XSS: don't flag code after an empty exit

This bug would happen when there was code like this: ```php if ( ! defined( ‘ABSPATH’ ) ) { exit; // We skipped over the semicolon, assuming the next thing would be an opening parenthesis. } // This code would get flagged as needing escaping. other_code(); ``` See WordPress#312
JDGrimes · Feb 16, 2015 · 48801f0 · 48801f0
1 parent b416691
commit 48801f0
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/WordPress/Sniffs/XSS/EscapeOutputSniff.php b/WordPress/Sniffs/XSS/EscapeOutputSniff.php
@@ -296,7 +296,7 @@ public function process( PHP_CodeSniffer_File $phpcsFile, $stackPtr )
 			$end_of_statement = $tokens[ $stackPtr ]['parenthesis_closer'];
 		}
 
-		if ( $tokens[ $stackPtr ]['code'] === T_EXIT ) {
+		if ( $tokens[ $stackPtr ]['code'] === T_EXIT && $tokens[ $stackPtr + 1 ]['code'] === T_OPEN_PARENTHESIS ) {
 			$stackPtr++; // Ignore the starting bracket
 		}
 

diff --git a/WordPress/Tests/XSS/EscapeOutputUnitTest.inc b/WordPress/Tests/XSS/EscapeOutputUnitTest.inc
@@ -83,3 +83,10 @@ do_something(
 	_x( 'Some string', 'context', 'domain' )
 	, array( $foo ) // OK
 );
+
+// There was a bug where an empty exit followed by other code would give an error.
+if ( ! defined( 'ABSPATH' ) ) {
+	exit; // OK
+} else {
+	other();
+}