprecated instead and remain in the code base as dead code/emptied out methods until the next major release upon which they could be removed.
@jrfnl
ProperEscapingFunction: fine-tune attribute regex
1401543 
This adds test cases with:
* No space before "action" as it is at the start of the line in a multi-line text string.
* A tab before "action".

... and makes minor adjustments to the regex to safeguard handling these cases correctly.
@jrfnl jrfnl force-pushed the fix/669-properescaping-attribute-matching-precision branch from 2f537c0 to 1401543 Compare April 22, 2021 05:05
rebeccahum
rebeccahum previously approved these changes Apr 22, 2021
View reviewed changes
Copy link
Contributor

@rebeccahum rebeccahum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very clever! I love how you were able to eliminate the looping over and kill many birds with one stone.

@jrfnl
ProperEscapingFunction: deprecate, don't remove
a615109 
... the `public` methods and as those use the `private` properties and extending sniffs may rely on the functionality of the `public` methods, we can't removed the `private` properties yet either, so deprecating those too.
@jrfnl jrfnl added this to the 2.3.1 milestone Apr 22, 2021
@rebeccahum rebeccahum merged commit 23ec390 into develop Apr 22, 2021
@rebeccahum rebeccahum deleted the fix/669-properescaping-attribute-matching-precision branch April 22, 2021 05:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rebeccahum rebeccahum rebeccahum approved these changes

Assignees
No one assigned
Labels
Type: Bug
Projects
None yet
Milestone
2.3.1
Development

Successfully merging this pull request may close these issues.

False positive for ProperEscapingFunction.hrefSrcEscUrl when attribute with action in name is used
2 participants
@jrfnl @rebeccahum