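/**
 * Processes this test, when one of its tokens is encountered.
 *
 * Reports input superglobals ($_GET, $_POST, ...) that are read without
 * being validated and/or without passing through a sanitizing function.
 * A double-quoted string that mentions a superglobal is reported outright,
 * because interpolation bypasses both validation and sanitization.
 *
 * @param PHP_CodeSniffer_File $phpcsFile The file being scanned.
 * @param int                  $stackPtr  The position of the current token
 *                                        in the stack passed in $tokens.
 *
 * @return void
 */
public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr)
{
    // Merge any custom functions with the defaults, if we haven't already.
    // This mutates shared static state, so it is guarded to run only once
    // per process rather than once per token.
    if (!self::$addedCustomFunctions) {
        WordPress_Sniff::$sanitizingFunctions = array_merge(
            WordPress_Sniff::$sanitizingFunctions,
            array_flip($this->customSanitizingFunctions)
        );
        WordPress_Sniff::$unslashingSanitizingFunctions = array_merge(
            WordPress_Sniff::$unslashingSanitizingFunctions,
            array_flip($this->customUnslashingSanitizingFunctions)
        );
        self::$addedCustomFunctions = true;
    }

    $this->init($phpcsFile);
    $tokens       = $phpcsFile->getTokens();
    $superglobals = WordPress_Sniff::$input_superglobals;
    $content      = $tokens[$stackPtr]['content'];

    // Handling string interpolation: "...$_GET[x]..." can be neither
    // validated nor sanitized, so any superglobal inside the string is an error.
    if (T_DOUBLE_QUOTED_STRING === $tokens[$stackPtr]['code']) {
        foreach ($superglobals as $superglobal) {
            if (false !== strpos($content, $superglobal)) {
                // Give this error a code like the sibling errors below, so it
                // can be targeted in a ruleset; it previously had none (null).
                $phpcsFile->addError(
                    'Detected usage of a non-sanitized, non-validated input variable: %s',
                    $stackPtr,
                    'InputNotSanitized',
                    array($content)
                );
                return;
            }
        }
        return;
    }

    // Check if this is a superglobal. Both sides are strings, so compare
    // strictly; loose comparison has numeric-string surprises.
    if (!in_array($content, $superglobals, true)) {
        return;
    }

    // If we're overriding a superglobal with an assignment, no need to test.
    if ($this->is_assignment($stackPtr)) {
        return;
    }

    // This superglobal is being validated.
    if ($this->is_in_isset_or_empty($stackPtr)) {
        return;
    }

    $array_key = $this->get_array_access_key($stackPtr);
    // NOTE(review): empty() also rejects a key of "0"/0, so an access such as
    // $_GET[0] is skipped here — confirm get_array_access_key()'s "no key"
    // return value before tightening this to an identity check.
    if (empty($array_key)) {
        return;
    }

    // Check for validation first.
    if (!$this->is_validated($stackPtr, $array_key, $this->check_validation_in_scope_only)) {
        $phpcsFile->addError(
            'Detected usage of a non-validated input variable: %s',
            $stackPtr,
            'InputNotValidated',
            array($content)
        );
        // return; // Should we just return and not look for sanitizing functions?
    }

    if ($this->has_whitelist_comment('sanitization', $stackPtr)) {
        return;
    }

    // If this is a comparison ('a' == $_POST['foo']), sanitization isn't needed.
    if ($this->is_comparison($stackPtr)) {
        return;
    }

    // Now look for sanitizing functions.
    if (!$this->is_sanitized($stackPtr, true)) {
        $phpcsFile->addError(
            'Detected usage of a non-sanitized input variable: %s',
            $stackPtr,
            'InputNotSanitized',
            array($content)
        );
    }

    return;
}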