Add tests for printf() and vprintf()

WordPress · Feb 15, 2015 · 39881e8 · 39881e8
1 parent 63cf844
commit 39881e8
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 0 deletions.
diff --git a/WordPress/Sniffs/XSS/EscapeOutputSniff.php b/WordPress/Sniffs/XSS/EscapeOutputSniff.php
@@ -280,6 +280,8 @@ public function process( PHP_CodeSniffer_File $phpcsFile, $stackPtr )
 
 		$needs_sanitizing_function = false;
 
+		$function = $tokens[ $stackPtr ]['content'];
+
 		// If function, not T_ECHO nor T_PRINT
 		if ( $tokens[$stackPtr]['code'] == T_STRING ) {
 			// Skip if it is a function but is not of the printing functions ( self::needSanitizingFunctions )
@@ -337,6 +339,11 @@ public function process( PHP_CodeSniffer_File $phpcsFile, $stackPtr )
 			if ( $tokens[$i]['code'] == T_WHITESPACE )
 				continue;
 
+			if ( 'vprintf' === $function && $tokens[ $i ]['code'] === T_ARRAY ) {
+				$i++; // Skip the opening parenthesis.
+				continue;
+			}
+
 			// Wake up on concatenation characters, another part to check
 			if ( in_array( $tokens[$i]['code'], array( T_STRING_CONCAT ) ) ) {
 				$watch = true;

diff --git a/WordPress/Tests/XSS/EscapeOutputUnitTest.inc b/WordPress/Tests/XSS/EscapeOutputUnitTest.inc
@@ -69,3 +69,8 @@ die( $foo ); // Bad
 die( esc_html( $foo ) ); // OK
 
 printf( 'Hello %s', $foo ); // Bad
+printf( 'Hello %s', esc_html( $foo ) ); // OK
+printf( 'Hello %s! Hi %s!', esc_html( $foo ), $bar ); // Bad
+
+vprintf( 'Hello %s', array( $foo ) ); // Bad
+vprintf( 'Hello %s', array( esc_html( $foo ) ) ); // OK
diff --git a/WordPress/Tests/XSS/EscapeOutputUnitTest.php b/WordPress/Tests/XSS/EscapeOutputUnitTest.php
@@ -56,6 +56,8 @@ public function getErrorList()
                 65 => 1,
                 68 => 1,
                 71 => 1,
+                73 => 1,
+                75 => 1,
                );
 
     }//end getErrorList()